1

I'm testing some bytecode generation libraries with java module system. I've compiled java 11 with the following changes to the java.base module-info.java:

module java.base {
  ...
  exports java.lang.reflect to <some java and custom modules>;
  ...
}

Then I start java with "--illegal-access=deny" option. When I use this compiled java version with javassist library, it generates the following class in unnamed module:

public class SomeJavassistProxy extends SomeClass implements WriteReplaceInterface, ProxyObject {
   private MethodHandler handler;
   private static Method[] _methods_;
   ...

Java throws some kind of "java.lang.IllegalAccessError class SomeJavassistProxy(in unnamed module) cannot access class java.lang.reflect.Method(in module java.base) because module java.base does not export java.lang.reflect to unnamed module".

This is the expected behaviour.

Then I tried bytebuddy library and it generated the following class:

public class SomeClass$HibernateProxy$7DKVefUe extends SomeClass implements HibernateProxy, ProxyConfiguration {
   private Interceptor $$_hibernate_interceptor;
   // $FF: synthetic field
   private static final Method cachedValue$ghVgnbHc$4cscpe1 = Object.class.getMethod("toString");
   // $FF: synthetic field
   private static final Method cachedValue$ghVgnbHc$o23rrk2 = HibernateProxy.class.getMethod("getHibernateLazyInitializer");
   ...

This class is also generated in the unnamed module. But this time it works and no errors are thrown. Somehow it can access java.lang.reflect despite the fact that the package should not be accessible to the unnamed module.

The only difference that I see is the synthetic field with java.lang.reflect.Method in the bytebuddy generated class.

So, my question is, does java module system not work with synthetic fields?

Liberator
  • 75
  • 7
  • To start off with understand [what does illegal access mean](https://stackoverflow.com/questions/50251798/what-is-an-illegal-reflective-access) and further follow up with byte buddy version to verify how its developer has ensured upgrading to support higher JDK versions with illegal access denied as a default behaviour. – Naman Oct 10 '21 at 08:33
  • I don't think there is much to understand what --illegal-access=deny does)) It's pretty straightforward - it denies illegal access operations in runtime. And that's exactly what I want to do - to deny access to java.lang.reflect for all modules not specified in java.base module-info.java in "exports java.lang.reflect to " clause. And it works in most cases. Except for this one with synthetic fields in a class in an unnamed module. I've thought such a class shouldn't be even defined in defineClass method. But somehow it does. Maybe synthetic fields are considered as trusted. – Liberator Oct 10 '21 at 14:26

1 Answers1

1

Sorry, my bad.
Turns out that IllegalAccessError is thrown only when you actually invoke methods from the secured package (java.lang.reflect in my case) inside the module that can't access that package (the unnamed module in my case).
If there is just a reference to the secured package, no exception is thrown.

In the example with bytebuddy there is only a reference to the Method class in the unnamed module. This reference is passed to the Interceptor class (it belongs to the automatic module which has access to java.lang.reflect in my case) where the actual invocation of Method takes place.

So, it has nothing to do with synthetic fields.

Liberator
  • 75
  • 7