tchekai704
/
src-spring-framework
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Consider security in ClassUtils#getMostSpecificMethod 

Recent changes in ExtendedBeanInfo involve invoking
ClassUtils#getMostSpecificMethod when determining JavaBeans get/set
pairs; if Java security settings control disallow reflective access,
this results in an AccessControlException.

This change defends against this (comparatively rare) scenario by
catching the exception and falling back to returning the method
originally supplied by the user.

This change was a result of noticing CallbacksSecurityTests failing
following the ExtendedBeanInfo modifications mentioned above

Issue: SPR-8949
pull/25/merge
Chris Beams 13 years ago
parent
21aed042ea
commit
45ad183331
1 changed files with 10 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      org.springframework.core/src/main/java/org/springframework/util/ClassUtils.java

11
org.springframework.core/src/main/java/org/springframework/util/ClassUtils.java
Unescape View File

@ -22,6 +22,7 @@ import java.lang.reflect.Constructor; @@ -22,6 +22,7 @@ import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.Proxy;
import java.security.AccessControlException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
@ -712,6 +713,9 @@ public abstract class ClassUtils { @@ -712,6 +713,9 @@ public abstract class ClassUtils {
* Call {@link org.springframework.core.BridgeMethodResolver#findBridgedMethod}
* if bridge method resolution is desirable (e.g. for obtaining metadata from
* the original method definition).
* <p><b>NOTE:</b>Since Spring 3.1.1, if java security settings disallow reflective
* access (e.g. calls to {@code Class#getDeclaredMethods} etc, this implementation
* will fall back to returning the originally provided method.
* @param method the method to be invoked, which may come from an interface
* @param targetClass the target class for the current invocation.
* May be <code>null</code> or may not even implement the method.
@ -722,7 +726,12 @@ public abstract class ClassUtils { @@ -722,7 +726,12 @@ public abstract class ClassUtils {
Method specificMethod = null;
if (method != null && isOverridable(method, targetClass) &&
targetClass != null && !targetClass.equals(method.getDeclaringClass())) {
specificMethod = ReflectionUtils.findMethod(targetClass, method.getName(), method.getParameterTypes());
try {
specificMethod = ReflectionUtils.findMethod(targetClass, method.getName(), method.getParameterTypes());
} catch (AccessControlException ex) {
// security settings are disallowing reflective access; leave
// 'specificMethod' null and fall back to 'method' below
}
}
return (specificMethod != null ? specificMethod : method);
}

Write Preview
Loading…
Cancel
Save