Consider security in ClassUtils#getMostSpecificMethod

cbeams · cbeams · commit 45ad18333154 · 2012-02-10T00:13:24.000+01:00
Recent changes in ExtendedBeanInfo involve invoking
ClassUtils#getMostSpecificMethod when determining JavaBeans get/set
pairs; if Java security settings control disallow reflective access,
this results in an AccessControlException.

This change defends against this (comparatively rare) scenario by
catching the exception and falling back to returning the method
originally supplied by the user.

This change was a result of noticing CallbacksSecurityTests failing
following the ExtendedBeanInfo modifications mentioned above

Issue: SPR-8949
diff --git a/org.springframework.core/src/main/java/org/springframework/util/ClassUtils.java b/org.springframework.core/src/main/java/org/springframework/util/ClassUtils.java
@@ -22,6 +22,7 @@
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
 import java.lang.reflect.Proxy;
+import java.security.AccessControlException;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -712,6 +713,9 @@ public static boolean hasAtLeastOneMethodWithName(Class<?> clazz, String methodN
 	 * Call {@link org.springframework.core.BridgeMethodResolver#findBridgedMethod}
 	 * if bridge method resolution is desirable (e.g. for obtaining metadata from
 	 * the original method definition).
+	 * <p><b>NOTE:</b>Since Spring 3.1.1, if java security settings disallow reflective
+	 * access (e.g. calls to {@code Class#getDeclaredMethods} etc, this implementation
+	 * will fall back to returning the originally provided method.
 	 * @param method the method to be invoked, which may come from an interface
 	 * @param targetClass the target class for the current invocation.
 	 * May be <code>null</code> or may not even implement the method.
@@ -722,7 +726,12 @@ public static Method getMostSpecificMethod(Method method, Class<?> targetClass)
 		Method specificMethod = null;
 		if (method != null && isOverridable(method, targetClass) &&
 				targetClass != null && !targetClass.equals(method.getDeclaringClass())) {
-			specificMethod = ReflectionUtils.findMethod(targetClass, method.getName(), method.getParameterTypes());
+			try {
+				specificMethod = ReflectionUtils.findMethod(targetClass, method.getName(), method.getParameterTypes());
+			} catch (AccessControlException ex) {
+				// security settings are disallowing reflective access; leave
+				// 'specificMethod' null and fall back to 'method' below
+			}
 		}
 		return (specificMethod != null ? specificMethod : method);
 	}
