Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] java.lang.reflect.InaccessibleObjectException error in webapp

Actually, "--add-opens
java.base/java.util=ALL-UNNAMED" is not the solution to this problem anyway as it comes from a bad use of reflection (in Spring) that could happen even without using modules, it's a matter of trying to invoke exactly through reflection a method of a non public class implementing a public interface or class instead of using a method of a public class or interface and letting the appropriate Java reflection method invoking the non public accessible implementation.


envoyé : 23 août 2024 à 11:47
de : Simone Bordet via jetty-users <jetty-users@xxxxxxxxxxx>
à : "Paul B. Henson" <henson@xxxxxxx>
Cc: Simone Bordet <sbordet@xxxxxxxxxxx>, JETTY user mailing list <jetty-users@xxxxxxxxxxx>
objet : Re: [jetty-users] java.lang.reflect.InaccessibleObjectException error in webapp


Hi,

On Thu, Aug 22, 2024 at 10:11 PM Paul B. Henson <henson@xxxxxxx> wrote:

A suggested workaround is to add "--add-opens
java.base/java.util=ALL-UNNAMED" to the jvm startup arguments. Would
that prevent the problem when the race condition is lost for this issue?
If so, would it have any undesirable security aspects that make it a bad
idea?

Yes it's a bad idea because now all code in the class-path will be
able to perform deep reflection on JDK code, opening up for
vulnerabilities (depending on your application).

This may not be a race, but just a data problem.
For example, when you have an empty collection you return List.of()
which has a private Iterator implementation, but when you have data
you return some other data structure that has a public Iterator
implementation.

How are you using JPMS, if at all?

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users


Back to the top