From 45ad1833315415022a3cefa54f4df531815e41e8 Mon Sep 17 00:00:00 2001
From: Chris Beams
Date: Fri, 10 Feb 2012 00:11:12 +0100
Subject: [PATCH] Consider security in ClassUtils#getMostSpecificMethod

Recent changes in ExtendedBeanInfo involve invoking ClassUtils#getMostSpecificMethod when determining JavaBeans get/set pairs; if Java security settings control disallow reflective access, this results in an AccessControlException. This change defends against this (comparatively rare) scenario by catching the exception and falling back to returning the method originally supplied by the user.

This change was a result of noticing CallbacksSecurityTests failing following the ExtendedBeanInfo modifications mentioned above

Issue: SPR-8949
---
 .../java/org/springframework/util/ClassUtils.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/org.springframework.core/src/main/java/org/springframework/util/ClassUtils.java b/org.springframework.core/src/main/java/org/springframework/util/ClassUtils.java
index db0524c25c..cbd6bae580 100644
--- a/org.springframework.core/src/main/java/org/springframework/util/ClassUtils.java
+++ b/org.springframework.core/src/main/java/org/springframework/util/ClassUtils.java
@@ -22,6 +22,7 @@ import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
 import java.lang.reflect.Proxy;
+import java.security.AccessControlException;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -712,6 +713,9 @@ public abstract class ClassUtils {
  * Call {@link org.springframework.core.BridgeMethodResolver#findBridgedMethod}
  * if bridge method resolution is desirable (e.g. for obtaining metadata from
  * the original method definition).
+ * NOTE:Since Spring 3.1.1, if java security settings disallow reflective
+ * access (e.g. calls to {@code Class#getDeclaredMethods} etc, this implementation
+ * will fall back to returning the originally provided method.
  * @param method the method to be invoked, which may come from an interface
  * @param targetClass the target class for the current invocation.
  * May be null or may not even implement the method.
@@ -722,7 +726,12 @@ public abstract class ClassUtils {
 Method specificMethod = null;
 if (method != null && isOverridable(method, targetClass) && targetClass != null && !targetClass.equals(method.getDeclaringClass())) {
-specificMethod = ReflectionUtils.findMethod(targetClass, method.getName(), method.getParameterTypes());
+try {
+specificMethod = ReflectionUtils.findMethod(targetClass, method.getName(), method.getParameterTypes());
+} catch (AccessControlException ex) {
+// security settings are disallowing reflective access; leave
+// 'specificMethod' null and fall back to 'method' below
+}
 }
 return (specificMethod != null ? specificMethod : method);
 }
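Review bot: The new `} catch (AccessControlException ex) {` is narrower than the failure it is meant to absorb: `Class#getDeclaredMethods`, which the new javadoc itself names as the trigger, is specified to throw `SecurityException`, and `AccessControlException` is only the subtype produced when a `SecurityManager` delegates to `AccessController.checkPermission`; a custom `SecurityManager` that throws a plain `SecurityException` from its member/package access checks would still propagate out of `getMostSpecificMethod`, which is exactly the case this patch sets out to defend against. Catching the base type covers every policy implementation with a one-token change, `} catch (SecurityException ex) {`, and since `SecurityException` lives in `java.lang` the `java.security.AccessControlException` import added in the first hunk becomes unnecessary; the javadoc NOTE in the second hunk should then say "throw a SecurityException" rather than describing the narrower type. Swallowing the exception is reasonable for this best-effort lookup because the caller still receives the method it passed in, so the fallback never widens access beyond what the caller already held; I would add `// deliberately swallowed: the caller's own 'method' remains a valid, less specific answer` to make that intent explicit for the next reader. The enclosing `getMostSpecificMethod` signature lies above the hunk, so I have not verified whether any other reflective call in the method body sits outside the new try block.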