{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 仙女界的扛把子 的问题《Are private methods really safe?》','https://www.manongdao.com/q-456237.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
In Java the private access modifier consider as safe since it is not visible outside of the class. Then outside world doesn't know about that method either.
But I thought Java reflection can use to break this rule. Consider following case:
public class ProtectedPrivacy{
private String getInfo(){
return "confidential";
}
}
Now from another class I am going to get Info:
public class BreakPrivacy{
public static void main(String[] args) throws Exception {
ProtectedPrivacy protectedPrivacy = new ProtectedPrivacy();
Method method = protectedPrivacy.getClass().getDeclaredMethod("getInfo", null);
method.setAccessible(true);
Object result = method.invoke(protectedPrivacy);
System.out.println(result.toString());
}
}
At this moment I just thought still private method safe since to do some thing like above we must know method name. But if class which contain private method written by some one else we don't have visibility of those.
But my point become invalid since below line of code.
Method method[] = new ProtectedPrivacy().getClass().getDeclaredMethods();
Now this method[] contains all the things need to do above thing. My question is, is there a way to avoid this kind of things doing using Java reflection?
I am quote some point from Java Documentation to clarify my question.
Tips on Choosing an Access Level:
If other programmers use your class, you want to ensure that errors from misuse cannot happen. Access levels can help you do this.Use the most restrictive access level that makes sense for a particular member. Use private unless you have a good reason not to.
Assuming you trust the client programmer of your API, another way of looking at is how 'safe' it is for them to use those particular functions.
Your publicly available functions should provide a clear, well-documented, rarely-changing interface into your code. Your private functions can be considered an implementation detail and may change over time, so are not safe to use directly.
If a client programmer goes out of their way to circumvent these abstractions, they are in a way declaring that they know what they are doing. More importantly, they understand that it is unsupported and may stop working with future versions of your code.
privateis not for security, it is to keep the code clean and to prevent mistakes. It allows users to modularize the code (and how it is developed) without having to worry about all the details of the other modulesOnce you release your code, people can figure out how it works. There's no way to "hide" the logic if you eventually want the code to run on a computer. Even compiling to binary is jsut a level of obfuscation.
So, there's no way that you can set up your API to do special things that you don't want others to be able to call. In the case of a web API, you could put the methods you want control over on the server side.
The question is who are you trying to save it from. In my opinion, such a client of your code is the one at a loss here.
Any piece of code (written by you or others) which tries to access a
privatemember of the above class is essentially digging its own grave.privatemembers don't make a part of the public API and are subject to change without notice. If a client happens to consume one of such private members in the manner given above, it's going to break if it upgrades to a newer version of the API in which the private member got modified.By saying 'safe', you are protecting you or other developers, which are using your API to not harm the object by calling your private method. But if you or they really need to call this method, they can do it with Reflection.
With facility, there comes responsibility. There are thing's you can't do, & things you can do but you shouldn't do.
Private modifier is provided/used as/in the most restricted manner. Members which should not be visible outside the class shall be defined as private. But this can be broken with Reflection as we see. But this does not mean that you should not use private - or they are unsafe. It is about you shall use things judiciously or in constructive manner (like reflection).
It depends on what you mean by "safe". If you're running with a security manager that allows this sort of thing, then yes, you can do all kinds of nasty things with reflection. But then in that kind of environment the library can probably just be modified to make the method public anyway.
Access control is effectively "advisory" in an environment like that - you're effectively trusting the code to play nicely. If you don't trust the code you're running, you should use a more restrictive security manager.