Many Java frameworks allow class members used for injection to be declared non-public. For example, injected variables in Spring and EJB 3 may be private. JPA allows properties of a persistent class to be protected or package-private.
We know it’s better to declare methods non-public if you can. That being said, if I’m not mistaken, allowing these frameworks to access non-public members only works with the default Java security manager. Doesn’t it mean that custom code can also gain access to non-public members via reflection by calling setAccessible(), which would compromise security?
Which begs this question: What is the best practice when setting the access level for injection methods?
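The behaviour the question describes, shown as an added example (not code from the original post or from Spring/EJB/JPA): a class with a private field such as an injected dependency, a helper that reads it through `Field.setAccessible(true)` exactly as a DI framework would, and a hypothetical `SecurityManager` that denies `ReflectPermission("suppressAccessChecks")`, which is the permission `setAccessible` checks when a manager is installed. `PaymentService`, its `apiKey` value and `NoReflectionManager` are all constructed for the demo. Two caveats a practitioner should know: since Java 9 the module system, not the security manager, is the main barrier (`setAccessible` throws `InaccessibleObjectException` for members of a named module whose package is not opened to the caller, but classpath code in the unnamed module is unaffected, as here), and the `SecurityManager` API is deprecated for removal; on JDK 18 to 23 the second half of `main` needs `-Djava.security.manager=allow`, and on JDK 24+ it cannot run at all (JEP 486).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

public class SetAccessibleDemo {

    // Constructed sample: a service whose dependency is injected into a private field.
    static class PaymentService {
        private String apiKey = "constructed-sample-key"; // not a real credential
    }

    /** Reads a private field by reflection, the way an injection framework does. */
    static String readPrivateField(Object target, String name) throws Exception {
        Field f = target.getClass().getDeclaredField(name);
        // With a SecurityManager installed this calls
        // checkPermission(new ReflectPermission("suppressAccessChecks")).
        f.setAccessible(true);
        return (String) f.get(target);
    }

    /** Hypothetical manager that only blocks suppression of access checks. */
    static class NoReflectionManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof ReflectPermission
                    && "suppressAccessChecks".equals(perm.getName())) {
                throw new SecurityException("reflective access to non-public members denied");
            }
            // Everything else is allowed so the demo stays focused on setAccessible.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    public static void main(String[] args) throws Exception {
        PaymentService svc = new PaymentService();

        // 1. No SecurityManager (the JVM default): any classpath code can read the private field.
        System.out.print("without manager: ");
        System.out.println(readPrivateField(svc, "apiKey"));

        // 2. A manager that denies suppressAccessChecks makes setAccessible(true) throw.
        //    JDK 18-23: run with -Djava.security.manager=allow. JDK 24+: unsupported (JEP 486).
        System.setSecurityManager(new NoReflectionManager());
        try {
            readPrivateField(svc, "apiKey");
            System.out.println("with manager: access unexpectedly succeeded");
        } catch (SecurityException e) {
            System.out.print("with manager: ");
            System.out.println(e.getMessage());
        }
    }
}
```

Run with `javac SetAccessibleDemo.java && java -Djava.security.manager=allow SetAccessibleDemo` on JDK 17 to 23; the first line prints the field value and the second prints the denial. The point for the question: the `private` modifier is a compile-time and linkage control, not an isolation boundary between trusted and untrusted code in the same JVM, and whatever lets a framework bypass it lets any other code on the classpath do the same.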
Typically a class needs to opt-in to a persistence mechanism. For instance, Java serialisation requires a class to implement java.io.Serializable. It is the responsibility of classes that implement Serializable to ensure that they are secure. Where a library allows poking of privates through an external configuration file, then that should not be trusted – reflection is really dangerous and its use is usually messed up. Of course if you do find a vulnerability, please report it to the appropriate group.