可能每款成熟的金融app上架前都会经过层层安全检测才能执行上架，所以我隔三差五就能看到安全检测报告中提到的问题，根据问题的不同级别，处理的优先级也有所不同，此次讲的主要是一个 “轻度问题” ，个人认为属于那种可改不可改的状态

Tip：因并未重新进行安全检测，尚不确定该方式是否能解决实际提到的问题

所遇问题

漏洞描述：AccessibleObject 类 允许程序员绕过 由 Java 访问说明符提供的 访问控制（access control）检查，特别是他让程序员能够允许反射对象绕过 Java access control，并反过来更改私有字段或调用私有方法、行为，这些通常情况下都是不允许的 |

漏洞影响：不符合安全准则，绕过部分安全控制

解决建议：建议应用服务器或者应用程序使用 SecurityManager的。如果存在System.getSecurityManager则该方法会必须先经过它的同意才能调用（这条建议是安全中心给出的，然后我全局都搜索不到SecurityManager、System.getSecurityManager，起初先忽略了，回头看的时候在最后补充了相关内容）

触发安全风险的伪代码示例

---

自我求知

解决问题的第一步是明确问题的产生原因，然后针对于此进行逐步解决

结论先行：项目中存在类（对象）操作的相关代码

• 当编译时，编译器会进行访问（权限）检查
• 可以通过setAccessible方法屏蔽或者说禁用运行时访问检查

setAccessible

在安全中心给出的风险代码段中 ，核心风险代码为 setAccessible(true)，那么有必要先了解一下此为何物

之前在 java setaccessible 用处 中看到一个简短描述，提示了可能存在潜在风险

按照我看源码的猜想，不论访问权限是（public、private）哪种，setAccessible 在底层中默认应该都是 false，意味着都需要接受权限检查，主要区别在于 public 可以通过检查，而 private 通不过

setAccessible(boolean flag) 方法是 AccessibleObject 类中的一个方法，它是 Field、 Method、Constructor的公共父类。

通过反射Class类后，以下三种都是其内部可反射的范围，当触发这些场景将执行运行时访问检查：

• Field（字段） 设置字段（set(Object obj, Object value)）或获取字段（get(Object obj)）
• Method（方法） 调用方法（invoke(Object obj, Object… args)）
• Constructor（构造函数） 创建和初始化类的新实例（newInstance(Object… initargs)）

反射原理

Java反射是一种强大的特性，它允许程序在运行时动态地获取和操作类的信息。通过反射，我们可以创建对象、调用方法和访问字段，而不需要提前知道类的具体定义。

Java反射的原理基于Java的运行时数据区域（Runtime Data Area）和类加载机制。当Java虚拟机加载一个类时，它将类的字节码文件加载到内存中，并在方法区创建一个Class对象来表示该类。

因为Class对象包含了类的完整信息，包括类的构造函数、方法、字段等；所以可以通过反射提供的一系列方法在运行时来获取Class对象、获取构造函数、获取方法、获取字段等。

---

解决过程

起初看到这个问题，我认为是没必要解决，所以直接拒了需求方，然后因为工作态度就被上了一课，然后直接给我发了一个别人的处理方式 - field.setAccessible(true)；代码扫描有安全漏洞,解决方案

第一阶段

AccessibleObject类是 Field、Method和Constructor对象的基类，能够允许反射对象修改访问权限修饰符，绕过由Java访问修饰符提供的访问控制检查。它让程序员能够更改私有字段或调用私有方法，这在通常情况下是不允许的！

例如：以下代码片段中，将Field将accessible标记设置为true。

 Class clazz = User.class;Field field = clazz.getField("name");field.setAccessible(true);

如果为false，则其中的私有字段不能够被访问到的，所以不可以注掉。

 ReflectionUtils.makeAccessible(field);

个人想法：起初不确定是用 ReflectionUtils.makeAccessible(field) 替换 field.setAccessible(true) ，还行是在尾端加入ReflectionUtils.makeAccessible(field) ，所以可以先看看源码（后续会提到该类详情），可以看出在源码中做了权限检查后才确定是否禁用权限检查

调用代码，类似如下

 Class clazz = User.class;Field field = clazz.getField("name");ReflectionUtils.makeAccessible(field);

第二阶段

因为这里并未提供 ReflectionUtils 工具类，所以自行搜索到了 ReflectionUtils反射工具：精要介绍与实战应用指南

作者说：org.springframework.util.ReflectionUtils 是 Spring 框架提供的一个反射工具类，它封装了 Java 反射 API 的一些常用操作，使得我们能够更加方便、简洁地使用反射功能…

这篇Blog内并不是一无所获，至少我们可以看到这款工具类的相关调用方式！

那么接了下来我们就去找一下 Android 的 ReflectionUtils 工具类

---

最终方案

经自我查证和同事推荐，主要找到俩种方法，处理方式应该是一样的，但是这种方法是否真的能解决问题？我目前对最终结果保持怀疑态度

解决方式

ReflectionUtils

找了半天在 Android反射机制简单理解，ReflectionUtils 反射工具类 看到一个类似的 ReflectionUtils（可直接copy）

package xxx;import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.UndeclaredThrowableException;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;public class ReflectionUtils {/*** Pattern for detecting CGLIB-renamed methods.* @see #isCglibRenamedMethod*/private static final Pattern CGLIB_RENAMED_METHOD_PATTERN = Pattern.compile("CGLIB\\$(.+)\\$\\d+");/*** Attempt to find a {@link Field field} on the supplied {@link Class} with the* supplied {@code name}. Searches all superclasses up to {@link Object}.* @param clazz the class to introspect* @param name the name of the field* @return the corresponding Field object, or {@code null} if not found*/public static Field findField(Class<?> clazz, String name) {return findField(clazz, name, null);}/*** Attempt to find a {@link Field field} on the supplied {@link Class} with the* supplied {@code name} and/or {@link Class type}. Searches all superclasses* up to {@link Object}.* @param clazz the class to introspect* @param name the name of the field (may be {@code null} if type is specified)* @param type the type of the field (may be {@code null} if name is specified)* @return the corresponding Field object, or {@code null} if not found*/public static Field findField(Class<?> clazz, String name, Class<?> type) {//Assert.notNull(clazz, "Class must not be null");//Assert.isTrue(name != null || type != null, "Either name or type of the field must be specified");Class<?> searchType = clazz;while (!Object.class.equals(searchType) && searchType != null) {Field[] fields = searchType.getDeclaredFields();for (Field field : fields) {if ((name == null || name.equals(field.getName())) && (type == null || type.equals(field.getType()))) {return field;}}searchType = searchType.getSuperclass();}return null;}/*** Set the field represented by the supplied {@link Field field object} on the* specified {@link Object target object} to the specified {@code value}.* In accordance with {@link Field#set(Object, Object)} semantics, the new value* is automatically unwrapped if the underlying field has a primitive type.* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.* @param field the field to set* @param target the target object on which to set the field* @param value the value to set; may be {@code null}*/public static void setField(Field field, Object target, Object value) {try {field.set(target, value);}catch (IllegalAccessException ex) {handleReflectionException(ex);throw new IllegalStateException("Unexpected reflection exception - " + ex.getClass().getName() + ": " + ex.getMessage());}}/*** Get the field represented by the supplied {@link Field field object} on the* specified {@link Object target object}. In accordance with {@link Field#get(Object)}* semantics, the returned value is automatically wrapped if the underlying field* has a primitive type.* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.* @param field the field to get* @param target the target object from which to get the field* @return the field's current value*/public static Object getField(Field field, Object target) {try {return field.get(target);}catch (IllegalAccessException ex) {handleReflectionException(ex);throw new IllegalStateException("Unexpected reflection exception - " + ex.getClass().getName() + ": " + ex.getMessage());}}/*** Attempt to find a {@link Method} on the supplied class with the supplied name* and no parameters. Searches all superclasses up to {@code Object}.* <p>Returns {@code null} if no {@link Method} can be found.* @param clazz the class to introspect* @param name the name of the method* @return the Method object, or {@code null} if none found*/public static Method findMethod(Class<?> clazz, String name) {return findMethod(clazz, name, new Class<?>[0]);}/*** Attempt to find a {@link Method} on the supplied class with the supplied name* and parameter types. Searches all superclasses up to {@code Object}.* <p>Returns {@code null} if no {@link Method} can be found.* @param clazz the class to introspect* @param name the name of the method* @param paramTypes the parameter types of the method* (may be {@code null} to indicate any signature)* @return the Method object, or {@code null} if none found*/public static Method findMethod(Class<?> clazz, String name, Class<?>... paramTypes) {//Assert.notNull(clazz, "Class must not be null");//Assert.notNull(name, "Method name must not be null");Class<?> searchType = clazz;while (searchType != null) {Method[] methods = (searchType.isInterface() ? searchType.getMethods() : searchType.getDeclaredMethods());for (Method method : methods)if (name.equals(method.getName()) &&(paramTypes == null || Arrays.equals(paramTypes, method.getParameterTypes()))) {return method;}searchType = searchType.getSuperclass();}return null;}/*** Invoke the specified {@link Method} against the supplied target object with no arguments.* The target object can be {@code null} when invoking a static {@link Method}.* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.* @param method the method to invoke* @param target the target object to invoke the method on* @return the invocation result, if any* @see #invokeMethod(Method, Object, Object[])*/public static Object invokeMethod(Method method, Object target) {return invokeMethod(method, target, new Object[0]);}/*** Invoke the specified {@link Method} against the supplied target object with the* supplied arguments. The target object can be {@code null} when invoking a* static {@link Method}.* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.* @param method the method to invoke* @param target the target object to invoke the method on* @param args the invocation arguments (may be {@code null})* @return the invocation result, if any*/public static Object invokeMethod(Method method, Object target, Object... args) {try {return method.invoke(target, args);}catch (Exception ex) {handleReflectionException(ex);}throw new IllegalStateException("Should never get here");}/*** Invoke the specified JDBC API {@link Method} against the supplied target* object with no arguments.* @param method the method to invoke* @param target the target object to invoke the method on* @return the invocation result, if any* @throws SQLException the JDBC API SQLException to rethrow (if any)* @see #invokeJdbcMethod(Method, Object, Object[])*/public static Object invokeJdbcMethod(Method method, Object target) throws SQLException {return invokeJdbcMethod(method, target, new Object[0]);}/*** Invoke the specified JDBC API {@link Method} against the supplied target* object with the supplied arguments.* @param method the method to invoke* @param target the target object to invoke the method on* @param args the invocation arguments (may be {@code null})* @return the invocation result, if any* @throws SQLException the JDBC API SQLException to rethrow (if any)* @see #invokeMethod(Method, Object, Object[])*/public static Object invokeJdbcMethod(Method method, Object target, Object... args) throws SQLException {try {return method.invoke(target, args);}catch (IllegalAccessException ex) {handleReflectionException(ex);}catch (InvocationTargetException ex) {if (ex.getTargetException() instanceof SQLException) {throw (SQLException) ex.getTargetException();}handleInvocationTargetException(ex);}throw new IllegalStateException("Should never get here");}/*** Handle the given reflection exception. Should only be called if no* checked exception is expected to be thrown by the target method.* <p>Throws the underlying RuntimeException or Error in case of an* InvocationTargetException with such a root cause. Throws an* IllegalStateException with an appropriate message else.* @param ex the reflection exception to handle*/public static void handleReflectionException(Exception ex) {if (ex instanceof NoSuchMethodException) {throw new IllegalStateException("Method not found: " + ex.getMessage());}if (ex instanceof IllegalAccessException) {throw new IllegalStateException("Could not access method: " + ex.getMessage());}if (ex instanceof InvocationTargetException) {handleInvocationTargetException((InvocationTargetException) ex);}if (ex instanceof RuntimeException) {throw (RuntimeException) ex;}throw new UndeclaredThrowableException(ex);}/*** Handle the given invocation target exception. Should only be called if no* checked exception is expected to be thrown by the target method.* <p>Throws the underlying RuntimeException or Error in case of such a root* cause. Throws an IllegalStateException else.* @param ex the invocation target exception to handle*/public static void handleInvocationTargetException(InvocationTargetException ex) {rethrowRuntimeException(ex.getTargetException());}/*** Rethrow the given {@link Throwable exception}, which is presumably the* <em>target exception</em> of an {@link InvocationTargetException}. Should* only be called if no checked exception is expected to be thrown by the* target method.* <p>Rethrows the underlying exception cast to an {@link RuntimeException} or* {@link Error} if appropriate; otherwise, throws an* {@link IllegalStateException}.* @param ex the exception to rethrow* @throws RuntimeException the rethrown exception*/public static void rethrowRuntimeException(Throwable ex) {if (ex instanceof RuntimeException) {throw (RuntimeException) ex;}if (ex instanceof Error) {throw (Error) ex;}throw new UndeclaredThrowableException(ex);}/*** Rethrow the given {@link Throwable exception}, which is presumably the* <em>target exception</em> of an {@link InvocationTargetException}. Should* only be called if no checked exception is expected to be thrown by the* target method.* <p>Rethrows the underlying exception cast to an {@link Exception} or* {@link Error} if appropriate; otherwise, throws an* {@link IllegalStateException}.* @param ex the exception to rethrow* @throws Exception the rethrown exception (in case of a checked exception)*/public static void rethrowException(Throwable ex) throws Exception {if (ex instanceof Exception) {throw (Exception) ex;}if (ex instanceof Error) {throw (Error) ex;}throw new UndeclaredThrowableException(ex);}/*** Determine whether the given method explicitly declares the given* exception or one of its superclasses, which means that an exception of* that type can be propagated as-is within a reflective invocation.* @param method the declaring method* @param exceptionType the exception to throw* @return {@code true} if the exception can be thrown as-is;* {@code false} if it needs to be wrapped*/public static boolean declaresException(Method method, Class<?> exceptionType) {//Assert.notNull(method, "Method must not be null");Class<?>[] declaredExceptions = method.getExceptionTypes();for (Class<?> declaredException : declaredExceptions) {if (declaredException.isAssignableFrom(exceptionType)) {return true;}}return false;}/*** Determine whether the given field is a "public static final" constant.* @param field the field to check*/public static boolean isPublicStaticFinal(Field field) {int modifiers = field.getModifiers();return (Modifier.isPublic(modifiers) && Modifier.isStatic(modifiers) && Modifier.isFinal(modifiers));}/*** Determine whether the given method is an "equals" method.* @see Object#equals(Object)*/public static boolean isEqualsMethod(Method method) {if (method == null || !method.getName().equals("equals")) {return false;}Class<?>[] paramTypes = method.getParameterTypes();return (paramTypes.length == 1 && paramTypes[0] == Object.class);}/*** Determine whether the given method is a "hashCode" method.* @see Object#hashCode()*/public static boolean isHashCodeMethod(Method method) {return (method != null && method.getName().equals("hashCode") && method.getParameterTypes().length == 0);}/*** Determine whether the given method is a "toString" method.* @see Object#toString()*/public static boolean isToStringMethod(Method method) {return (method != null && method.getName().equals("toString") && method.getParameterTypes().length == 0);}/*** Determine whether the given method is originally declared by {@link Object}.*/public static boolean isObjectMethod(Method method) {if (method == null) {return false;}try {Object.class.getDeclaredMethod(method.getName(), method.getParameterTypes());return true;}catch (Exception ex) {return false;}}/*** Determine whether the given method is a CGLIB 'renamed' method,* following the pattern "CGLIB$methodName$0".* @param renamedMethod the method to check* @see //org.springframework.cglib.proxy.Enhancer#rename*/public static boolean isCglibRenamedMethod(Method renamedMethod) {return CGLIB_RENAMED_METHOD_PATTERN.matcher(renamedMethod.getName()).matches();}/*** Make the given field accessible, explicitly setting it accessible if* necessary. The {@code setAccessible(true)} method is only called* when actually necessary, to avoid unnecessary conflicts with a JVM* SecurityManager (if active).* @param field the field to make accessible* @see Field#setAccessible*/public static void makeAccessible(Field field) {if ((!Modifier.isPublic(field.getModifiers()) || !Modifier.isPublic(field.getDeclaringClass().getModifiers()) ||Modifier.isFinal(field.getModifiers())) && !field.isAccessible()) {field.setAccessible(true);}}/*** Make the given method accessible, explicitly setting it accessible if* necessary. The {@code setAccessible(true)} method is only called* when actually necessary, to avoid unnecessary conflicts with a JVM* SecurityManager (if active).* @param method the method to make accessible* @see Method#setAccessible*/public static void makeAccessible(Method method) {if ((!Modifier.isPublic(method.getModifiers()) || !Modifier.isPublic(method.getDeclaringClass().getModifiers()))&& !method.isAccessible()) {method.setAccessible(true);}}/*** Make the given constructor accessible, explicitly setting it accessible* if necessary. The {@code setAccessible(true)} method is only called* when actually necessary, to avoid unnecessary conflicts with a JVM* SecurityManager (if active).* @param ctor the constructor to make accessible* @see Constructor#setAccessible*/public static void makeAccessible(Constructor<?> ctor) {if ((!Modifier.isPublic(ctor.getModifiers()) || !Modifier.isPublic(ctor.getDeclaringClass().getModifiers()))&& !ctor.isAccessible()) {ctor.setAccessible(true);}}/*** Perform the given callback operation on all matching methods of the given* class and superclasses.* <p>The same named method occurring on subclass and superclass will appear* twice, unless excluded by a {@link MethodFilter}.* @param clazz class to start looking at* @param mc the callback to invoke for each method* @see #doWithMethods(Class, MethodCallback, MethodFilter)*/public static void doWithMethods(Class<?> clazz, MethodCallback mc) throws IllegalArgumentException {doWithMethods(clazz, mc, null);}/*** Perform the given callback operation on all matching methods of the given* class and superclasses (or given interface and super-interfaces).* <p>The same named method occurring on subclass and superclass will appear* twice, unless excluded by the specified {@link MethodFilter}.* @param clazz class to start looking at* @param mc the callback to invoke for each method* @param mf the filter that determines the methods to apply the callback to*/public static void doWithMethods(Class<?> clazz, MethodCallback mc, MethodFilter mf)throws IllegalArgumentException {// Keep backing up the inheritance hierarchy.Method[] methods = clazz.getDeclaredMethods();for (Method method : methods) {if (mf != null && !mf.matches(method)) {continue;}try {mc.doWith(method);}catch (IllegalAccessException ex) {throw new IllegalStateException("Shouldn't be illegal to access method '" + method.getName()+ "': " + ex);}}if (clazz.getSuperclass() != null) {doWithMethods(clazz.getSuperclass(), mc, mf);}else if (clazz.isInterface()) {for (Class<?> superIfc : clazz.getInterfaces()) {doWithMethods(superIfc, mc, mf);}}}/*** Get all declared methods on the leaf class and all superclasses. Leaf* class methods are included first.*/public static Method[] getAllDeclaredMethods(Class<?> leafClass) throws IllegalArgumentException {final List<Method> methods = new ArrayList<Method>(32);doWithMethods(leafClass, new MethodCallback() {public void doWith(Method method) {methods.add(method);}});return methods.toArray(new Method[methods.size()]);}/*** Get the unique set of declared methods on the leaf class and all superclasses. Leaf* class methods are included first and while traversing the superclass hierarchy any methods found* with signatures matching a method already included are filtered out.*/public static Method[] getUniqueDeclaredMethods(Class<?> leafClass) throws IllegalArgumentException {final List<Method> methods = new ArrayList<Method>(32);doWithMethods(leafClass, new MethodCallback() {public void doWith(Method method) {boolean knownSignature = false;Method methodBeingOverriddenWithCovariantReturnType = null;for (Method existingMethod : methods) {if (method.getName().equals(existingMethod.getName()) &&Arrays.equals(method.getParameterTypes(), existingMethod.getParameterTypes())) {// Is this a covariant return type situation?if (existingMethod.getReturnType() != method.getReturnType() &&existingMethod.getReturnType().isAssignableFrom(method.getReturnType())) {methodBeingOverriddenWithCovariantReturnType = existingMethod;}else {knownSignature = true;}break;}}if (methodBeingOverriddenWithCovariantReturnType != null) {methods.remove(methodBeingOverriddenWithCovariantReturnType);}if (!knownSignature && !isCglibRenamedMethod(method)) {methods.add(method);}}});return methods.toArray(new Method[methods.size()]);}/*** Invoke the given callback on all fields in the target class, going up the* class hierarchy to get all declared fields.* @param clazz the target class to analyze* @param fc the callback to invoke for each field*/public static void doWithFields(Class<?> clazz, FieldCallback fc) throws IllegalArgumentException {doWithFields(clazz, fc, null);}/*** Invoke the given callback on all fields in the target class, going up the* class hierarchy to get all declared fields.* @param clazz the target class to analyze* @param fc the callback to invoke for each field* @param ff the filter that determines the fields to apply the callback to*/public static void doWithFields(Class<?> clazz, FieldCallback fc, FieldFilter ff)throws IllegalArgumentException {// Keep backing up the inheritance hierarchy.Class<?> targetClass = clazz;do {Field[] fields = targetClass.getDeclaredFields();for (Field field : fields) {// Skip static and final fields.if (ff != null && !ff.matches(field)) {continue;}try {fc.doWith(field);}catch (IllegalAccessException ex) {throw new IllegalStateException("Shouldn't be illegal to access field '" + field.getName() + "': " + ex);}}targetClass = targetClass.getSuperclass();}while (targetClass != null && targetClass != Object.class);}/*** Given the source object and the destination, which must be the same class* or a subclass, copy all fields, including inherited fields. Designed to* work on objects with public no-arg constructors.* @throws IllegalArgumentException if the arguments are incompatible*/public static void shallowCopyFieldState(final Object src, final Object dest) throws IllegalArgumentException {if (src == null) {throw new IllegalArgumentException("Source for field copy cannot be null");}if (dest == null) {throw new IllegalArgumentException("Destination for field copy cannot be null");}if (!src.getClass().isAssignableFrom(dest.getClass())) {throw new IllegalArgumentException("Destination class [" + dest.getClass().getName()+ "] must be same or subclass as source class [" + src.getClass().getName() + "]");}doWithFields(src.getClass(), new FieldCallback() {public void doWith(Field field) throws IllegalArgumentException, IllegalAccessException {makeAccessible(field);Object srcValue = field.get(src);field.set(dest, srcValue);}}, COPYABLE_FIELDS);}/*** Action to take on each method.*/public interface MethodCallback {/*** Perform an operation using the given method.* @param method the method to operate on*/void doWith(Method method) throws IllegalArgumentException, IllegalAccessException;}/*** Callback optionally used to filter methods to be operated on by a method callback.*/public interface MethodFilter {/*** Determine whether the given method matches.* @param method the method to check*/boolean matches(Method method);}/*** Callback interface invoked on each field in the hierarchy.*/public interface FieldCallback {/*** Perform an operation using the given field.* @param field the field to operate on*/void doWith(Field field) throws IllegalArgumentException, IllegalAccessException;}/*** Callback optionally used to filter fields to be operated on by a field callback.*/public interface FieldFilter {/*** Determine whether the given field matches.* @param field the field to check*/boolean matches(Field field);}/*** Pre-built FieldFilter that matches all non-static, non-final fields.*/public static FieldFilter COPYABLE_FIELDS = new FieldFilter() {public boolean matches(Field field) {return !(Modifier.isStatic(field.getModifiers()) || Modifier.isFinal(field.getModifiers()));}};/*** Pre-built MethodFilter that matches all non-bridge methods.*/public static MethodFilter NON_BRIDGED_METHODS = new MethodFilter() {public boolean matches(Method method) {return !method.isBridge();}};/*** Pre-built MethodFilter that matches all non-bridge methods* which are not declared on {@code java.lang.Object}.*/public static MethodFilter USER_DECLARED_METHODS = new MethodFilter() {public boolean matches(Method method) {return (!method.isBridge() && method.getDeclaringClass() != Object.class);}};
}

ReflectionHelper

ReflectionHelper 是 google.gson 提供的一个类，有需要的话可以引入 gson 依赖，不确定copy后是否可直接使用（如果有包内关联类的话，最好是引入依赖）

package com.google.gson.internal.reflect;import com.google.gson.JsonIOException;
import com.google.gson.internal.GsonBuildConfig;
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;public class ReflectionHelper {private static final RecordHelper RECORD_HELPER;static {RecordHelper instance;try {// Try to construct the RecordSupportedHelper, if this fails, records are not supported on this JVM.instance = new RecordSupportedHelper();} catch (NoSuchMethodException e) {instance = new RecordNotSupportedHelper();}RECORD_HELPER = instance;}private ReflectionHelper() {}/*** Internal implementation of making an {@link AccessibleObject} accessible.** @param object the object that {@link AccessibleObject#setAccessible(boolean)} should be called on.* @throws JsonIOException if making the object accessible fails*/public static void makeAccessible(AccessibleObject object) throws JsonIOException {try {object.setAccessible(true);} catch (Exception exception) {String description = getAccessibleObjectDescription(object, false);throw new JsonIOException("Failed making " + description + " accessible; either increase its visibility"+ " or write a custom TypeAdapter for its declaring type.", exception);}}/*** Returns a short string describing the {@link AccessibleObject} in a human-readable way.* The result is normally shorter than {@link AccessibleObject#toString()} because it omits* modifiers (e.g. {@code final}) and uses simple names for constructor and method parameter* types.** @param object object to describe* @param uppercaseFirstLetter whether the first letter of the description should be uppercased*/public static String getAccessibleObjectDescription(AccessibleObject object, boolean uppercaseFirstLetter) {String description;if (object instanceof Field) {description = "field '" + fieldToString((Field) object) + "'";} else if (object instanceof Method) {Method method = (Method) object;StringBuilder methodSignatureBuilder = new StringBuilder(method.getName());appendExecutableParameters(method, methodSignatureBuilder);String methodSignature = methodSignatureBuilder.toString();description = "method '" + method.getDeclaringClass().getName() + "#" + methodSignature + "'";} else if (object instanceof Constructor) {description = "constructor '" + constructorToString((Constructor<?>) object) + "'";} else {description = "<unknown AccessibleObject> " + object.toString();}if (uppercaseFirstLetter && Character.isLowerCase(description.charAt(0))) {description = Character.toUpperCase(description.charAt(0)) + description.substring(1);}return description;}/*** Creates a string representation for a field, omitting modifiers and* the field type.*/public static String fieldToString(Field field) {return field.getDeclaringClass().getName() + "#" + field.getName();}/*** Creates a string representation for a constructor.* E.g.: {@code java.lang.String(char[], int, int)}*/public static String constructorToString(Constructor<?> constructor) {StringBuilder stringBuilder = new StringBuilder(constructor.getDeclaringClass().getName());appendExecutableParameters(constructor, stringBuilder);return stringBuilder.toString();}// Note: Ideally parameter type would be java.lang.reflect.Executable, but that was added in Java 8private static void appendExecutableParameters(AccessibleObject executable, StringBuilder stringBuilder) {stringBuilder.append('(');Class<?>[] parameters = (executable instanceof Method)? ((Method) executable).getParameterTypes(): ((Constructor<?>) executable).getParameterTypes();for (int i = 0; i < parameters.length; i++) {if (i > 0) {stringBuilder.append(", ");}stringBuilder.append(parameters[i].getSimpleName());}stringBuilder.append(')');}/*** Tries making the constructor accessible, returning an exception message* if this fails.** @param constructor constructor to make accessible* @return exception message; {@code null} if successful, non-{@code null} if*    unsuccessful*/public static String tryMakeAccessible(Constructor<?> constructor) {try {constructor.setAccessible(true);return null;} catch (Exception exception) {return "Failed making constructor '" + constructorToString(constructor) + "' accessible;"+ " either increase its visibility or write a custom InstanceCreator or TypeAdapter for"// Include the message since it might contain more detailed information+ " its declaring type: " + exception.getMessage();}}/** If records are supported on the JVM, this is equivalent to a call to Class.isRecord() */public static boolean isRecord(Class<?> raw) {return RECORD_HELPER.isRecord(raw);}public static String[] getRecordComponentNames(Class<?> raw) {return RECORD_HELPER.getRecordComponentNames(raw);}/** Looks up the record accessor method that corresponds to the given record field */public static Method getAccessor(Class<?> raw, Field field) {return RECORD_HELPER.getAccessor(raw, field);}public static <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {return RECORD_HELPER.getCanonicalRecordConstructor(raw);}public static RuntimeException createExceptionForUnexpectedIllegalAccess(IllegalAccessException exception) {throw new RuntimeException("Unexpected IllegalAccessException occurred (Gson " + GsonBuildConfig.VERSION + ")."+ " Certain ReflectionAccessFilter features require Java >= 9 to work correctly. If you are not using"+ " ReflectionAccessFilter, report this to the Gson maintainers.",exception);}private static RuntimeException createExceptionForRecordReflectionException(ReflectiveOperationException exception) {throw new RuntimeException("Unexpected ReflectiveOperationException occurred"+ " (Gson " + GsonBuildConfig.VERSION + ")."+ " To support Java records, reflection is utilized to read out information"+ " about records. All these invocations happens after it is established"+ " that records exist in the JVM. This exception is unexpected behavior.",exception);}/*** Internal abstraction over reflection when Records are supported.*/private abstract static class RecordHelper {abstract boolean isRecord(Class<?> clazz);abstract String[] getRecordComponentNames(Class<?> clazz);abstract <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw);public abstract Method getAccessor(Class<?> raw, Field field);}private static class RecordSupportedHelper extends RecordHelper {private final Method isRecord;private final Method getRecordComponents;private final Method getName;private final Method getType;private RecordSupportedHelper() throws NoSuchMethodException {isRecord = Class.class.getMethod("isRecord");getRecordComponents = Class.class.getMethod("getRecordComponents");// Class java.lang.reflect.RecordComponentClass<?> classRecordComponent = getRecordComponents.getReturnType().getComponentType();getName = classRecordComponent.getMethod("getName");getType = classRecordComponent.getMethod("getType");}@Overrideboolean isRecord(Class<?> raw) {try {return (boolean) isRecord.invoke(raw);} catch (ReflectiveOperationException e) {throw createExceptionForRecordReflectionException(e);}}@OverrideString[] getRecordComponentNames(Class<?> raw) {try {Object[] recordComponents = (Object[]) getRecordComponents.invoke(raw);String[] componentNames = new String[recordComponents.length];for (int i = 0; i < recordComponents.length; i++) {componentNames[i] = (String) getName.invoke(recordComponents[i]);}return componentNames;} catch (ReflectiveOperationException e) {throw createExceptionForRecordReflectionException(e);}}@Overridepublic <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {try {Object[] recordComponents = (Object[]) getRecordComponents.invoke(raw);Class<?>[] recordComponentTypes = new Class<?>[recordComponents.length];for (int i = 0; i < recordComponents.length; i++) {recordComponentTypes[i] = (Class<?>) getType.invoke(recordComponents[i]);}// Uses getDeclaredConstructor because implicit constructor has same visibility as record and might// therefore not be publicreturn raw.getDeclaredConstructor(recordComponentTypes);} catch (ReflectiveOperationException e) {throw createExceptionForRecordReflectionException(e);}}@Overridepublic Method getAccessor(Class<?> raw, Field field) {try {// Records consists of record components, each with a unique name, a corresponding field and accessor method// with the same name. Ref.: https://docs.oracle.com/javase/specs/jls/se17/html/jls-8.html#jls-8.10.3return raw.getMethod(field.getName());} catch (ReflectiveOperationException e) {throw createExceptionForRecordReflectionException(e);}}}/*** Instance used when records are not supported*/private static class RecordNotSupportedHelper extends RecordHelper {@Overrideboolean isRecord(Class<?> clazz) {return false;}@OverrideString[] getRecordComponentNames(Class<?> clazz) {throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}@Override<T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}@Overridepublic Method getAccessor(Class<?> raw, Field field) {throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}}
}

使用方式

仅需在原 setAccessible(true) 处采用 ReflectionHelper.makeAccessible(xxx) 或 ReflectionUtils.makeAccessible(xxx) 替换即可

---

SecurityManager 相关思考

在此之前我应该没了解过 SecurityManager ，这次应该是首次，以下主要是我的一些答疑

如何规避 setAccessible 风险？

Hint：伪代码其实就已经做了 try、catch 操作

SecurityManager 如何给 setAccessible 授权？

我理解的：根据结果来看就是不建议使用 setAccessible，如果要使用就用 SecurityManager 授权，但即使这样也不保证就能解决安全风险？

SecurityManager 如何使用？