安全风险 - 如何解决 setAccessible(true) 带来的安全风险？

可能每款成熟的金融app上架前都会经过层层安全检测才能执行上架，所以我隔三差五就能看到安全检测报告中提到的问题，根据问题的不同级别，处理的优先级也有所不同，此次讲的主要是一个 “轻度问题” ，个人认为属于那种可改不可改的状态

Tip：因并未重新进行安全检测，尚不确定该方式是否能解决实际提到的问题

人生处处是课堂

- 所遇问题
- 自我求知
- - setAccessible
  - 反射原理
- 解决过程
- - 第一阶段
  - 第二阶段
- 最终方案
- - 解决方式
  - - ReflectionUtils
    - ReflectionHelper
  - 使用方式
- SecurityManager 相关思考
- - 如何规避 setAccessible 风险？
  - SecurityManager 如何给 setAccessible 授权？
  - SecurityManager 如何使用？

所遇问题

漏洞描述：AccessibleObject 类允许程序员绕过由 Java 访问说明符提供的访问控制（access control）检查，特别是他让程序员能够允许反射对象绕过 Java access control，并反过来更改私有字段或调用私有方法、行为，这些通常情况下都是不允许的 |

漏洞影响：不符合安全准则，绕过部分安全控制

解决建议：建议应用服务器或者应用程序使用 SecurityManager的。如果存在System.getSecurityManager则该方法会必须先经过它的同意才能调用（这条建议是安全中心给出的，然后我全局都搜索不到SecurityManager、System.getSecurityManager，起初先忽略了，回头看的时候在最后补充了相关内容）

触发安全风险的伪代码示例

在这里插入图片描述

自我求知

解决问题的第一步是明确问题的产生原因，然后针对于此进行逐步解决

结论先行：项目中存在类（对象）操作的相关代码

当编译时，编译器会进行访问（权限）检查
可以通过setAccessible方法屏蔽或者说禁用运行时访问检查

setAccessible

在安全中心给出的风险代码段中，核心风险代码为 setAccessible(true)，那么有必要先了解一下此为何物

之前在 java setaccessible 用处中看到一个简短描述，提示了可能存在潜在风险

在这里插入图片描述

按照我看源码的猜想，不论访问权限是（public、private）哪种，setAccessible 在底层中默认应该都是 false，意味着都需要接受权限检查，主要区别在于 public 可以通过检查，而 private 通不过

setAccessible(boolean flag) 方法是 AccessibleObject 类中的一个方法，它是 Field、 Method、Constructor的公共父类。

在这里插入图片描述

通过反射Class类后，以下三种都是其内部可反射的范围，当触发这些场景将执行运行时访问检查：

Field（字段） 设置字段（set(Object obj, Object value)）或获取字段（get(Object obj)）
Method（方法） 调用方法（invoke(Object obj, Object… args)）
Constructor（构造函数） 创建和初始化类的新实例（newInstance(Object… initargs)）

反射原理

Java反射是一种强大的特性，它允许程序在运行时动态地获取和操作类的信息。通过反射，我们可以创建对象、调用方法和访问字段，而不需要提前知道类的具体定义。

Java反射的原理基于Java的运行时数据区域（Runtime Data Area）和类加载机制。当Java虚拟机加载一个类时，它将类的字节码文件加载到内存中，并在方法区创建一个Class对象来表示该类。

因为Class对象包含了类的完整信息，包括类的构造函数、方法、字段等；所以可以通过反射提供的一系列方法在运行时来获取Class对象、获取构造函数、获取方法、获取字段等。

解决过程

起初看到这个问题，我认为是没必要解决，所以直接拒了需求方，然后因为工作态度就被上了一课，然后直接给我发了一个别人的处理方式 - field.setAccessible(true)；代码扫描有安全漏洞,解决方案

第一阶段

AccessibleObject类是 Field、Method和Constructor对象的基类，能够允许反射对象修改访问权限修饰符，绕过由Java访问修饰符提供的访问控制检查。它让程序员能够更改私有字段或调用私有方法，这在通常情况下是不允许的！

例如：以下代码片段中，将Field将accessible标记设置为true。

 Class clazz = User.class;Field field = clazz.getField("name");field.setAccessible(true);

如果为false，则其中的私有字段不能够被访问到的，所以不可以注掉。

 ReflectionUtils.makeAccessible(field);

个人想法：起初不确定是用 ReflectionUtils.makeAccessible(field) 替换 field.setAccessible(true) ，还行是在尾端加入ReflectionUtils.makeAccessible(field) ，所以可以先看看源码（后续会提到该类详情），可以看出在源码中做了权限检查后才确定是否禁用权限检查

在这里插入图片描述

调用代码，类似如下

 Class clazz = User.class;Field field = clazz.getField("name");ReflectionUtils.makeAccessible(field);

第二阶段

因为这里并未提供 ReflectionUtils 工具类，所以自行搜索到了 ReflectionUtils反射工具：精要介绍与实战应用指南

作者说：org.springframework.util.ReflectionUtils 是 Spring 框架提供的一个反射工具类，它封装了 Java 反射 API 的一些常用操作，使得我们能够更加方便、简洁地使用反射功能…

这篇Blog内并不是一无所获，至少我们可以看到这款工具类的相关调用方式！

在这里插入图片描述
那么接了下来我们就去找一下 Android 的 ReflectionUtils 工具类

最终方案

经自我查证和同事推荐，主要找到俩种方法，处理方式应该是一样的，但是这种方法是否真的能解决问题？我目前对最终结果保持怀疑态度

解决方式

ReflectionUtils

找了半天在 Android反射机制简单理解，ReflectionUtils 反射工具类看到一个类似的 ReflectionUtils（可直接copy）

package xxx;import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.UndeclaredThrowableException;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;public class ReflectionUtils {/*** Pattern for detecting CGLIB-renamed methods.* @see #isCglibRenamedMethod*/private static final Pattern CGLIB_RENAMED_METHOD_PATTERN = Pattern.compile("CGLIB\\$(.+)\\$\\d+");/*** Attempt to find a {@link Field field} on the supplied {@link Class} with the* supplied {@code name}. Searches all superclasses up to {@link Object}.* @param clazz the class to introspect* @param name the name of the field* @return the corresponding Field object, or {@code null} if not found*/public static Field findField(Class<?> clazz, String name) {return findField(clazz, name, null);}/*** Attempt to find a {@link Field field} on the supplied {@link Class} with the* supplied {@code name} and/or {@link Class type}. Searches all superclasses* up to {@link Object}.* @param clazz the class to introspect* @param name the name of the field (may be {@code null} if type is specified)* @param type the type of the field (may be {@code null} if name is specified)* @return the corresponding Field object, or {@code null} if not found*/public static Field findField(Class<?> clazz, String name, Class<?> type) {//Assert.notNull(clazz, "Class must not be null");//Assert.isTrue(name != null || type != null, "Either name or type of the field must be specified");Class<?> searchType = clazz;while (!Object.class.equals(searchType) && searchType != null) {Field[] fields = searchType.getDeclaredFields();for (Field field : fields) {if ((name == null || name.equals(field.getName())) && (type == null || type.equals(field.getType()))) {return field;}}searchType = searchType.getSuperclass();}return null;}/*** Set the field represented by the supplied {@link Field field object} on the* specified {@link Object target object} to the specified {@code value}.* In accordance with {@link Field#set(Object, Object)} semantics, the new value* is automatically unwrapped if the underlying field has a primitive type.* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.* @param field the field to set* @param target the target object on which to set the field* @param value the value to set; may be {@code null}*/public static void setField(Field field, Object target, Object value) {try {field.set(target, value);}catch (IllegalAccessException ex) {handleReflectionException(ex);throw new IllegalStateException("Unexpected reflection exception - " + ex.getClass().getName() + ": " + ex.getMessage());}}/*** Get the field represented by the supplied {@link Field field object} on the* specified {@link Object target object}. In accordance with {@link Field#get(Object)}* semantics, the returned value is automatically wrapped if the underlying field* has a primitive type.* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException(Exception)}.* @param field the field to get* @param target the target object from which to get the field* @return the field's current value*/public static Object getField(Field field, Object target) {try {return field.get(target);}catch (IllegalAccessException ex) {handleReflectionException(ex);throw new IllegalStateException("Unexpected reflection exception - " + ex.getClass().getName() + ": " + ex.getMessage());}}/*** Attempt to find a {@link Method} on the supplied class with the supplied name* and no parameters. Searches all superclasses up to {@code Object}.* <p>Returns {@code null} if no {@link Method} can be found.* @param clazz the class to introspect* @param name the name of the method* @return the Method object, or {@code null} if none found*/public static Method findMethod(Class<?> clazz, String name) {return findMethod(clazz, name, new Class<?>[0]);}/*** Attempt to find a {@link Method} on the supplied class with the supplied name* and parameter types. Searches all superclasses up to {@code Object}.* <p>Returns {@code null} if no {@link Method} can be found.* @param clazz the class to introspect* @param name the name of the method* @param paramTypes the parameter types of the method* (may be {@code null} to indicate any signature)* @return the Method object, or {@code null} if none found*/public static Method findMethod(Class<?> clazz, String name, Class<?>... paramTypes) {//Assert.notNull(clazz, "Class must not be null");//Assert.notNull(name, "Method name must not be null");Class<?> searchType = clazz;while (searchType != null) {Method[] methods = (searchType.isInterface() ? searchType.getMethods() : searchType.getDeclaredMethods());for (Method method : methods)if (name.equals(method.getName()) &&(paramTypes == null || Arrays.equals(paramTypes, method.getParameterTypes()))) {return method;}searchType = searchType.getSuperclass();}return null;}/*** Invoke the specified {@link Method} against the supplied target object with no arguments.* The target object can be {@code null} when invoking a static {@link Method}.* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.* @param method the method to invoke* @param target the target object to invoke the method on* @return the invocation result, if any* @see #invokeMethod(Method, Object, Object[])*/public static Object invokeMethod(Method method, Object target) {return invokeMethod(method, target, new Object[0]);}/*** Invoke the specified {@link Method} against the supplied target object with the* supplied arguments. The target object can be {@code null} when invoking a* static {@link Method}.* <p>Thrown exceptions are handled via a call to {@link #handleReflectionException}.* @param method the method to invoke* @param target the target object to invoke the method on* @param args the invocation arguments (may be {@code null})* @return the invocation result, if any*/public static Object invokeMethod(Method method, Object target, Object... args) {try {return method.invoke(target, args);}catch (Exception ex) {handleReflectionException(ex);}throw new IllegalStateException("Should never get here");}/*** Invoke the specified JDBC API {@link Method} against the supplied target* object with no arguments.* @param method the method to invoke* @param target the target object to invoke the method on* @return the invocation result, if any* @throws SQLException the JDBC API SQLException to rethrow (if any)* @see #invokeJdbcMethod(Method, Object, Object[])*/public static Object invokeJdbcMethod(Method method, Object target) throws SQLException {return invokeJdbcMethod(method, target, new Object[0]);}/*** Invoke the specified JDBC API {@link Method} against the supplied target* object with the supplied arguments.* @param method the method to invoke* @param target the target object to invoke the method on* @param args the invocation arguments (may be {@code null})* @return the invocation result, if any* @throws SQLException the JDBC API SQLException to rethrow (if any)* @see #invokeMethod(Method, Object, Object[])*/public static Object invokeJdbcMethod(Method method, Object target, Object... args) throws SQLException {try {return method.invoke(target, args);}catch (IllegalAccessException ex) {handleReflectionException(ex);}catch (InvocationTargetException ex) {if (ex.getTargetException() instanceof SQLException) {throw (SQLException) ex.getTargetException();}handleInvocationTargetException(ex);}throw new IllegalStateException("Should never get here");}/*** Handle the given reflection exception. Should only be called if no* checked exception is expected to be thrown by the target method.* <p>Throws the underlying RuntimeException or Error in case of an* InvocationTargetException with such a root cause. Throws an* IllegalStateException with an appropriate message else.* @param ex the reflection exception to handle*/public static void handleReflectionException(Exception ex) {if (ex instanceof NoSuchMethodException) {throw new IllegalStateException("Method not found: " + ex.getMessage());}if (ex instanceof IllegalAccessException) {throw new IllegalStateException("Could not access method: " + ex.getMessage());}if (ex instanceof InvocationTargetException) {handleInvocationTargetException((InvocationTargetException) ex);}if (ex instanceof RuntimeException) {throw (RuntimeException) ex;}throw new UndeclaredThrowableException(ex);}/*** Handle the given invocation target exception. Should only be called if no* checked exception is expected to be thrown by the target method.* <p>Throws the underlying RuntimeException or Error in case of such a root* cause. Throws an IllegalStateException else.* @param ex the invocation target exception to handle*/public static void handleInvocationTargetException(InvocationTargetException ex) {rethrowRuntimeException(ex.getTargetException());}/*** Rethrow the given {@link Throwable exception}, which is presumably the* <em>target exception</em> of an {@link InvocationTargetException}. Should* only be called if no checked exception is expected to be thrown by the* target method.* <p>Rethrows the underlying exception cast to an {@link RuntimeException} or* {@link Error} if appropriate; otherwise, throws an* {@link IllegalStateException}.* @param ex the exception to rethrow* @throws RuntimeException the rethrown exception*/public static void rethrowRuntimeException(Throwable ex) {if (ex instanceof RuntimeException) {throw (RuntimeException) ex;}if (ex instanceof Error) {throw (Error) ex;}throw new UndeclaredThrowableException(ex);}/*** Rethrow the given {@link Throwable exception}, which is presumably the* <em>target exception</em> of an {@link InvocationTargetException}. Should* only be called if no checked exception is expected to be thrown by the* target method.* <p>Rethrows the underlying exception cast to an {@link Exception} or* {@link Error} if appropriate; otherwise, throws an* {@link IllegalStateException}.* @param ex the exception to rethrow* @throws Exception the rethrown exception (in case of a checked exception)*/public static void rethrowException(Throwable ex) throws Exception {if (ex instanceof Exception) {throw (Exception) ex;}if (ex instanceof Error) {throw (Error) ex;}throw new UndeclaredThrowableException(ex);}/*** Determine whether the given method explicitly declares the given* exception or one of its superclasses, which means that an exception of* that type can be propagated as-is within a reflective invocation.* @param method the declaring method* @param exceptionType the exception to throw* @return {@code true} if the exception can be thrown as-is;* {@code false} if it needs to be wrapped*/public static boolean declaresException(Method method, Class<?> exceptionType) {//Assert.notNull(method, "Method must not be null");Class<?>[] declaredExceptions = method.getExceptionTypes();for (Class<?> declaredException : declaredExceptions) {if (declaredException.isAssignableFrom(exceptionType)) {return true;}}return false;}/*** Determine whether the given field is a "public static final" constant.* @param field the field to check*/public static boolean isPublicStaticFinal(Field field) {int modifiers = field.getModifiers();return (Modifier.isPublic(modifiers) && Modifier.isStatic(modifiers) && Modifier.isFinal(modifiers));}/*** Determine whether the given method is an "equals" method.* @see Object#equals(Object)*/public static boolean isEqualsMethod(Method method) {if (method == null || !method.getName().equals("equals")) {return false;}Class<?>[] paramTypes = method.getParameterTypes();return (paramTypes.length == 1 && paramTypes[0] == Object.class);}/*** Determine whether the given method is a "hashCode" method.* @see Object#hashCode()*/public static boolean isHashCodeMethod(Method method) {return (method != null && method.getName().equals("hashCode") && method.getParameterTypes().length == 0);}/*** Determine whether the given method is a "toString" method.* @see Object#toString()*/public static boolean isToStringMethod(Method method) {return (method != null && method.getName().equals("toString") && method.getParameterTypes().length == 0);}/*** Determine whether the given method is originally declared by {@link Object}.*/public static boolean isObjectMethod(Method method) {if (method == null) {return false;}try {Object.class.getDeclaredMethod(method.getName(), method.getParameterTypes());return true;}catch (Exception ex) {return false;}}/*** Determine whether the given method is a CGLIB 'renamed' method,* following the pattern "CGLIB$methodName$0".* @param renamedMethod the method to check* @see //org.springframework.cglib.proxy.Enhancer#rename*/public static boolean isCglibRenamedMethod(Method renamedMethod) {return CGLIB_RENAMED_METHOD_PATTERN.matcher(renamedMethod.getName()).matches();}/*** Make the given field accessible, explicitly setting it accessible if* necessary. The {@code setAccessible(true)} method is only called* when actually necessary, to avoid unnecessary conflicts with a JVM* SecurityManager (if active).* @param field the field to make accessible* @see Field#setAccessible*/public static void makeAccessible(Field field) {if ((!Modifier.isPublic(field.getModifiers()) || !Modifier.isPublic(field.getDeclaringClass().getModifiers()) ||Modifier.isFinal(field.getModifiers())) && !field.isAccessible()) {field.setAccessible(true);}}/*** Make the given method accessible, explicitly setting it accessible if* necessary. The {@code setAccessible(true)} method is only called* when actually necessary, to avoid unnecessary conflicts with a JVM* SecurityManager (if active).* @param method the method to make accessible* @see Method#setAccessible*/public static void makeAccessible(Method method) {if ((!Modifier.isPublic(method.getModifiers()) || !Modifier.isPublic(method.getDeclaringClass().getModifiers()))&& !method.isAccessible()) {method.setAccessible(true);}}/*** Make the given constructor accessible, explicitly setting it accessible* if necessary. The {@code setAccessible(true)} method is only called* when actually necessary, to avoid unnecessary conflicts with a JVM* SecurityManager (if active).* @param ctor the constructor to make accessible* @see Constructor#setAccessible*/public static void makeAccessible(Constructor<?> ctor) {if ((!Modifier.isPublic(ctor.getModifiers()) || !Modifier.isPublic(ctor.getDeclaringClass().getModifiers()))&& !ctor.isAccessible()) {ctor.setAccessible(true);}}/*** Perform the given callback operation on all matching methods of the given* class and superclasses.* <p>The same named method occurring on subclass and superclass will appear* twice, unless excluded by a {@link MethodFilter}.* @param clazz class to start looking at* @param mc the callback to invoke for each method* @see #doWithMethods(Class, MethodCallback, MethodFilter)*/public static void doWithMethods(Class<?> clazz, MethodCallback mc) throws IllegalArgumentException {doWithMethods(clazz, mc, null);}/*** Perform the given callback operation on all matching methods of the given* class and superclasses (or given interface and super-interfaces).* <p>The same named method occurring on subclass and superclass will appear* twice, unless excluded by the specified {@link MethodFilter}.* @param clazz class to start looking at* @param mc the callback to invoke for each method* @param mf the filter that determines the methods to apply the callback to*/public static void doWithMethods(Class<?> clazz, MethodCallback mc, MethodFilter mf)throws IllegalArgumentException {// Keep backing up the inheritance hierarchy.Method[] methods = clazz.getDeclaredMethods();for (Method method : methods) {if (mf != null && !mf.matches(method)) {continue;}try {mc.doWith(method);}catch (IllegalAccessException ex) {throw new IllegalStateException("Shouldn't be illegal to access method '" + method.getName()+ "': " + ex);}}if (clazz.getSuperclass() != null) {doWithMethods(clazz.getSuperclass(), mc, mf);}else if (clazz.isInterface()) {for (Class<?> superIfc : clazz.getInterfaces()) {doWithMethods(superIfc, mc, mf);}}}/*** Get all declared methods on the leaf class and all superclasses. Leaf* class methods are included first.*/public static Method[] getAllDeclaredMethods(Class<?> leafClass) throws IllegalArgumentException {final List<Method> methods = new ArrayList<Method>(32);doWithMethods(leafClass, new MethodCallback() {public void doWith(Method method) {methods.add(method);}});return methods.toArray(new Method[methods.size()]);}/*** Get the unique set of declared methods on the leaf class and all superclasses. Leaf* class methods are included first and while traversing the superclass hierarchy any methods found* with signatures matching a method already included are filtered out.*/public static Method[] getUniqueDeclaredMethods(Class<?> leafClass) throws IllegalArgumentException {final List<Method> methods = new ArrayList<Method>(32);doWithMethods(leafClass, new MethodCallback() {public void doWith(Method method) {boolean knownSignature = false;Method methodBeingOverriddenWithCovariantReturnType = null;for (Method existingMethod : methods) {if (method.getName().equals(existingMethod.getName()) &&Arrays.equals(method.getParameterTypes(), existingMethod.getParameterTypes())) {// Is this a covariant return type situation?if (existingMethod.getReturnType() != method.getReturnType() &&existingMethod.getReturnType().isAssignableFrom(method.getReturnType())) {methodBeingOverriddenWithCovariantReturnType = existingMethod;}else {knownSignature = true;}break;}}if (methodBeingOverriddenWithCovariantReturnType != null) {methods.remove(methodBeingOverriddenWithCovariantReturnType);}if (!knownSignature && !isCglibRenamedMethod(method)) {methods.add(method);}}});return methods.toArray(new Method[methods.size()]);}/*** Invoke the given callback on all fields in the target class, going up the* class hierarchy to get all declared fields.* @param clazz the target class to analyze* @param fc the callback to invoke for each field*/public static void doWithFields(Class<?> clazz, FieldCallback fc) throws IllegalArgumentException {doWithFields(clazz, fc, null);}/*** Invoke the given callback on all fields in the target class, going up the* class hierarchy to get all declared fields.* @param clazz the target class to analyze* @param fc the callback to invoke for each field* @param ff the filter that determines the fields to apply the callback to*/public static void doWithFields(Class<?> clazz, FieldCallback fc, FieldFilter ff)throws IllegalArgumentException {// Keep backing up the inheritance hierarchy.Class<?> targetClass = clazz;do {Field[] fields = targetClass.getDeclaredFields();for (Field field : fields) {// Skip static and final fields.if (ff != null && !ff.matches(field)) {continue;}try {fc.doWith(field);}catch (IllegalAccessException ex) {throw new IllegalStateException("Shouldn't be illegal to access field '" + field.getName() + "': " + ex);}}targetClass = targetClass.getSuperclass();}while (targetClass != null && targetClass != Object.class);}/*** Given the source object and the destination, which must be the same class* or a subclass, copy all fields, including inherited fields. Designed to* work on objects with public no-arg constructors.* @throws IllegalArgumentException if the arguments are incompatible*/public static void shallowCopyFieldState(final Object src, final Object dest) throws IllegalArgumentException {if (src == null) {throw new IllegalArgumentException("Source for field copy cannot be null");}if (dest == null) {throw new IllegalArgumentException("Destination for field copy cannot be null");}if (!src.getClass().isAssignableFrom(dest.getClass())) {throw new IllegalArgumentException("Destination class [" + dest.getClass().getName()+ "] must be same or subclass as source class [" + src.getClass().getName() + "]");}doWithFields(src.getClass(), new FieldCallback() {public void doWith(Field field) throws IllegalArgumentException, IllegalAccessException {makeAccessible(field);Object srcValue = field.get(src);field.set(dest, srcValue);}}, COPYABLE_FIELDS);}/*** Action to take on each method.*/public interface MethodCallback {/*** Perform an operation using the given method.* @param method the method to operate on*/void doWith(Method method) throws IllegalArgumentException, IllegalAccessException;}/*** Callback optionally used to filter methods to be operated on by a method callback.*/public interface MethodFilter {/*** Determine whether the given method matches.* @param method the method to check*/boolean matches(Method method);}/*** Callback interface invoked on each field in the hierarchy.*/public interface FieldCallback {/*** Perform an operation using the given field.* @param field the field to operate on*/void doWith(Field field) throws IllegalArgumentException, IllegalAccessException;}/*** Callback optionally used to filter fields to be operated on by a field callback.*/public interface FieldFilter {/*** Determine whether the given field matches.* @param field the field to check*/boolean matches(Field field);}/*** Pre-built FieldFilter that matches all non-static, non-final fields.*/public static FieldFilter COPYABLE_FIELDS = new FieldFilter() {public boolean matches(Field field) {return !(Modifier.isStatic(field.getModifiers()) || Modifier.isFinal(field.getModifiers()));}};/*** Pre-built MethodFilter that matches all non-bridge methods.*/public static MethodFilter NON_BRIDGED_METHODS = new MethodFilter() {public boolean matches(Method method) {return !method.isBridge();}};/*** Pre-built MethodFilter that matches all non-bridge methods* which are not declared on {@code java.lang.Object}.*/public static MethodFilter USER_DECLARED_METHODS = new MethodFilter() {public boolean matches(Method method) {return (!method.isBridge() && method.getDeclaringClass() != Object.class);}};
}

ReflectionHelper

ReflectionHelper 是 google.gson 提供的一个类，有需要的话可以引入 gson 依赖，不确定copy后是否可直接使用（如果有包内关联类的话，最好是引入依赖）

package com.google.gson.internal.reflect;import com.google.gson.JsonIOException;
import com.google.gson.internal.GsonBuildConfig;
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;public class ReflectionHelper {private static final RecordHelper RECORD_HELPER;static {RecordHelper instance;try {// Try to construct the RecordSupportedHelper, if this fails, records are not supported on this JVM.instance = new RecordSupportedHelper();} catch (NoSuchMethodException e) {instance = new RecordNotSupportedHelper();}RECORD_HELPER = instance;}private ReflectionHelper() {}/*** Internal implementation of making an {@link AccessibleObject} accessible.** @param object the object that {@link AccessibleObject#setAccessible(boolean)} should be called on.* @throws JsonIOException if making the object accessible fails*/public static void makeAccessible(AccessibleObject object) throws JsonIOException {try {object.setAccessible(true);} catch (Exception exception) {String description = getAccessibleObjectDescription(object, false);throw new JsonIOException("Failed making " + description + " accessible; either increase its visibility"+ " or write a custom TypeAdapter for its declaring type.", exception);}}/*** Returns a short string describing the {@link AccessibleObject} in a human-readable way.* The result is normally shorter than {@link AccessibleObject#toString()} because it omits* modifiers (e.g. {@code final}) and uses simple names for constructor and method parameter* types.** @param object object to describe* @param uppercaseFirstLetter whether the first letter of the description should be uppercased*/public static String getAccessibleObjectDescription(AccessibleObject object, boolean uppercaseFirstLetter) {String description;if (object instanceof Field) {description = "field '" + fieldToString((Field) object) + "'";} else if (object instanceof Method) {Method method = (Method) object;StringBuilder methodSignatureBuilder = new StringBuilder(method.getName());appendExecutableParameters(method, methodSignatureBuilder);String methodSignature = methodSignatureBuilder.toString();description = "method '" + method.getDeclaringClass().getName() + "#" + methodSignature + "'";} else if (object instanceof Constructor) {description = "constructor '" + constructorToString((Constructor<?>) object) + "'";} else {description = "<unknown AccessibleObject> " + object.toString();}if (uppercaseFirstLetter && Character.isLowerCase(description.charAt(0))) {description = Character.toUpperCase(description.charAt(0)) + description.substring(1);}return description;}/*** Creates a string representation for a field, omitting modifiers and* the field type.*/public static String fieldToString(Field field) {return field.getDeclaringClass().getName() + "#" + field.getName();}/*** Creates a string representation for a constructor.* E.g.: {@code java.lang.String(char[], int, int)}*/public static String constructorToString(Constructor<?> constructor) {StringBuilder stringBuilder = new StringBuilder(constructor.getDeclaringClass().getName());appendExecutableParameters(constructor, stringBuilder);return stringBuilder.toString();}// Note: Ideally parameter type would be java.lang.reflect.Executable, but that was added in Java 8private static void appendExecutableParameters(AccessibleObject executable, StringBuilder stringBuilder) {stringBuilder.append('(');Class<?>[] parameters = (executable instanceof Method)? ((Method) executable).getParameterTypes(): ((Constructor<?>) executable).getParameterTypes();for (int i = 0; i < parameters.length; i++) {if (i > 0) {stringBuilder.append(", ");}stringBuilder.append(parameters[i].getSimpleName());}stringBuilder.append(')');}/*** Tries making the constructor accessible, returning an exception message* if this fails.** @param constructor constructor to make accessible* @return exception message; {@code null} if successful, non-{@code null} if*    unsuccessful*/public static String tryMakeAccessible(Constructor<?> constructor) {try {constructor.setAccessible(true);return null;} catch (Exception exception) {return "Failed making constructor '" + constructorToString(constructor) + "' accessible;"+ " either increase its visibility or write a custom InstanceCreator or TypeAdapter for"// Include the message since it might contain more detailed information+ " its declaring type: " + exception.getMessage();}}/** If records are supported on the JVM, this is equivalent to a call to Class.isRecord() */public static boolean isRecord(Class<?> raw) {return RECORD_HELPER.isRecord(raw);}public static String[] getRecordComponentNames(Class<?> raw) {return RECORD_HELPER.getRecordComponentNames(raw);}/** Looks up the record accessor method that corresponds to the given record field */public static Method getAccessor(Class<?> raw, Field field) {return RECORD_HELPER.getAccessor(raw, field);}public static <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {return RECORD_HELPER.getCanonicalRecordConstructor(raw);}public static RuntimeException createExceptionForUnexpectedIllegalAccess(IllegalAccessException exception) {throw new RuntimeException("Unexpected IllegalAccessException occurred (Gson " + GsonBuildConfig.VERSION + ")."+ " Certain ReflectionAccessFilter features require Java >= 9 to work correctly. If you are not using"+ " ReflectionAccessFilter, report this to the Gson maintainers.",exception);}private static RuntimeException createExceptionForRecordReflectionException(ReflectiveOperationException exception) {throw new RuntimeException("Unexpected ReflectiveOperationException occurred"+ " (Gson " + GsonBuildConfig.VERSION + ")."+ " To support Java records, reflection is utilized to read out information"+ " about records. All these invocations happens after it is established"+ " that records exist in the JVM. This exception is unexpected behavior.",exception);}/*** Internal abstraction over reflection when Records are supported.*/private abstract static class RecordHelper {abstract boolean isRecord(Class<?> clazz);abstract String[] getRecordComponentNames(Class<?> clazz);abstract <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw);public abstract Method getAccessor(Class<?> raw, Field field);}private static class RecordSupportedHelper extends RecordHelper {private final Method isRecord;private final Method getRecordComponents;private final Method getName;private final Method getType;private RecordSupportedHelper() throws NoSuchMethodException {isRecord = Class.class.getMethod("isRecord");getRecordComponents = Class.class.getMethod("getRecordComponents");// Class java.lang.reflect.RecordComponentClass<?> classRecordComponent = getRecordComponents.getReturnType().getComponentType();getName = classRecordComponent.getMethod("getName");getType = classRecordComponent.getMethod("getType");}@Overrideboolean isRecord(Class<?> raw) {try {return (boolean) isRecord.invoke(raw);} catch (ReflectiveOperationException e) {throw createExceptionForRecordReflectionException(e);}}@OverrideString[] getRecordComponentNames(Class<?> raw) {try {Object[] recordComponents = (Object[]) getRecordComponents.invoke(raw);String[] componentNames = new String[recordComponents.length];for (int i = 0; i < recordComponents.length; i++) {componentNames[i] = (String) getName.invoke(recordComponents[i]);}return componentNames;} catch (ReflectiveOperationException e) {throw createExceptionForRecordReflectionException(e);}}@Overridepublic <T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {try {Object[] recordComponents = (Object[]) getRecordComponents.invoke(raw);Class<?>[] recordComponentTypes = new Class<?>[recordComponents.length];for (int i = 0; i < recordComponents.length; i++) {recordComponentTypes[i] = (Class<?>) getType.invoke(recordComponents[i]);}// Uses getDeclaredConstructor because implicit constructor has same visibility as record and might// therefore not be publicreturn raw.getDeclaredConstructor(recordComponentTypes);} catch (ReflectiveOperationException e) {throw createExceptionForRecordReflectionException(e);}}@Overridepublic Method getAccessor(Class<?> raw, Field field) {try {// Records consists of record components, each with a unique name, a corresponding field and accessor method// with the same name. Ref.: https://docs.oracle.com/javase/specs/jls/se17/html/jls-8.html#jls-8.10.3return raw.getMethod(field.getName());} catch (ReflectiveOperationException e) {throw createExceptionForRecordReflectionException(e);}}}/*** Instance used when records are not supported*/private static class RecordNotSupportedHelper extends RecordHelper {@Overrideboolean isRecord(Class<?> clazz) {return false;}@OverrideString[] getRecordComponentNames(Class<?> clazz) {throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}@Override<T> Constructor<T> getCanonicalRecordConstructor(Class<T> raw) {throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}@Overridepublic Method getAccessor(Class<?> raw, Field field) {throw new UnsupportedOperationException("Records are not supported on this JVM, this method should not be called");}}
}