> On 2021. Feb 21., at 21:57, Remi Forax <fo...@univ-mlv.fr> wrote: > > ----- Mail original ----- >> De: "Attila Szegedi" <szege...@gmail.com> >> À: "core-libs-dev" <core-libs-dev@openjdk.java.net> >> Envoyé: Dimanche 21 Février 2021 21:14:48 >> Objet: Class.getRecordComponents security checks > >> Hey folks, >> >> Why are security checks for Class.getRecordComponents as strict as those for >> e.g. getDeclaredMethods? I would’ve expected they’d be as strict as those for >> e.g. getMethods. Specifically, the difference is the: >> >>> “the caller's class loader is not the same as the class loader of this >>> class and >>> invocation of s.checkPermission method with >>> RuntimePermission("accessDeclaredMembers") denies access to the declared >>> methods within this class” > > Good question, getRecordComponents() list the record components not the > record accessors, > while each record component has a corresponding accessor method, the reverse > is not true. > > so here, what you are asking is more like asking fields than methods, so it's > more like getDeclaredFields() than getMethods(), > hence the runtime check if there is a SecurityManager enabled.
But the whole point is that accessors are methods, and not fields, I thought. And even if it were so, we have a distinction between getFields and getDeclaredFields. There’s no separation of getRecordComponents vs. hypothetical getDeclaredRecordComponents. I’m convinced I don’t understand this issue completely, and I remain confused. I appreciate you trying to clear it up, the problem of continued failure to understand is most likely inside my head :-) > >> >> step. Aren’t record accessors supposed to be public? > > yes, at least for the code generated by javac, accessors are always public > (the class itself may be non public, and the package may not be exported). Right, but for non-record classes you could also invoke e.g. getMethods() on it. Attila.