On Nov 1, 2016, at 9:53 AM, David M. Lloyd <david.ll...@redhat.com> wrote: > > 1. It requires the target class to be initialized > 2. It requires the target class to proactively donate MethodHandles or a > Lookup to the lookup class
Both of these can be overcome, though only by privileged code. The privileged code would forge (uh, "mint") a legitimate Lookup to the not-yet-initialized class. A "Vault" meta-framework doesn't need to inject a Lookup donation statement into anybody's <clinit>. Instead, it needs to do the super-user operation of making a trusted lookup. It must also fulfill the super-user *responsibility* of not leaking such lookups, just using them in a predictable, rule-based manner. — John