Posted on 01/29/2013 7:04:53 AM PST by ShadowAce
I believe that allowing the use of reflection in Java was an unwise decision. It gives programmers tremendous power, but these classes and methods are much too dangerous in the hands of malicious programmers. At the very least, I would disable the reflection classes and methods in an applet context.
I no longer program for a living—can you explain what a reflection class is? I think I know, based on the name alone, but would appreciate an explanation.
A little cut’n’paste:
Uses of Reflection
Reflection is commonly used by programs which require the ability to examine or modify the runtime behavior of applications running in the Java virtual machine. This is a relatively advanced feature and should be used only by developers who have a strong grasp of the fundamentals of the language. With that caveat in mind, reflection is a powerful technique and can enable applications to perform operations which would otherwise be impossible.
Extensibility Features
An application may make use of external, user-defined classes by creating instances of extensibility objects using their fully-qualified names.
Class Browsers and Visual Development Environments
A class browser needs to be able to enumerate the members of classes. Visual development environments can benefit from making use of type information available in reflection to aid the developer in writing correct code.
Debuggers and Test Tools
Debuggers need to be able to examine private members on classes. Test harnesses can make use of reflection to systematically call a discoverable set of APIs defined on a class, to ensure a high level of code coverage in a test suite.
Drawbacks of Reflection
Reflection is powerful, but should not be used indiscriminately. If it is possible to perform an operation without using reflection, then it is preferable to avoid using it. The following concerns should be kept in mind when accessing code via reflection.
Performance Overhead
Because reflection involves types that are dynamically resolved, certain Java virtual machine optimizations can not be performed. Consequently, reflective operations have slower performance than their non-reflective counterparts, and should be avoided in sections of code which are called frequently in performance-sensitive applications.
Security Restrictions
Reflection requires a runtime permission which may not be present when running under a security manager. This is an important consideration for code which has to run in a restricted security context, such as in an Applet.
Exposure of Internals
Since reflection allows code to perform operations that would be illegal in non-reflective code, such as accessing private fields and methods, the use of reflection can result in unexpected side-effects, which may render code dysfunctional and may destroy portability. Reflective code breaks abstractions and therefore may change behavior with upgrades of the platform.
Take a desk you want to work on and clear what you need to do that work
If you learn you need more space after doing what you've done so far, you take that phase of the project off the desk (clearing the space again), go to the shelf you need to get the materials you need to perform phase two and sit down to work on a clear desk.
THAT works for me (if it's correct)
Can you simplify what you just said for us non-techies?
Basically, reflection allows self-modifying code.
All these security exploits have used reflection in sneaky ways to get access to classes and data they’re not supposed to have access to.
I work a lot with server-side Java, but there is NO WAY I would advocate using Java in the browser.
Yes, and I hope they do it soon. I am tired of Retina crapping all over it.
We use it internally here. We use HP servers with ILO licensed, and we access the ILO with JVM or .NET.
But ... what is reflection?
Perhaps an analogy will help.
***
Scenario: Pointy-Headed Boss (PHB) says to Dilbert: “I need an employee to do ImpossibleTask. And no, you may not hire a new employee from outside.” Dilbert frantically searches the list of employees that he manages for one with the capability of handling ImpossibleTask, and tells that employee to perform ImpossibleTask on PHB’s behalf.
***
Dilbert is the “reflection class” for PHB in this scenario. He can “see into” the capabilities of the employees that he manages and “reflect” those capabilities back to PHB.
PHB doesn’t (have to) know (or care) which employee actually performs ImpossibleTask, as long as Dilbert finds one that does.
In sum, a “reflection” class has the capability of inspecting the attributes (data) and behaviors (actions) of another class and providing that information to another class that requests it.
This is such a “Duh” headline. If Java is not locked down somehow for internet transmission and use, it will be relegated to the dustbin of history. People are now associating it with big trouble under all circumstances, despite it really having problems only when being downloaded by websites. It is too technical for most people to realize that Java programs that they have been using for years and are resident on their computers are not affected by the malware exploits.
Here is the problem with reflection:
field.setAccessible(true);
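What the `setAccessible(true)` call in the post above changes, and the two runtime checks that can refuse it, shown as an added example that is not part of the thread. The class names `Account` and `SetAccessibleDemo` are constructed for illustration, and the behaviour in step 3 assumes Java 17 or later started without `--add-opens`.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;

public class SetAccessibleDemo {
    // Ask the runtime to drop access checks on one field and report the outcome.
    static String open(Field f) {
        try {
            f.setAccessible(true); // the call quoted in the post above
            return "opened";
        } catch (InaccessibleObjectException e) {
            return "refused by module encapsulation";
        } catch (SecurityException e) {
            return "refused by security manager (no suppressAccessChecks permission)";
        }
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account();
        Field balance = Account.class.getDeclaredField("balance");

        // 1. Plain reflection still honours 'private'.
        try {
            balance.setLong(acct, 1_000_000L);
        } catch (IllegalAccessException e) {
            System.out.println("without setAccessible: " + e.getClass().getSimpleName());
        }

        // 2. Once the field is opened, the same write goes through.
        String result = open(balance);
        System.out.println("Account.balance: " + result);
        if (result.equals("opened")) {
            balance.setLong(acct, 1_000_000L);
            System.out.println("balance is now " + acct.balance());
        }

        // 3. A JDK-internal field: the module system refuses unless the
        //    JVM was started with a matching --add-opens.
        Field value = String.class.getDeclaredField("value");
        System.out.println("String.value: " + open(value));
    }
}

// Constructed sample class: callers are meant to change the balance only
// through methods the class chooses to expose.
class Account {
    private long balance = 100;
    long balance() { return balance; }
}
```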
Top management never wants to admit it’s wrong.
Besides, I don’t like Larry Ellison.
C# also uses Reflection.
So ... an outsider (hacker) can be called by Dilbert or the hacker IS Dilbert?