private too secure?!?

Joel A. Shapiro (joel@dragon.Princeton.EDU)
Mon, 12 Jan 1998 13:01:21 -0500

Date: 	Mon, 12 Jan 1998 13:01:21 -0500
From: "Joel A. Shapiro" <joel@dragon.Princeton.EDU>
To: java-security@web2.javasoft.com, joel@dragon.Princeton.EDU
Subject: private too secure?!?

I have a comment about Java security. I'm an avid Java programmer and
would like to build a feature into my code that allows automatic tracing
of object states. This would entail printing the values of all fields of
an object. For instance, one could do

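    public class A {

        private int intField;
        private String stringField;

        public int getIntField() {
            return (intField);
        }

    }

    import java.lang.reflect.Field;

    public class Tracer {

        // Print the name and value of every field declared by the object's class.
        // Field.get declares the checked IllegalAccessException, so it is propagated.
        public void trace(Object object) throws IllegalAccessException {
            Class objectClass = object.getClass();
            Field[] objectFields = objectClass.getDeclaredFields();
            System.out.println("class " + objectClass.getName());
            for (int i = 0; i < objectFields.length; i++) {
                // This read is the call that fails for private fields.
                System.out.println("field " + objectFields[i].getName() + " = " +
                                   objectFields[i].get(object));
            }
        }

    }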

The problem is that the "objectFields[i].get" throws a SecurityException
for a private field like "stringField". I can get around this for
fields like "intField" by invoking their accessors automatically using
java.lang.Method, but I want to dump the *entire* state of the object,
not just those fields accessible by accessors.

My point is that perhaps the private accessibility modifier is too
strict. I can see wanting to protect sensitive information like
passwords and financial data, especially in serialized objects, but most
of the time private is used so that client code must access data through
"get" functions. Any suggestions?

Sincerely,

Joel A. Shapiro
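
Added example, not part of the original message: one way to dump every declared field, private ones included, using `Field.setAccessible` (added to the reflection API in Java 1.2) while redacting credential-like fields, the case the message singles out as worth protecting. `StateTracer`, `Account`, `isSensitive` and the name-based redaction rule are assumptions made for illustration.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

// Added example: class names, sample fields and the redaction rule are hypothetical.
public class StateTracer {

    // Constructed sample class standing in for class A from the message.
    static class Account {
        private int intField = 42;
        private String stringField = "hello";
        private String password = "constructed-sample-value";
    }

    // Assumed policy: never print fields whose names suggest a credential.
    static boolean isSensitive(Field f) {
        String n = f.getName().toLowerCase();
        return n.contains("password") || n.contains("secret");
    }

    static String trace(Object object) {
        StringBuilder out = new StringBuilder();
        // Walk the hierarchy: getDeclaredFields() omits inherited fields.
        for (Class<?> c = object.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            out.append("class ").append(c.getName()).append('\n');
            for (Field f : c.getDeclaredFields()) {
                if (Modifier.isStatic(f.getModifiers())) continue; // not object state
                out.append("field ").append(f.getName()).append(" = ")
                   .append(read(f, object)).append('\n');
            }
        }
        return out.toString();
    }

    static String read(Field f, Object target) {
        if (isSensitive(f)) return "<redacted>";
        try {
            // Suppresses the language access check for this Field object only.
            // A security manager or module boundary may refuse the request.
            f.setAccessible(true);
            return String.valueOf(f.get(target));
        } catch (IllegalAccessException | RuntimeException e) {
            // Report the denial and keep tracing the remaining fields.
            return "<inaccessible: " + e.getClass().getSimpleName() + ">";
        }
    }

    public static void main(String[] args) {
        System.out.print(trace(new Account()));
    }
}
```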