Field 1 Reflection

| 16-04-2021
[RAND-1-100] Comments



Field 1 Reflection

by Hector Fernando Burga

Prevent reflection. Reflection is a very powerful feature and a lot of Java frameworks use it. However, an 'evil' code can also use it to break the security of your application and access and modify any field and a lot more things (invoke any methods, list all class content, etc). Field Experience #1 REFLECTION FORM 1.What strategies did the observed teacher use consistently to maintain polite and respectful interactions? 2.Which instructional activities communicated the teacher’s high expectations for learning and behavior? 3.What ideas and strategies can you take with you to use in your classroom?


I think to myself… as countless hours of interviews and site observations render the un-recognizable profile of an otherwise familiar term. I know what defines community, I can look it up in the dictionary, I can find it in the urban studies literature… I think with resignation and a hint of self-reflection.
Yet in the process of carrying out ethnographic fieldwork in the City, I encounter unexpected meanings of an otherwise familiar category; the disruptions and re-assemblages of an otherwise stable term.
Reader, you may find this observation obvious. After all, those of us who are privileged enough to engage the field, do it in order to test assumptions. One of the values of fieldwork is the re-evaluation of well defined categorizations. This is the fun part. The city is a laboratory. One finds and analyzes the evidence against expectations. But in the process of engaging the schizophrenia of the City; its sites, oral histories, detritus and visionary master-plans, “community” marks pitfalls and confusing traces. The city is not a laboratory; rather it’s a crime scene.
When entering the field, “community” can be imagined in the abstract. It is a packaged key word, an exercise of historical genealogy, a theory. The trace of this abstraction is found in different bodies of literature about the City. It may offer the researcher false clues by presenting a road map for her/his inquiry, a magnifying lens to register the unknown. One arrives assuming who is the culprit.
But the process of collecting evidence tells me there is a more subtle process taking place. Beyond its normative definition as a set of relationships between two or more individuals bound by shared values, this term is used in different realms and practices which shape the imagination of the City.
“Community” has an operative value. From economic development to urban design, from social grassroots activism to political causes, the term enables not only practitioners to carry out their work but also residents, planners and academics to imagine and re-imagine cities. This use establishes intersections, contradictions and most importantly useful interrogations.
One may encounter a social justice activist claiming the city as a site of collective rights for a community of workers. Simultaneously, in the same location a profit-driven developer may proclaim the value of mixed-use residences in building community. Urban designers and architects may argue for public space as fundamental community need. Historic preservationists may argue for the designation of a structure in the name of community identity. An economic development specialist may argue for jobs to save the community. A Local resident may complain about lack of services in her/his community.
These intersections are just the beginning. The term becomes even more complicated in cities where flows of capital, immigration, and ideas mark intense social transformation. In a global city, a resident may be part of several communities at once; acting locally and trans-nationally. How do planners and other professionals shaping the City address the re-assemblage of this term in a context like the Global City?
In the planner’s toolkit of the American metropolis, “community” conjures up Main Street, mom and pop shops, direct democracy, five minute walks and collective gardens. An imagination of locality trumps the perceived dangers of an imagination of conflict and dislocation. Difference is managed in degrees of assimilation to an ideal place. The physical manifestation of this logic is the ethnic enclave.
At this point, the negative effects of the use of this term may become evident. Yes, the practice of the use of “community” unites but it also excludes and divides. The term has the potential of dividing residents into insiders and outsiders. It may establish degrees of association and legitimacy to claims. It generates a hierarchy of belonging which registers social life through strata of class, race and ethnicity and lifestyle.
How then, can I analyze this term through my collected evidences; a set of discordant and conflicting voices, actors on a crime scene with enigmatic scripts and yet-to-be-determined roles?
How do I define community?
Credits: Image from Hector Fernando Burga.


License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.

I. Reflection and Java security

For most Java developers, Java security comes from the use of keywords such as 'private, protected, or final'.
For example a field declared :
private static String state;
The field called 'state' is a class variable, with the given keywords, it should only be accessible by other instance objects of the same class.

Another example :
private final String name='MyClass';

In this example the field 'name' can only be accessed by another code in the same object, and it has the 'final' keyword so it cannot be modified once it is set (a real Java constant has both the keywords 'static' and 'final').

These examples shows that Java data access security is guaranteed by the language keywords, however this statement is not true because of Java 'reflection'.
Reflection is a Java feature that allows a code to examine itself dynamically and modify its references and properties at runtime.
Reflection is a direct part of the Java language. The reflection package is java.lang.reflect. This package provides objects that can be used to list any fields inside a class, invoke any class methods or access and modify any fields, and when I say any I mean all of them, even private ones.

II. Use reflection to modify any class/object field.

Field 1 Reflections

II.1 Our scope

The java.lang.reflect classes allows you do do a lot more things than just access to class fields. This is just a little part of the enormous possibilities of reflection, the goal here is to show that reflection can 'break' classic keyword security.
The only include that is needed for this article codes is :

II.2 Access and modify any class variables

A class variable is a variable that is common to all instances of this class, it is defined with the 'static' keyword.
The code below can be used to access any class variable :

Field 1 Reflection 1

In this code, the essential line is 'field.setAccessible(true);'. The setAccessible() method disables usual languages security checks and allows the field to be accessed from any other class.
Note also the getDeclaredField() method that is really useful and allows you to access via reflection to a Field object representing any field that is declared inside a Class.
We saw we could grab any field value, but can we also modify them? the answer is yes. For that you can use the next code :

Field 1 Reflection Meaning

Here, the Field.get() method is used to grab the object contained in the field. The set() method overrides this object with another Object (newValue) we passed in parameters.

II.3 Access and modify any instance variables

In the previous section we saw that we could access and modify any static field. We can do the same thing for non-static fields that is, instance variables. The example codes works basically like the previous ones except that instead of manipulating a Class, we are going to manipulate an Object, instance of the Class.

III. Prevent reflection

Field 1 Reflection 1

Reflection is a very powerful feature and a lot of Java frameworks use it. However, an 'evil' code can also use it to break the security of your application and access and modify any field and a lot more things (invoke any methods, list all class content, etc).
The only way to prevent reflection is to use a securitymanager. By default code using reflection needs particular security permissions.
In our example, both the getDeclaredField() method and the setAccessible() method contain an inner security check that will throw a SecurityException if called by a code that is not authorized by the securitymanager.
If you want to look at some example of securitymanager that authorizes reflection for particular jars you should read the article : Spring and Hibernate Tomcat security manager.

IV. Example : Disable Java security

The best example to show that reflection is a dangerous feature is to show that all the security mechanisms of Java, relying on the security manager, can be disabled using a single call to the setStaticValue() method previously described in this article.
The entire language security of Java relies on security checks using a static value inside the java.lang.System class.
The usual security checks maid by sensible functions are :

Field 1 Reflection Worksheets

  • Test if a call to System.getSecurityManager() returns null.
  • If returned value is null, the function considers security is deactivated.
  • If the return value is not null, the SecurityManager element returned by the function is used to know what is authorized and what is not.

The System.getSecurityManager() method simply returns the value of a static private variable of the System class, security.
So, that means, disabling Java language security is as simple as setting the security variable to null.

Thats all!

Also in this section

8 January 2011 – Enable securitymanager for Spring and Hibernate

10 November 2010 – Implement hash service using JCE

4 Forum posts

  • How can you possibly disable all security by calling

    setStaticValue('java.lang.System', 'security', null);

    when this method itself uses calls to the reflection api which will be prevented by the SecurityManager ( throw SecurityException) before you manage to set it to null?

    • “show that reflection is a dangerous feature” The point was to explain that if reflection API is enabled, the security of Java can be disabled.
      That is why when enabling Java security you must ensure that you do not allow reflection, especially on modules your are not sure you can trust.

  • how to change the order of the private data variable?

Field Study 1-6 Reflection

Any message or comments?