exposing Java private fields with reflection

Author: ramalho

classes/private/Confidential.class

@@ -0,0 +1,9 @@
+public class Confidential {
+
+	private String secret = "";
+	private String hidden = "burn after reading";
+
+	public Confidential(String text) {
+		this.secret = text;
+	}
+}

classes/private/Confidential.java

@@ -0,0 +1,25 @@
+import java.lang.reflect.Field;
+
+public class Expose {
+
+	public static void main(String[] args) {
+		Confidential message = new Confidential("text you shoudn't see");
+		Field privateField = null;
+		try {
+			privateField = Confidential.class.getDeclaredField("secret");
+		}
+		catch (NoSuchFieldException e) {
+			System.err.println(e);
+			System.exit(1);
+		}
+		privateField.setAccessible(true); // break the lock!
+		try {
+			String wasHidden = (String) privateField.get(message);
+			System.out.println("message.secret = " + wasHidden);
+		}
+		catch (IllegalAccessException e) { 
+			// this will not happen after setAcessible(true)
+			System.err.println(e);
+		}	
+	}
+}

classes/private/Expose.class

@@ -0,0 +1,6 @@
+import Confidential
+
+message = Confidential("text you shoudn't see")
+private_field = Confidential.getDeclaredField('secret')
+private_field.setAccessible(True)  # break the lock!
+print 'message.secret =', private_field.get(message)

classes/private/Expose.java

@@ -0,0 +1,11 @@
+from java.lang.reflect import Modifier
+import Confidential
+
+message = Confidential('never expose this')
+fields = Confidential.getDeclaredFields()
+for field in fields:
+    # list private fields only
+    if Modifier.isPrivate(field.getModifiers()):
+        field.setAccessible(True) # break the lock
+        print 'field:', field
+        print '\t', field.getName(), '=', field.get(message)

classes/private/expose.py

@@ -0,0 +1,12 @@
+# In the Jython registry:
+# python.security.respectJavaAccessibility = false
+# Setting this to false will allow Jython to provide access to
+# non-public fields, methods, and constructors of Java objects.
+
+import Confidential
+
+message = Confidential("text you shoudn't see")
+for name in dir(message):
+    attr = getattr(message, name)
+    if not callable(attr):  # ignore methods
+        print name, '=', attr

classes/private/leakprivate.py

@@ -0,0 +1,25 @@
+import java.lang.reflect.Field;
+
+public class AcessaPrivado {
+
+	public static void main(String[] args) {
+		ObjetoSecreto oSecreto = new ObjetoSecreto("senha super secreta");
+		Field campoPrivado = null;
+		try {
+			campoPrivado = ObjetoSecreto.class.getDeclaredField("escondido");
+		}
+		catch (NoSuchFieldException e) {
+			System.err.println(e);
+			System.exit(1);
+		}
+		campoPrivado.setAccessible(true); // arrombamos a porta
+		try {
+			String tavaEscondido = (String) campoPrivado.get(oSecreto);
+			System.out.println("oSecreto.escondido = " + tavaEscondido);
+		}
+		catch (IllegalAccessException e) { 
+			// esta exceção nao acontece porque fizemos setAcessible(true)
+			System.err.println(e);
+		}	
+	}
+}

classes/private/no_respect.py

@@ -0,0 +1,9 @@
+public class ObjetoSecreto {
+
+	private String escondido = "";
+	private String oculto = "dado ultra secreto";
+
+	public ObjetoSecreto(String texto) {
+		this.escondido = texto;
+	}
+}

classes/private/pt-br/AcessaPrivado.java

@@ -0,0 +1,6 @@
+import ObjetoSecreto
+
+oSecreto = ObjetoSecreto('senha super secreta')
+campoPrivado = ObjetoSecreto.getDeclaredField('escondido')
+campoPrivado.setAccessible(True) # arrombamos a porta
+print 'oSecreto.escondido =', campoPrivado.get(oSecreto)