Behavior change in new instance creation for non-public interfaces

Java 8 introduces a behavior change for code that uses the Proxy.getProxyClass and the Constructor.newInstance methods to create a proxy instance if the caller is not in the same runtime package as the non-public proxy interface. In Java 7, using these methods creates the proxy class. In Java 8, it fails with an IllegalAccessException.

Because the analyzer cannot always determine the interfaces that are used or their visibility, this rule flags all invocations of Constructor.newInstance(InvocationHandler) except when they are defined as accessible. The rule does not flag invocations of the Constructor.newInstance(InvocationHandler) method that are preceded in the same method with calls to the following methods:

• A Proxy.getProxyClass(ClassLoader, Class...) method that defines the interfaces as accessible-type literals
• A Constructor.setAccessible(true) method

Inspect the flagged code to see if the getProxyClass method is called from other runtime packages and if any of the proxy interfaces are non-public. For example, a package-level interface that does not have the public keyword is non-public.

To create a proxy class in Java 8, use one of the following techniques:

• Call Constructor.setAccessible(true) to set the accessible flag.
• Use the Proxy.newProxyInstance convenience method.

If a security manager is present, both solutions need the ReflectPermission("newProxyInPackage.{package name}") permission to avoid a SecurityException.

The following example shows how you can change the code if the proxyClass method instantiates a non-public interface:

Original code:
Solution 1:
Solution 2:

For additional information, see the Java documentation for the following classes:

• Class java.lang.reflect.Proxy
• Class java.lang.reflect.ReflectPermission
• Class java.lang.reflect.Constructor