问题描述

想象这样的事情：

import class B.*;


interface A supports A.testSum
{
   int sum( int a , int b ) access from B.calculator;

   testSum() { Assert(sum(1,1)==2); }

........


class B ...
{
  void calculator() {  A.sum(3,5); //ok }
  void someOtherMethod() { A.sum(0,3); //compile error }

的支持的思想是次要但有关自测试适用于界面在此情况下（这样的语言会的接口测试，其中所有的实现必须通过和实施测试，这是特定于区分列兵实施

the idea of the "supports" is secondary but relevant since the test applies to the interface in this case (so the language would discriminate between an interface test, which all implementations must pass and a implementation test, which is specific to the implementation privates

但我想在这里传达的重要思想是访问控制语义;注意用关键词，从获得只能从方法B.calculator被称为是A.sum。什么都被检测为一个编译时错误。这里的想法是，以执行在一个更精细的方式架构限制。如果您没有添加，从准入或只是补充说：从*访问这将意味着允许从任何地方调用的方法的默认行为。什么样的建筑限制？好了，做了分层设计时手动强制执行那种：层A（最低级别）从B层（中间层），而这又是从C层（高电平）使用使用。但是，B层是不是从A层访问，C层是不是从没有A或B入店，但它是公共的，否则（可能是什么最终用户将可以直接访问）

but the important idea i want to convey here is the access control semantics; notice that A.sum with "access from" keyword can only be called from the method B.calculator. Anything else is detected as a compile time error. The idea here is to enforce architectural constraints in a more granular way. If you didn't add an "access from" or just added "access from *" it would mean the default behavior of allowing the method to be called from anywhere. What sort of architectural constraints? well, the kind that are manually enforced when doing a layered design: Layer A(lowest level) is used from layer B(intermediate level), which is in turn used from layer C(high level). But layer B is not accessible from layer A, and layer C is not accesible from neither A or B, but it is public otherwise (it might be what the end user will have direct access)

问题：你知道任何语言（包括源到源的中间语言）的支持上面的语义？为讨论如果这种语义的会适得其反，危险或只是鼓励加分不好的设计

question: do you know any language (including source-to-source intermediate languages) that support the above semantics? extra points for discussing if this kind of semantics would be counterproductive, dangerous or just encouraging bad design

更新：还有另外一个非常重要的用例此类限制的：

Update: there is another really important use case for this sort of restriction:

事件驱动编程：通常与事件的问题是，事件倾向于做太多，依赖事件的理解链可能很麻烦

event-driven programming: Usually the problem with event is that events tend to do too much, and the understanding the chain of dependencies for events can get tricky

因此​​，例如，人们可以定义一个事件处理程序仅具有一定组可见类它可以向（或相反，一组特定的不能触及的对象）

so for instance, one could define that a event handler has only certain set of visible classes it can interact to (or conversely, a certain set of objects it cannot touch)

推荐答案

Java支持的东西pretty同样的事情。

Java supports something pretty much the same thing.

首先，字段和方法的可见性在运行时执行，这是不可能的非特权code绕开这一点。

First of all, visibility of fields and methods are enforced at runtime, it is not possible for unprivileged code to bypass this.

您也可以使你自己的特权，并授予code的某些部分。例如，要打开一个文件时，code想要访问该文件的文件需要的FilePermission 。你可以让任何一种你希望虽然许可的，有可能创建一个名为许可 SumPermission 这总结前计算器检查，只授予它到任何你想要的课程。保护域跨越整个班，在班不是个人的方法，因为全班通常是从单一来源获得。其实该模型的深入，你什么建议。堆栈（包括螺纹创作的历史），从而达到安全检查必须具有的权限，这样即使有些不可信code调用你的code上的每一个类，它具有 SumPermission ，它就会失败安全检查。当然，这只是默认情况下，当你做任何事情，需要的权限，你可以使用 doPrivileged的块，告诉即将到来的检查，只检查您的权限，而不是双方你和来电者。

You can also make your own privileges, and grant them to certain parts of code. For example, to open a file, the code that wants to access a file needs FilePermission for that file. You can make any kind of permission you wish though, it's possible to make a permission called SumPermission which Calculator checks before summing, and only grant it to whatever classes you want. Protection domains span across classes, not individual methods in the classes, because a whole class is generally obtained from a single source. The model in fact goes deeper that what you proposed. Every class on the stack (including the history of thread creations) leading up to a security check must have the permission, so if some untrusted code calls your code that has SumPermission, it will fail the security check. Of course this is only default, whenever you do anything that needs permissions, you can use a doPrivileged block, to tell the upcoming check to only check your permissions instead of both yours and your callers.

不过，在Java中当前默认的安全方案有很大的局限性。其一，不可信code不能细分它的权限或定义嵌套不可信code自己的权限。此外，它是一个的疼痛的防范不可信code阻止。

However, the current default security scheme in Java has many limitations. For one, untrusted code can't subdivide its permissions or define its own permissions for nested untrusted code. Also, it's a pain to guard against untrusted code that blocks.

您可能想看看。尤其是，它遵循对象能力模型。它是为相互信任的code作出安全互动，并有语言水平的结​​构，以prevent死锁的问题。

You may want to check out E. In particular, it follows the Object-Capability Model. It is made for mutually untrusted code to interact securely, and has language level constructs to prevent deadlocking issues.

这是完全可能和可行的在Java中实现相互信任的code之间强大的行为，但ê将可能使你的工作更容易，并在JVM上运行，所以你还是应该能够使用Java库和库使用JVM的任何其他语言。

It's perfectly possible and feasible to implement robust behavior between mutually untrusted code in Java, but E will probably make your job much easier, and runs on the JVM so you should still be able to use Java libraries and libraries from any other languages that use the JVM.

这篇关于编程语言颗粒的方法和属性访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！