How is Spring BeanFactory able to instantiate a non-public class?

Spring newbie here.

I observed that Spring was able to instantiate a non-public c开发者_开发问答lass (i.e. a class with default visibility) that I had defined. Can anyone tell me how Spring achieves this? Why is this allowed ?

OK, here's how they do it. Take this sample class:

package hidden;  

class YouCantInstantiateMe{

    private YouCantInstantiateMe(){
        System.out.println("Damn, you did it!!!");
    }

}

The above is a package-private class with a private constructor in a different package, but we'll still instantiate it:

Code (run from a class in a different package):

public static void main(final String[] args) throws Exception{
    Class<?> clazz = Class.forName("hidden.YouCantInstantiateMe");
                                            // load class by name
    Constructor<?> defaultConstructor = clazz.getDeclaredConstructor();
    // getDeclaredConstructor(paramTypes) finds constructors with
    // all visibility levels, we supply no param types to get the default
    // constructor
    defaultConstructor.setAccessible(true); // set visibility to public
    defaultConstructor.newInstance();       // instantiate the class
}

Output:

Damn, you did it!!!

Of course what Spring does is much more complex, because they also deal with Constructor Injection etc., but this is how to instantiate invisible classes (or invisible constructors).

The one, who is responsible to check if you (or Spring) is allowed to instantiate class in runtime, is Security Manager . If you are running with simple main class, you probably don't have it at all. If you configure your application to run with Security Manager, and do not grant Spring with special permissions, it won't be able to instantiate non-public classes.