Is java.lang.String Truly Immutable? Reflection Bypass in Java 11 and Prevention in Java 17

Java developers often assume that java.lang.String is immutable, but the article shows that in Java 11 reflection can change a String's internal value, breaking the immutability guarantee.

A real‑world incident is cited where clearing a String via reflection caused a business‑critical failure (link to the analysis article).

Starting with Java 17, attempts to modify a String through reflection trigger an InaccessibleObjectException , effectively preventing the unsafe operation.

The article details the internal checks performed when Field#setAccessible is invoked, including module, package and access‑level validations, illustrated with several screenshots of the security checks.

To enforce custom security policies, the author presents a StackTrace‑based validation technique. The provided Demo class extracts the current stack trace, verifies that the caller originates from the com.example.demo package and the method name is test , and throws an InaccessibleObjectException otherwise.

package com.example.demo;

import java.lang.reflect.InaccessibleObjectException;

public class Demo {
    public static void main(String[] args) throws ReflectiveOperationException {
        test();
        System.out.println("test....");
        doDo();
    }

    private static void test() {
        doDo();
    }

    private static void doDo() {
        StackTraceElement[] stackTrace = new RuntimeException().getStackTrace();
        StackTraceElement stackTraceElement = stackTrace[1];
        if (stackTraceElement.getClassName().startsWith("com.example.demo") &&
            stackTraceElement.getMethodName().equals("test")) {
            System.out.println("doDo.....");
        }
        throw new InaccessibleObjectException("doDo 方法不能被调用");
    }
}

Running the program shows that calling doDo() directly from main throws the exception, while invoking it through test() is allowed, as demonstrated by the accompanying screenshot.

The article also lists other practical uses of StackTrace information: retrieving the Spring Boot main class ( SpringApplication#deduceMainApplicationClass ), extracting exception stacks in Logback ( CallerData#extract ), detecting lock order violations with Guava's CycleDetectingLockFactory , identifying method callers, and validating layered‑architecture constraints.

In conclusion, StackTrace data can be leveraged for security checks and creative implementations, but because obtaining stack traces is costly, Java 9 introduced java.lang.StackWalker as a more efficient alternative to StackTraceElement .