Java 安全性:如何确保类只能从特定包访问?
[英]Java security: how to ensure class is only access from specific package?
问题描述
Now I know I can mark a method as 'no modifier' so that its only accessible by Class & Package.
现在我知道我可以将一个方法标记为“无修饰符”,以便它只能由类和包访问。
That is not what I need in this case though.不过,在这种情况下,这不是我所需要的。 What I need is this:我需要的是这个:
Methods on Class "Secure.java" can only be accessed from other Classes in the same JAR file.类“Secure.java”上的方法只能从同一 JAR 文件中的其他类访问。
AND (this is extra) AND(这是额外的)
When call is made into a secure method, the call stack does not go back to a none secure class & then back in again.当调用进入安全方法时,调用堆栈不会返回到非安全类然后再次返回。 For example:例如:
This is good:这很好:
- com.nonsecure.ClassA.doStuff() calls com.nonsecure.ClassA.doStuff() 调用
- com.nonsecure.ClassB.doStuff() calls com.nonsecure.ClassB.doStuff() 调用
- com.secure.Secure.doStuff() calls com.secure.Secure.doStuff() 调用
- com.secure.SecureB.doStuff() com.secure.SecureB.doStuff()
This is bad:这不好:
- com.nonsecure.ClassA.doStuff() calls com.nonsecure.ClassA.doStuff() 调用
- com.nonsecure.ClassB.doStuff() calls com.nonsecure.ClassB.doStuff() 调用
- com.secure.Secure.doStuff() calls com.secure.Secure.doStuff() 调用
- com. com。 nonsecure .ClassC.doStuff() calls [BAD: we went outside the classes in the secure JAR!]非安全.ClassC.doStuff() 调用 [糟糕:我们在安全 JAR 中的类之外!]
- com.secure.SecureB.doStuff() com.secure.SecureB.doStuff()
Now I think I can do this via a little manual work:现在我想我可以通过一些手动工作来做到这一点:
private void checkSecurity()
{
StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();
for (StackTraceElement stackTraceElement : stackTraceElements)
{
// TODO: Add a little magic to check that we've not stepped outside the secure packages.
if (!stackTraceElement.getClassName().startsWith("com.secure"))
{
throw new SecurityException("Woop!");
}
}
}
QUESTION: This feels like there should be something that Java provides to help me out here?问题:感觉应该是 Java 提供的一些东西来帮助我解决这个问题?
I've read about我读过关于
AccessController.doPrivileged(new PrivilegedExceptionAction<String>()
But seems to only be about accessing resources/network connections etc. Not about accessing the call stack to ensure some sort of package protection.但似乎只是关于访问资源/网络连接等。而不是关于访问调用堆栈以确保某种包保护。
Notes:笔记:
- I am using Spring 3我正在使用 Spring 3
- The JAR file containing the secure code is signed with a certificate.包含安全代码的 JAR 文件使用证书签名。
- Access to the secure class will only be from within the JAR, direct access from outside the JAR must not be allowed.只能从 JAR 内部访问安全类,不允许从 JAR 外部直接访问。
3 个解决方案
解决方案1
1 2012-11-23 09:45:10
Your title says 'from same package' which provides the hint.你的标题说“来自同一个包”,它提供了提示。 Put the class into the same package as the classes that may access it;将类放入与可能访问它的类相同的包中; don't make it public, so it is only accessible to classes in that package;不要公开它,所以它只能被该包中的类访问; sign the JAR file;签署 JAR 文件; and seal the package.并密封包装。
解决方案2
1 2012-11-23 11:48:00
You are basically looking for access restrictions based on the container (jar) of your classes.您基本上是在寻找基于类的容器(jar)的访问限制。 Java does not provide such control on its own (at least not easily). Java 本身不提供这种控制(至少不容易)。
OSGI specifications are closer to the access control you want to achieve. OSGI 规范更接近您想要实现的访问控制。 In essence, OSGI do support and enforce access restrictions and rules based on the jar files (which it calls bundles ).本质上,OSGI 确实支持并实施基于 jar 文件(它称为bundles )的访问限制和规则。
You say you are using Spring: maybe have a look on these articles from JavaWorld here and here to check in which extent OSGI can help you.您说您正在使用 Spring:也许可以查看 JavaWorld here和here 中的这些文章,以检查 OSGI 可以在多大程度上帮助您。
解决方案3
0 2013-05-28 10:32:54
In the end I used the checkSecurity() method above.最后我使用了上面的 checkSecurity() 方法。
I didn't find a Java 1.6 feature to help me out.我没有找到 Java 1.6 功能来帮助我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.