stackoom
  简体   繁体   中英

Extracting unique caller information in java

 原文  2009-12-28 00:30:08       java/ reflection

Question

What I want to do is implement some basic security by checking not only what class has called a particular method, but also, which instance of that class.

I tried

StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();

but that obviously only gives me the class name. The problem with allowing/requiring the callers to send self, or personal IDs is that all the callers are required to have access to the details of all the others. Can anyone help?

EDIT: More information:

So we have a server which makes connections with several agents. The agents send packets of information which include the name they CLAIM to have. There is a special agent which decides whether or not people should be able to lie about this in each particular case.

The agents make connections to instances of an Agent class on the server, but there is also a possibility that some agents will run natively. The reason I'm interested in this approach is that I will need that technique later (extract the specific instance that called a given method)

I hope this is better, and sorry for not putting enough info before :/

3 answers

solution1
 4 ACCPTED  2009-12-28 01:35:16

This whole line of attack can't possible secure anything. If users can control the code that runs, they can just run a codegen library and edit your code. If users can't control the code, then this is all unnecessary.

If you can't resist this urge, one approach is to wrap everything in Proxies that communicate the information you need.

By Proxy, I mean java.lang.reflect.Proxy . That is, wrap every one of these objects in a proxy. The proxy's job would be to store away this on a stack of your own that the callees could consult.

This is essentially AOP (aspect oriented programming) reinvented, so you might want to read about that. Look at the Spring framework.

solution2
 1  2009-12-28 03:54:23

You are not securing anything like this.

I think for such problems just check that all contributing code comes from signed jars.

solution3
 0  2009-12-28 23:06:12

Look up Capability-based security . Instead of knowing which client is doing what, you should give each client separate capability objects (essentially proxy objects with different privileges).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Caller Information in Java Java Regex for extracting price information Extracting some information from a String - Java + regex Extracting Information from Java using ANTLR extracting blocks of information from a text variable in Java Java Extracting class information from a generic type Extracting webpage information based on a template in Java Exposes implementation information to the caller? Accessing caller information quickly Java library for extracting audio information from MP3 files
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM