Java security: how to ensure class is only access from specific package?

Question

Now I know I can mark a method as 'no modifier' so that its only accessible by Class & Package.

That is not what I need in this case though. What I need is this:

Methods on Class "Secure.java" can only be accessed from other Classes in the same JAR file.

AND (this is extra)

When call is made into a secure method, the call stack does not go back to a none secure class & then back in again. For example:

This is good:

• com.nonsecure.ClassA.doStuff() calls
• com.nonsecure.ClassB.doStuff() calls
• com.secure.Secure.doStuff() calls
• com.secure.SecureB.doStuff()

This is bad:

• com.nonsecure.ClassA.doStuff() calls
• com.nonsecure.ClassB.doStuff() calls
• com.secure.Secure.doStuff() calls
• com. nonsecure .ClassC.doStuff() calls [BAD: we went outside the classes in the secure JAR!]
• com.secure.SecureB.doStuff()

---

Now I think I can do this via a little manual work:

 private void checkSecurity()
  {
    StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();
    for (StackTraceElement stackTraceElement : stackTraceElements)
    {
      // TODO: Add a little magic to check that we've not stepped outside the secure packages.
      if (!stackTraceElement.getClassName().startsWith("com.secure"))
      {
         throw new SecurityException("Woop!");
      }
    }
  }

QUESTION: This feels like there should be something that Java provides to help me out here?

I've read about

AccessController.doPrivileged(new PrivilegedExceptionAction<String>()

But seems to only be about accessing resources/network connections etc. Not about accessing the call stack to ensure some sort of package protection.

Notes:

• I am using Spring 3
• The JAR file containing the secure code is signed with a certificate.
• Access to the secure class will only be from within the JAR, direct access from outside the JAR must not be allowed.

Answer 1

Your title says 'from same package' which provides the hint. Put the class into the same package as the classes that may access it; don't make it public, so it is only accessible to classes in that package; sign the JAR file; and seal the package.

Answer 2

You are basically looking for access restrictions based on the container (jar) of your classes. Java does not provide such control on its own (at least not easily).

OSGI specifications are closer to the access control you want to achieve. In essence, OSGI do support and enforce access restrictions and rules based on the jar files (which it calls bundles ).

You say you are using Spring: maybe have a look on these articles from JavaWorld here and here to check in which extent OSGI can help you.

Answer 3

In the end I used the checkSecurity() method above.

I didn't find a Java 1.6 feature to help me out.