Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Limit access of a java class to some packages

Tags:

java

I have a Java class which have some confidential information which I don't want to provide to any unauthorized class.

I want to access this class in some packages (classes from this packages are going to utilize confidential information), So that my secure class should be accessible in these packages.

Is there any way where I can check if caller of method is a authorized class from authorized package or not?

I know public/private/default all things (so please don't ask me to use it), but those are not useful here, because I want a class to be accessible in some packages(not one/same).

like image 833
Patriks Avatar asked Oct 09 '12 11:10

Patriks

3 Answers

I feel that you are going in the wrong direction. It might be a design problem.

The security requirement is your business logic. You should implement your security policy somehow, not rely on the java language level visibility modifier or caller package names. since if you give your jar to someone, he can anyway get access to your "confidencial" class.

And moreover, a class is a type, something abstract. it should not contain "data". well sure sometimes conf information was written as static variable etc. However if some data is sensitive, it should not be written in class. It could be stored in database or encrypted file and so on. Once a request to the sensitive information comes, you check your implemented security policy, if it is allowed to access those data.

just my 2cents

like image 139
Kent Avatar answered Nov 14 '22 21:11

Kent

The visibility modifiers in Java are not a security tool, but an OO design tool. Whatever you might do, if someone uses your class, it can access any private members of any class using reflection.

If your objects contain confidential information, leave these objects in your secure server.

like image 31
JB Nizet Avatar answered Nov 14 '22 22:11

JB Nizet

You can create an Exception (no need for it to be thrown) and use the getStackTrace() to analize the call stack. I always found it ugly, though.

That said, anything that you put in a client machine is vulnerable to that machine; if you have something really confidential protect it in your server; make it available only as a service.

like image 37
SJuan76 Avatar answered Nov 14 '22 20:11

SJuan76
Sign in to Comment

Related questions

Calendar hour set to 0, yet displays 1, why?
Accessing local field vs object field. Is doc wrong?
Tomcat 7.0.30 does not work with Resteasy 2.3.4
HashMap: containsKey() Not true when it should be?
How to delete blank rows in between the sheet using POI?
Java (web service - SOAP) - How do I add a SOAP handler on the client side and enable MTOM correct?
Reflections lib for Java: find all classes in a package
Creating new object in abstract class in Java
How to create a jar from part of my project that is packaged as a war
Android UnknownHostException Facebook SDK
JGit branch checkout Issue
Java - How to search a string for 6 random numbers
Fast Adaptive Threshold for Canny Edge Detector in Android
NullPointerException using Long after equality check
Android AudioRecord artifact
Java Regex Performance: Reluctant Quantifier or Character Class?
Why won't Eclipse detect these files as part of my folder?
Moving JScrollPane horizontally results in blured text
Java Regex lookahead takes too much time
Adjusting Gridbag layout

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!