Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Limit access of a java class to some packages

Tags:

java

I have a Java class which have some confidential information which I don't want to provide to any unauthorized class.

I want to access this class in some packages (classes from this packages are going to utilize confidential information), So that my secure class should be accessible in these packages.

Is there any way where I can check if caller of method is a authorized class from authorized package or not?

I know public/private/default all things (so please don't ask me to use it), but those are not useful here, because I want a class to be accessible in some packages(not one/same).

like image 833
Patriks Avatar asked Oct 09 '12 11:10

Patriks


3 Answers

I feel that you are going in the wrong direction. It might be a design problem.

The security requirement is your business logic. You should implement your security policy somehow, not rely on the java language level visibility modifier or caller package names. since if you give your jar to someone, he can anyway get access to your "confidencial" class.

And moreover, a class is a type, something abstract. it should not contain "data". well sure sometimes conf information was written as static variable etc. However if some data is sensitive, it should not be written in class. It could be stored in database or encrypted file and so on. Once a request to the sensitive information comes, you check your implemented security policy, if it is allowed to access those data.

just my 2cents

like image 139
Kent Avatar answered Nov 14 '22 21:11

Kent


The visibility modifiers in Java are not a security tool, but an OO design tool. Whatever you might do, if someone uses your class, it can access any private members of any class using reflection.

If your objects contain confidential information, leave these objects in your secure server.

like image 31
JB Nizet Avatar answered Nov 14 '22 22:11

JB Nizet


You can create an Exception (no need for it to be thrown) and use the getStackTrace() to analize the call stack. I always found it ugly, though.

That said, anything that you put in a client machine is vulnerable to that machine; if you have something really confidential protect it in your server; make it available only as a service.

like image 37
SJuan76 Avatar answered Nov 14 '22 20:11

SJuan76