jeff porter

Reputation: 6620

Java security: how to ensure a class is only accessed from a specific package?

Now I know I can mark a method as 'no modifier' so that it's only accessible by Class & Package.

That is not what I need in this case though. What I need is this:

Methods on Class "Secure.java" can only be accessed from other Classes in the same JAR file.

AND (this is extra)

When a call is made into a secure method, the call stack does not go back to a non-secure class & then back in again. For example:

This is good:

This is bad:


Now I think I can do this via a little manual work:

    private void checkSecurity()
    {
        StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();
        for (StackTraceElement stackTraceElement : stackTraceElements)
        {
            // TODO: Add a little magic to check that we've not stepped outside the secure packages.
            if (!stackTraceElement.getClassName().startsWith("com.secure"))
            {
                throw new SecurityException("Woop!");
            }
        }
    }

QUESTION: This feels like there should be something that Java provides to help me out here?

I've read about

AccessController.doPrivileged(new PrivilegedExceptionAction<String>()

But it seems to only be about accessing resources/network connections etc., not about accessing the call stack to ensure some sort of package protection.

Notes:

Upvotes: 2

Views: 1273

Answers (3)

jeff porter

Reputation: 6620

In the end I used the checkSecurity() method above.

I didn't find a Java 1.6 feature to help me out.

Upvotes: 0
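An added example (not code from the question or its answers) that fills in the TODO in checkSecurity() under one reading of the question's two rules: the direct caller must be in the secure package, and once the stack has left secure code it must not re-enter it. The names CallerCheck and isTrustedPath and the sample class names are hypothetical; only Java 1.6 APIs are used.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class CallerCheck {
    // Assumption: trusted code lives under this prefix (trailing dot so "com.securex"
    // does not match). A name says nothing about which JAR a class was loaded from.
    static final String SECURE_PREFIX = "com.secure.";

    /** frames: class names, most recent call first; frames.get(0) is the protected method. */
    static boolean isTrustedPath(List<String> frames) {
        // Rule 1: the direct caller must be secure. Too few frames fails closed.
        if (frames.size() < 2 || !frames.get(1).startsWith(SECURE_PREFIX)) {
            return false;
        }
        boolean leftSecureCode = false;
        for (String name : frames) {
            boolean secure = name.startsWith(SECURE_PREFIX);
            if (secure && leftSecureCode) {
                return false; // Rule 2: secure -> non-secure -> secure again
            }
            leftSecureCode |= !secure;
        }
        return true;
    }

    /** Call first thing in a protected method; throws on an untrusted path. */
    static void checkSecurity() {
        StackTraceElement[] trace = Thread.currentThread().getStackTrace();
        int i = 0; // skip getStackTrace()'s own frame and this helper's frame
        while (i < trace.length && (trace[i].getClassName().equals("java.lang.Thread")
                || trace[i].getClassName().equals(CallerCheck.class.getName()))) {
            i++;
        }
        List<String> frames = new ArrayList<String>();
        for (; i < trace.length; i++) {
            frames.add(trace[i].getClassName());
        }
        if (!isTrustedPath(frames)) {
            throw new SecurityException("untrusted call path: " + frames);
        }
    }

    public static void main(String[] args) {
        // Constructed stacks with hypothetical class names.
        System.out.println(isTrustedPath(Arrays.asList("com.secure.Secure", "com.secure.Service", "app.Main")));
        System.out.println(isTrustedPath(Arrays.asList("com.secure.Secure", "com.secure.Service", "plugin.Callback", "com.secure.Dispatcher", "app.Main")));
    }
}
```

The Javadoc for getStackTrace() allows a JVM to omit frames, so a name-based stack check is a best-effort guard; signing the JAR and sealing the package is what ties a package name to one JAR.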

Alexandre Dupriez

Reputation: 3036

You are basically looking for access restrictions based on the container (jar) of your classes. Java does not provide such control on its own (at least not easily).

The OSGi specifications are closer to the access control you want to achieve. In essence, OSGi does support and enforce access restrictions and rules based on the jar files (which it calls bundles).

You say you are using Spring: maybe have a look at these articles from JavaWorld here and here to check to what extent OSGi can help you.

Upvotes: 1

user207421

Reputation: 310876

Your title says 'from same package' which provides the hint. Put the class into the same package as the classes that may access it; don't make it public, so it is only accessible to classes in that package; sign the JAR file; and seal the package.

Upvotes: 1
