Reputation: 120516
Is there a Maven plugin that makes mvn verify of an aggregating project fail when its submodules or their transitive dependencies depend on things they oughtn't?
I'd like to be able to restrict uses of public APIs to express policies like
I realize that there are ways to work around these requirements using reflection and deserialization. My end goal is to allow system-architects & tech-leads to set a policy like
The system architect trusts application developers, but we want naive policy violations flagged with useful error messages, and we want developers who hack around the policy to not be able to plausibly deny that they did so.
Tricks like reflection and deserialization fall into that not-plausibly-deniable hacking.
This is kind of like some of the aims of Jigsaw, where a module (group of packages) can declare that its public interface is limited to just some packages, but Jigsaw isn't widely available.
This question differs from "Make Java methods visible to only specific classes" because I'm not asking about ways to do this from within the Java language.
Upvotes: 1
Views: 74
Reputation: 15086
You can use Checkstyle to perform such checks; for your use case you could use import control:
It seems that this doesn't support fully-qualified imports, based on the following answers:
Checkstyle rule to limit interactions between root packages (with ImportControl?)
How to prevent fully qualified names in Java code
As the second answer suggests, you could work around that by forbidding fully qualified imports by using another tool - PMD.
As for JSPs, these are usually compiled in the servlet container; nevertheless, there is a way to pre-compile these as well, using a Maven plugin.
Upvotes: 3
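An added example, not part of the original answer: a Checkstyle import-control file of the kind the answer points to, loaded through the `file` property of the `ImportControl` check and enforced in the build by the `check` goal of maven-checkstyle-plugin. The root package `com.example.app`, the `persistence` subpackage, `com.example.billing.internal` and the policy itself are hypothetical; the page does not give the asker's actual rules.

```xml
<?xml version="1.0"?>
<!DOCTYPE import-control PUBLIC
    "-//Checkstyle//DTD ImportControl Configuration 1.4//EN"
    "https://checkstyle.org/dtds/import_control_1_4.dtd">

<!-- Hypothetical policy for sources rooted at com.example.app.
     For each import, the rules of the nearest enclosing subpackage are
     tried first, then its parents; the first matching rule decides, and
     an import that matches no rule is rejected. -->
<import-control pkg="com.example.app">

  <!-- Reflection and Java deserialization cannot be imported anywhere,
       so using them needs a visible, reviewable change to this file. -->
  <disallow pkg="java.lang.reflect"/>
  <disallow class="java.io.ObjectInputStream"/>

  <!-- JDBC is rejected by default; see the persistence subpackage. -->
  <disallow pkg="java.sql"/>

  <!-- Another module's internal packages (hypothetical name). -->
  <disallow pkg="com.example.billing.internal"/>

  <!-- Everything else in the JDK and in the project is allowed.
       These broad rules must follow the narrower disallow rules. -->
  <allow pkg="java"/>
  <allow pkg="javax"/>
  <allow pkg="com.example"/>

  <!-- Only com.example.app.persistence may import JDBC classes. This
       rule is tried before the root-level disallow for that package. -->
  <subpackage name="persistence">
    <allow pkg="java.sql"/>
  </subpackage>

  <!-- Limitation noted in the answer: only import statements are
       checked, so a fully qualified name written inline is not seen. -->
</import-control>
```

Checkstyle reads source files only, so this constrains the code in each module that runs the check, not the compiled classes of third-party transitive dependencies.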