Security problem about public modifier.

1. There are two classes in different packages, say class A in package com.a and class B in com.b. There is a public (it must be public) function in B which is only open to A; we don't want it to be published to the end user when we generate the API docs. What should I do now?
2. Since the class files and the java files are matched one by one, how can I be sure that the class IS the class I wrote, not one replaced by others?
Many thanks.

This sounds a lot more like an "incomplete understanding of Java" problem than a "Security General" problem - but anyway...
1. There are two classes in different packages, say class A in package com.a and class B in com.b. There is a public (it must be public) function in B which is only open to A; we don't want it to be published to the end user when we generate the API docs. What should I do now?

Are A and B in the same package? If so, then make B.protectedButPublicMethod() be package-protected.
Is any of B accessible to end-users? If not, then define B inside of A.java as a non-public class. Javadoc will then ignore B's methods (unless you go out of your way to tell it to produce the docs for B).
Java isn't C++ - there are no "friends" in Java. Package-protected comes closest.
2. Since the class files and the java files are matched one by one, how can I be sure that the class IS the class I wrote, not one replaced by others?

.class and .java are NOT matched "one by one". A.java can only contain one public class, but it can also contain an arbitrary number of non-public classes and inner classes.
However, that is a separate issue from your second question. And the net is, you can't prevent your end-user from replacing your classfiles with their own.
Note that this isn't a Java-specific problem - it affects any system that allows dynamic libraries (like, say, .dlls on Windows or .so's on Unix).
Whatever it is you're trying to protect, I think you need to seriously rethink your approach - your questions hint at a system that is, at best, naive.
Good luck!
Grant
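As an added example (not code from the thread), here is what Grant's advice looks like in one compilation unit: A.java holds the public class A and a non-public top-level class B, so B and A's package-private helper are reachable only from inside com.a and javadoc leaves them out by default (it documents public and protected members only). The second part addresses the question about replaced class files from a detection angle: the JVM cannot be told to refuse a substituted class, but the loaded class can report which JAR or directory it actually came from. The class and method names are mine.

```java
package com.a;

import java.security.CodeSource;

// A.java: one public class plus a non-public helper class in the same file.
public class A {

    // Package-private (no access modifier): callable from any class in com.a,
    // and from nothing outside it. A class in com.b that writes
    // A.internalHelper("x") will not compile. This is the closest Java gets
    // to a C++ "friend".
    static String internalHelper(String input) {
        return B.transform(input);
    }

    // Public API: the only part end users see in the generated API docs.
    public static String publicApi(String input) {
        return "A:" + internalHelper(input);
    }

    // Reports where the running JVM loaded this class from. This does not stop
    // anyone from swapping the class file, but logging it at startup lets an
    // operator see which archive or directory supplied the code at runtime.
    public static String loadedFrom() {
        CodeSource src = A.class.getProtectionDomain().getCodeSource();
        return src == null ? "(bootstrap/unknown)" : String.valueOf(src.getLocation());
    }

    public static void main(String[] args) {
        System.out.println(publicApi("x"));   // prints A:X
        System.out.println("A loaded from: " + loadedFrom());
    }
}

// Second top-level class in A.java, deliberately without "public": it is
// package-private by construction, and javadoc skips it unless run with
// -package or -private.
class B {
    static String transform(String s) {
        return s.toUpperCase();
    }
}
```

Compile with `javac -d out src/com/a/A.java` and run `java -cp out com.a.A`; running `javadoc -d docs src/com/a/A.java` produces documentation for A.publicApi only. If the CodeSource printed at startup points somewhere other than the JAR you shipped, that is the signal that a different class file is being picked up.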

Similar Messages

  • Security problem about JCOM

    Hi,
    Now we are using IIS/ASP page to connect to EJB. This is the code below:
    Dim mobjHome
    Dim mobjBean
    dim mobjList
    Private Function BindObjects()
    Dim objTemp
    'Handle errors
    On Error resume next
    'Initialize function value
    BindObjects = True
    'Access WebLogic Server. Set here to localhost, port 7001.
    Set objTemp = GetObject("objref:TUVPVwEAAAAABAIAAAAAAMAAAAAAAABGABAAAAAAAABKaW50ZWdyYVRhbGtUb01lV2hhdHNBbGxUaGlzVGhlbhkAEgAHAGwAbwBjAGEAbABoAG8AcwB0AFsANwAwADAAMQBdAAAAAAAKAP//AAAAAAAAAAAAAA==:")
         if err.number>0 then
         BindObjects = False
         response.write "Error number:" & cstr(Err.Number) & "<BR>"
         response.write "Error Desc:" & Err.Description & "<BR>"
         'Notify user and end sub
         response.write "An error occurred while GetObject.<br>"
         exit function
         end if
    'Bind the EJB AccountHome object via JNDI
    Set mobjHome = objTemp.get("examplesServer:jndi:ejb20-containerManaged-AccountHome")
         if err.number>0 then
         BindObjects = False
         response.write "Error number:" & cstr(Err.Number) & "<BR>"
         response.write "Error Desc:" & Err.Description & "<BR>"
         'Notify user and end sub
         response.write "An error occurred while objTemp.Get.<br>"
         exit function
         end if
    Set mobjBean = mobjHome.create()
         if err.number>0 then
         BindObjects = False
         response.write "Error number:" & cstr(Err.Number) & "<BR>"
         response.write "Error Desc:" & Err.Description & "<BR>"
         'Notify user and end sub
         response.write "An error occurred while mobjHome.create().<br>"
         exit function
         end if
    'Find accounts with a balance > LARGE_BALANCE
    Set mobjList = FindBigTypes(700)
         if err.number>0 then
         BindObjects = False
         response.write "Error number:" & cstr(Err.Number) & "<BR>"
         response.write "Error Desc:" & Err.Description & "<BR>"
         'Notify user and end sub
         response.write "An error occurred while FindBigTypes.<br>"
         exit function
         end if
    'Exit before error code
    Exit Function
    End Function
An error occurred when running
Set mobjHome = objTemp.get("examplesServer:jndi:ejb20-containerManaged-AccountHome")
It told me "Access denied". Is there any setting I need to make in WebLogic Server?
    Thank you!
    Best regards!
    Xianyu

    ADF SecurityContext is populated after execution of "/adfAuthentication" servlet so you can't get roles with ADFContext.getCurrent().getSecurityContext().getUserRoles() in your login method.
    Maybe you can retrieve roles with:
    Set<Principal> allPrincipals = mySubject.getPrincipals();
    for (Principal principal : allPrincipals) {
        if (principal instanceof WLSGroupImpl) {
            roles.add(principal.getName());
        }
    }
    (note that this will retrieve 'enterprise' roles and not application roles)
    Dario

  • HT4623 Why isn't Apple talking about the security problem and the iOS software patch?

    Why isn't Apple telling us about the iOS security problem and the software patch?

    There's an iOS security problem already?
    They just issued an iOS update...

  • Need to solve serious security problem with Oracle Reports URL

    As mentioned repeatedly on this forum, Oracle Reports allows serious security breaches that allow users to see reports that they did not generate -- it's easy to guess a legal URL by changing the getjobid parameter.
    I've reviewed the JavaDocs to part of the rwrun.jar file and reviewed some of the example report plugins. This shows promise in helping to solve this security problem but critical pieces are missing.
    1) The javadocs are accurate for only 10g (9.0.4) but not correct for 10g (10.1.2+), which we are currently using. I need access to the updated version of this javadoc.
    2) Even with the updated version of the JavaDoc, I haven't found a class from which to inherit that would give me the opportunity to generate random jobid values, which then would effectively prevent users from guessing other jobid values, and thereby gaining access to others' reports (which in our case may contain sensitive information).
    3) We have found that we can send the parameter=value of EXPIRATION=1 which helps protect such information, but this requires that every program which invokes a report be modified to add this parameter. It would be far better for the report server to be configured to use a java class we write that inherits from some rwrun.jar class that would by default, add the EXPIRATION=1 parameter.

    Hi,
    Thanks for your replies. I will ask an administrator about this security problem; now I know it depends on a security parameter.
    But I would like to know whether it is possible to hide the technical name of the query in the URL. That would improve the security level of our reports as a first step.
    Thanks a lot,
    JW.

  • Security problem? Bounded taskflow and sessionid in loopback url

    Hi,
    We just had a security evaluation of our public site. We use ADF in several places on the site (through iframes).
    The applications are made up of bounded taskflows. The request Url reads like:
    http://127.0.0.1:7101/test/faces/adf.task-flow?adf.tfId=task-flow-definition&adf.tfDoc=/WEB-INF/task-flow-definition.xml
    and it returns :
    http://127.0.0.1:7101/test/faces/adf.task-flow;jsessionid=R9YWRvkLJyD6lYC79DyTmTl6fxj177x1ZflDcJy4mrlcYmDVSmn0!-1545839156?adf.tfId=task-flow-definition&adf.tfDoc=/WEB-INF/task-flow-definition.xml&_afrLoop=97476727347664&_afrWindowMode=0&_afrWindowId=null
    According to the security evaluation the ;jsessionid=xxx in the header is a security problem, you could in principle copy the url and send it to a different computer and continue the session from there!
    The jsessionid is put there by the loop back script.
    Is there any way of making the loop back script not put the jsessionid in the url?
    Is it a security problem?
    regards
    Johnny

    Hi, thank you for the opinion. I am not talking about hijacking my own session id. But "malware" or a spy in some way could "sniff" the url and send it off to another computer!
    Look at this url, it explains it even better :
    http://fralef.org/tomcat-disable-jsessionid-in-url.html
    Again it is not my opinion but that of a security firm.
    Cookies are not disabled on my computer ( and our security firms), the case is real and how bounded taskflows work.
    Here is the code from the loop back:
    var sess = ";jsessionid=TdJhRvVGHnYZtTfzsMBpmDcSnLVHW0SzgBWl0gQm2tPQ45lwsq1W!-1545839156";
    if (sess.length > 0)
    href += sess;
    After the redirect the cookies "takes" over and the jsession id is not shown again.
    But it is still shown initially.
    And we do use https on our site, my code was just an illustration.
    Johnny
    Edited by: user11345344 on Feb 28, 2013 8:44 PM
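Added example, not code from Johnny's post or from ADF: on a Servlet 3.0 container the application can restrict session tracking to cookies, so the container never rewrites ;jsessionid=... into the URL it returns, and the loopback script's `sess` string stays empty. It assumes a javax.servlet 3.0+ container and that the loopback script only echoes what the container put into the URL; the class name is mine.

```java
package example;

import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Registers itself via @WebListener; no web.xml entry needed on a Servlet 3.0 container.
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Allow only cookie-based tracking. With URL tracking removed from the set,
        // encodeURL()/encodeRedirectURL() never append ;jsessionid=..., so the
        // session id cannot leak through copied links, Referer headers or logs.
        // setSessionTrackingModes() is only legal during context initialization,
        // which is why it lives in a ServletContextListener.
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // The site is served over HTTPS, so the session cookie should be sent
        // only over TLS and kept away from page scripts.
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The declarative equivalent in web.xml is `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`. The trade-off is that a client with cookies disabled can no longer keep a session at all, which for a public site is normally the right outcome: the first response no longer carries the id in the Location header, so there is nothing for a URL-sniffing component to forward.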

  • An old and difficult problem about "UnsatisfiedLinkError"

    Hi dear all,
    I have been stuck with the problem about "UnsatisfiedLinkError". I have a C++ class HelloWorld with a method hello(), and I want to call it from within a Java class. In fact, I have succeeded in calling it on the Windows platform. But when I transfer it to Linux, the error "UnsatisfiedLinkError" comes out. I have tried to take the measures the forum has suggested, but it failed.
    The source code is very simple to demonstrate JNI.
    "HelloWorld.h"
    #ifndef INCLUDEDHELLOWORLD_H
    #define INCLUDEDHELLOWORLD_H
    class HelloWorld {
    public:
        void hello();
    };
    #endif
    "HelloWorld.cpp"
    #include <iostream>
    #include "HelloWorld.h"
    using namespace std;
    void HelloWorld::hello() {
        cout << "Hello, World!" << endl;
    }
    "JHelloWorld.java"
    public class JHelloWorld {
        public native void hello();
        static {
            System.loadLibrary("hellolib");
        }
        public static void main(String[] argv) {
            JHelloWorld hw = new JHelloWorld();
            hw.hello();
        }
    }
    "JHelloWorld.cpp"
    #include <iostream>
    #include <jni.h>
    #include "HelloWorld.h"
    #include "JHelloWorld.h"
    JNIEXPORT void JNICALL Java_JHelloWorld_hello(JNIEnv * env, jobject obj) {
        HelloWorld hw;
        hw.hello();
    }
    All the files are in the same directory and all the steps are run in that directory:
    1. javac JHelloWorld.java
    2. javah -classpath . JHelloWorld
    3. g++ -c -I/usr/java/jdk1.3/include -I/usr/java/jdk1.3/include/linux JHelloWorld.cpp HelloWorld.cpp
    4. ld -shared -o hellolib.so *.o
    5. java -cp . -Djava.library.path=. JHelloWorld
    Exception in thread "main" java.lang.UnsatisfiedLinkError: no hellolib in java.library.path
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1349)
    at java.lang.Runtime.loadLibrary0(Runtime.java:749)
    at java.lang.System.loadLibrary(System.java:820)
    at JHelloWorld.<clinit>(JHelloWorld.java:7)
    Tried another measure:
    i) export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH
    ii)java -cp . JHelloWorld
    The same error came out as above.
    I really don't know what is wrong with it.
    Would you like to help me as soon as possible?
    Thanks.
    Regards,
    Johnson

    Hi Fabio,
    Thanks a lot for your help.
    It is very kind of you.
    Regards,
    Johnson

  • How do I report a security problem to Firefox?

    Here's the problem:
    Wednesday morning my Mac at home got infected by malware which I believe is usually called the "Google redirect virus". My Mac at home has been upgraded to OSX 10.6.7 and I believe I was using Firefox 3.6.13 (it automatically upgraded tonight). I haven't been able to find any useful information on line about this malware.
    The behavior after infection was that every time I tried to use Google my request would get redirected. If I entered www.google.com in the address bar, the URL would get changed to www.google.com/FuneralHomes/<something> and the browser would try to go there and a "Under Construction" error message or a no-such-page message would be returned. This started happening after I did a Google search and was checking various links in Firefox, but once it started in Firefox I got the same behavior in Safari even without using Safari to look at any links. And it continued to happen in Safari even after I did a "Reset Safari..."
    When I got infected I was using a non-administrator account and I was not asked to download anything nor was I prompted for a password.
    I searched on "Google redirect Mac virus" using my (so far) untouched work computer and found several suggestions but no solutions. Apparently this is a PC problem that's been around a few years, but there were some Mac reports from last year. So last night I checked the DNS addresses in my Network preferences, looked at /etc/hosts, and removed the only plug-in from the Library:Internet Plug-ins of the infected account, even though it was a Picasa plug-in that predated this infection. None of those seemed to be the problem. I also scanned my disk with an up-to-date "Norton AntiVirus" which I got from work some time ago, but it found no viruses.
    What really puzzles me is that the problem gradually went away while I was checking it last night. At first, when I entered www.google.com the browser would still show the redirected address in the prompt that comes up and it had the Legacy.com logo on the left instead of the Google one but it would actually go to the Google website (unless I'm being spoofed). Then at a later attempt, only the wrong logo persisted. Then at an even later attempt the logo got fixed and everything looked fine and appeared to behave correctly.
    Frankly, that's a little scary. It's as if a really smart trojan got installed and was covering its tracks while it set up a man-in-the-middle attack (please advise if I'm misusing the jargon). If I'm being too paranoid, great, but I'd still like to know how such behavior could be induced on my machine just by linking to a website. Can anyone help?
    ''moderator- fixed the leading space formatting errors in this posting''

    Thanks, the-edmeister, but the only relevant post I found was from GB Colburn on bleepingcomputer.com, wherein he reported a similar problem about a year ago. I've found a few similar threads in the last year or so (by searching "Google redirect mac virus" in Google) but they are all about the same: someone reports the problem, responders have various random suggestions, the problem seems to go away by itself (at least sometimes), and there's nothing conclusive either good or bad.
    Without myself being as knowledgeable as GB Colburn, it doesn't look to me like the problem is in the DNS system or the router. It acts more like some malware in the automatic completion in the address bar of the browser or maybe in the history system, but I can't figure out how an infection in one browser could affect another browser. And I *really* can't figure out how it could be self-healing.
    It's really frustrating that none of the major parties involved in this—Firefox, Google, Safari (Apple), Verizon (my internet provider)—even have a process for reporting a security issue. At least not one that I, an ordinary semi-naive user, can find.

  • Applet problem with FileWriter() (security problem?)

    btBut1.addActionListener(new ActionListener() {
        public void actionPerformed(ActionEvent e) {
            FilePermission perm = new FilePermission("<<ALL FILES>>", "write");
            try {
                FileWriter outputStream = null;
                outputStream = new FileWriter("./bandiere/testouno.txt");
            } catch (IOException eX) {
            }
        }
    });
    This is a bit of code from an APPLET which I'm working on. The code does not work...
    I smell it is a security problem, but I'm not sure...

    You are trying to write to the local file system which is not allowed unless the applet is signed.
    Unless you think you are trying to write to the server, in which case, you can't do that with FileWriters. You'd have to make a connection to the server via a socket or URLConnection or something to pass the data over.

  • Signed applets in 1.4.1: non-trust ignored: severe security problem?

    Hello all,
    I am signing applets with a developer certificate.
    Until now everything worked fine with Plugin 1.3.1.
    Now I changed to Plugin 1.4.1 and encountered a strange behaviour: When I open the HTML page with a browser (tried IE 5.5 and Mozilla 1.1) the certificate question pops up. The problem: if I choose not to trust the certificate, the applet starts nevertheless and I can use the system clipboard inside my applet (which is what applets need to be signed for)!
    This looks like a severe security problem!
    Does anyone know anything about this? Can you reproduce this?
    thanx!
    Marcus

    Hi,
    I tried to reproduce what you said with plugin 1.4.0 (I don't have 1.4.1 yet) and IE6.0 (It doesn't have anything to do with the browser)
    My Java console said :
    "User has denied the priviledges to the code
    writeFile: caught security exception"
    The security seems to work OK in 1.4.0.
    I will have to try 1.4.1.
    Patrick

  • Problem About J2EE RI and PetStore Demo

    Hello ^^
    I have a problem about j2ee & petstore.
    I tried to set up Sun J2EE RI 1.3.1 + Pet Store on Win2000 or Red Hat.
    Everything ran OK. But when I changed the web port from 8000 to any other port (including 80),
    the J2EE RI server showed the error message below:
    java.net.ConnectException: Connection refused: connect
    java.security.PrivilegedActionException: javax.servlet.ServletException:
    An error occurred while evaluating custom action attribute "items" with
    value "${catalog.categories.list}": An error occurred while getting
    property "categories" from an instance of class
    com.sun.j2ee.blueprints.catalog.client.CatalogHelper
    I used root to start j2ee & cloudscape on linux,
    and changed database to postgresql, too.
    but the error is the same.
    How to solve this problem ??
    Thank you ~~
    Jovi

    Hi,
    I don't know how useful my reply would be since the question was posted about 2 years back, but just wanted to reply in case somebody faces the same problem.
    If you change the web port to some other port (other than 8000) then please check the sun-j2ee-ri.xml files. Actually the CatalogDAOSQL.xml is read using a url which includes the port you are running the server on. So, you need to change the port even in the sun-j2ee-ri.xml file.
    One of the sun-j2ee-ri.xml files, where you need to make the change is in the $PETSTORE_HOME/src/apps/petstore/src/sun-j2ee-ri.xml file.
    Other one is in $PETSTORE_HOME/src/apps/supplier/src/sun-j2ee-ri.xml file.
    Look for other sun-j2ee-ri.xml files where the url is hardcoded. (I think the two sun-j2ee-ri.xml files mentioned above, are the only places you need to make the change, but still look for other files in case i have missed)
    Change those urls and redeploy the ears.
    Hope this solves the problem.
    Regards,
    Archit

  • Sun Java security problems

    Please can anyone tell me about Sun Java security problems
    with desktop applications

    Hi.
    If you're using SSGD 4.41, please download the Admin guide from here:
    http://docs.sun.com/app/docs/doc/820-4907
    There, at page #41 you'll find useful info concerning "Client Connections and Security Warnings".
    Hope this helps,
    Rob

  • More about public website option in shared photo stream

    Can you require a password/authentication to enter the public website of the shared photo stream?
    I want to share photos with non-Apple users. I know how to do this - through electing the 'public website' option 'so anyone can view them' when creating the shared photo stream.
    My question focuses on how secure is this public website? Does it really mean "anyone" in the public could technically view them whether or not I added them to the subscriber list? Is it possible to require a password for my subscribers to view the website?
    I'd be sharing family photos of my new baby boy and I'm not wild about the idea that any "Joe Schmoe" out there could potentially view them if they somehow found or got access to the link to the shared photo stream.
    You could do this with MobileMe through the My Gallery. If iCloud is supposed to be "superior" to MobileMe, I would think sharing photos with people, even non-Apple users, securely would be even easier with iCloud.
    Thanks.

    Incidentally you might like to look at SmugMug - this allows password protection of galleries, together with a password hint if required.

  • Problem about Mac Os X 10.6.3 V.S Labview 2009

    Hi, LabVIEW~
    I have some problem with LabVIEW 2009. I saw that the NI website says LabVIEW 2009 is not supported on Mac OS X 10.6.3, but I have already installed it (English system) on my computer successfully.
    Anyway, I can't open the programs which were written in LabVIEW 8.5 (Japanese system). My labmate who uses LabVIEW 2009 (Mac OS X 10.5) can open those programs.
    Can anyone tell me the possible reason I can't open the programs?
    Thanks a lot!
    PS I have already tried LabVIEW 8.5 and 8.6 (English system), but the problem can't be solved....

    Hi mofi, my name is Taiki from National Instruments Japan.
    I assume that the link you referred to is the one below, but as you stated, LabVIEW 2009 is not supported in Mac OS X 10.6 so even though you were able to install it successfully, NI cannot assure that it will fully function on your Mac.
    LabVIEW Support for Mac OS 10.6 (Snow Leopard) and 10.5 (Leopard)
    http://digital.ni.com/public.nsf/allkb/70F17A30DE7B865E8625737F006377F8?OpenDocument
    Since you mentioned that the VI files were able to be opened on LabVIEW 2009, Mac OS X 10.5, the actual VI files should not be the issue which leaves us with the possibility of the software environment.
    You also noted that the issue could not be solved on LabVIEW 8.5 and 8.6 but was this on Mac OS X 10.6 as well?
    If so, there is a good chance that this issue is due to the fact that LabVIEW is running on an unsupported OS, and I would suggest trying to open the files on a different Mac OS X 10.5 system.
    Unfortunately, Mac OS X 10.6 is currently an unsupported OS for any version of LabVIEW, so I can only suggest trying on Mac OS X 10.5.
    Kind regards.
    Taiki Hoshi
    Applications Engineer
    National Instruments Japan

  • Problem about getting the workflow context

    There are 2 servers.
    One is Weblogic server (server1), deployed a fusion web project on it.
    Another is BPM server (server2), deployed the bpm process on it.
    On the fusion web project, we use the API to get the tasks. But we encountered a problem getting the workflow context.
    There are 2 methods to get the workflow context.
    1. getTaskQueryService().authenticate(userId, password, null, null): this method needs to be passed the userId and password; we can get the user from the request but can't get the password.
    2. getTaskQueryService().createContext(request): we pass the request on server1, but can't get the context on server2; an exception is thrown.
    Appreciate if you can give some help.

    javax.el.ELException: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[jcooper, ERole]
         at javax.el.BeanELResolver.getValue(BeanELResolver.java:266)
         at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:173)
         at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:200)
         at com.sun.el.parser.AstValue.getValue(Unknown Source)
         at com.sun.el.ValueExpressionImpl.getValue(Unknown Source)
         Truncated. see log file for complete stacktrace
    Exception thrown when createContext()

  • Debugging JNLP security problems

    As we all know, the latest Java update changed the JNLP security around a bit, and I, like many others, am having trouble with it.
    I'm not really here to ask for help with my specific problem, however. It's not the first time I've had trouble with JNLP security, and almost every time, I've only gotten around it with the help of mere guess-work and a fair bit of luck, and I'm still far from sure I've actually solved the problems correctly. The main problem I experience is that the security messages I get from the JNLP client are oriented towards end-users and thus not very helpful at all for tracking down the root cause of the issues. For instance, after this latest update, the JNLP client is just telling me that "The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel."
    Is there any good way to find out what security problems it is that I'm actually having? "Read the documentation" is of course the easy answer, but the security model seems rather complex and incorporates many parts. Is there some kind of "lint" tool for JNLP out there that can list the problems I'm having? Or is there some way to run the JNLP client in some kind of debug mode?

    Understood guys. But let me make a few points.
    1. Clearly I'm not the only one who had this problem. In fact, I wasn't the first person in this THREAD to have the problem.
    2. I'm fairly computer savvy, and have worked with Photoshop for several years.
    3. Yes, it does say c: in point 3, but I find it odd that in point 4 it does say Program Files/.... A very strange way to write it. Also, the c: drive is the default installation drive, so it's not idiocy for someone to assume that the file would be located on the same drive as you selected for installation.
    4. This is not about technically right or wrong. I never said that the instructions were wrong. I merely was trying to make a suggestion that would help people avoid the same trap I fell into. Was it my mistake? Yes. Would my clarifying suggestion perhaps help others avoid making the mistake I did. I would hope so. Also, as someone else suggested in this thread, Adobe SHOULD have written an installation program for the ACR 3.1 upgrade that did the placing automatically. After all, EVERYONE knew that ACR3.1 would be released shortly after the release for CS2...in fact Mr. Knoll himself was quoted in other forums about when D2X compatibility would actually happen.
    5. The purpose of these forums is to be helpful to other users--not to be patronizing or rude. I'm a big Photoshop fan, and a loyal customer. I'm also in the service industry, and I would bet that customer service experts would raise an eyebrow or two about the tone contained in certain messages in this thread, including from an Adobe employee.
    Just my two cents. Flame away if you must. But you might want to take a look at what I actually suggested in my last message before lighting up the torch.
