[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [aspectj-users] Trapping dodgy method calls
|
Hi Dean,
I just want to clarify something here. And just to warn you I'm new to Java (disclaimer if I sound thick).
From what I read it may be possible with some older JVMs for a malcious object loaded into the same JVM to grab a reference to an existing running object and call it's public methods. Were you saying that the "reflection catcher" proposed below implemented in the already running object would still catch the malicious method call?
I know it's all a bit obscure. Thanks for your patience.
Rob
On 15/12/2007, Dean Wampler <dean@xxxxxxxxxxxxxxxxxxxxx> wrote:
On Dec 15, 2007, at 5:54 AM, Rob Austin wrote:
Hi,
I am currently looking at the extent to which AspectJ can be used to enhance object security.
A good application, but I wouldn't just rely on AJ to solve it! ;)
If I write a pointcut that allows me to trap all calls to the public methods of my objects outside of the package it resides on, I can monitor these calls and make sure they are legal, or at least acceptable,and through reflection I can tell which objects are calling these methods.
Yes
But I understand that its possible (even though I wouldn't have a clue how to do it) for one object to call a public method of another object loaded in the same JVM through introspecting the classloader. In other words there would be no matches on the pointcuts at compile time and the advices would not expect to be applied. So, what would happen at runtime if one object "illegally" called another's method? Is there any further runtime checking which would allow the advice to be matched?
It's true that using reflection would "bypass" the pointcut. This is true because the reflection calls will refer to the classes and methods by name (as a string), so the invocations will be "invisible" to AJ. However, if you want to prevent all reflection calls, you could write a pointcut that looks for anyone calling the reflection API and raise an exception. In fact, for this task and your original plan, you can write an aspect that will detect these calls at compile time!
aspect NoReflectionForYou {
pointcut allReflectionCalls(): call(* java.lang.reflect..*.*(..));
declare error: allReflectionCalls(): "No reflection for you!!";
}
You can also use declare error to prevent calls to objects in package A from the within objects in package B, for example.
If you don't want to prevent all reflection calls from your code, but only those to "sensitive" areas, you could write an aspect that advices specific reflection calls, e.g., calls to the Method class, and look at the method name to pick out the ones you want to prevent.
Hope this helps.
dean
_______________________________________________
aspectj-users mailing list
aspectj-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/aspectj-users
