
Class based impersonation

Tay Thotheolh
Ranch Hand

Joined: Aug 07, 2008
Posts: 84
Hi. I have a theoretical problem here. Is it possible for a class to impersonate its identity? E.g. Class A attempts to access Class B methods. Class B's methods use getClass().getName() to check Class A to ensure it is who it is. Can impersonation take place? E.g. Class C impersonates Class A to get past the getClass().getName() check Class B uses?

If Class B wants to implement getClass().getName() checks that are effective on the sample method below, how do I implement it properly in the sample code below?

The above example is a simulation of a plugin applet in the system trying to access an internal key server database in the system.
Steven van der Baan
Owasp member

Joined: Feb 08, 2011
Posts: 1
To answer your first question:
It is possible to do impersonation. This is a 'flaw' of the classloader. If I create another Class A which has the same FQN as the one that you are referring to, and I load mine before all your classes (A and B), your A class will not be loaded due to the fact that the classloader already has a class named 'Class A'. If your Class B then checks the FQN it can't determine if it is the Class A it requires like in your example, or the one that I loaded first, and in your example I would get access to the private key.

A possible method to avoid it is to not just rely on the name, but also use a method inside Class A which returns a specific value you expect. This will prevent me from extending your Class A and using the same name.
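As an added illustration that is not code from this thread, the following shows the name-only check beside two checks that look at what the reply describes: the Class object itself and the code source the class was defined from, with the caller class taken from the stack rather than from an argument. The package, class names and the Java 9+ StackWalker usage are assumptions for the example.

```java
package com.example;

import java.net.URL;
import java.security.CodeSource;

final class KeyServer {
    private static final StackWalker WALKER =
        StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);

    // Weak: only the fully qualified name is compared. A class with the same
    // name loaded earlier, or by another loader, satisfies this check.
    static boolean nameOnlyCheck(Class<?> caller) {
        return "com.example.PluginA".equals(caller.getName());
    }

    // Stronger: compare the Class object. Same-named classes defined by
    // different loaders are distinct objects, so a copy living in another
    // loader is rejected. It does not help if the impostor was defined first
    // by the same loader, because PluginA.class then resolves to the impostor.
    static boolean identityCheck(Class<?> caller) {
        return caller == PluginA.class;
    }

    // Covers that case too: require the caller to have been defined from the
    // same code source (e.g. the same jar) as the server itself. Comparing
    // the code signers instead of the location is the stricter variant.
    static boolean sameCodeSourceCheck(Class<?> caller) {
        CodeSource theirs = caller.getProtectionDomain().getCodeSource();
        CodeSource ours = KeyServer.class.getProtectionDomain().getCodeSource();
        URL a = theirs == null ? null : theirs.getLocation();
        URL b = ours == null ? null : ours.getLocation();
        // toExternalForm avoids URL.equals, which may resolve host names.
        return a != null && b != null && a.toExternalForm().equals(b.toExternalForm());
    }

    // The caller class comes from the stack, so a third class cannot simply
    // hand over someone else's object to pass the check.
    String privateKey() {
        Class<?> caller = WALKER.getCallerClass();
        if (!identityCheck(caller) || !sameCodeSourceCheck(caller)) {
            throw new SecurityException("rejected caller " + caller.getName());
        }
        return "PRIVATE-KEY-PLACEHOLDER"; // constructed placeholder value
    }
}

final class PluginA {
    String fetch(KeyServer server) { return server.privateKey(); }
}
```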
I agree. Here's the link: