JavaRanch » Java Forums » Engineering » Security
Class based impersonation

Tay Thotheolh
Ranch Hand

Joined: Aug 07, 2008
Posts: 84
Hi. I have a theoretical problem here. Is it possible for a class to impersonate its identity? E.g. Class A attempts to access Class B's methods. Class B's methods use getClass().getName() to attempt to check Class A, to ensure it is who it is. Can impersonation take place? E.g. can Class C impersonate Class A to get past the getClass().getName() check that Class B uses?

If Class B wants to implement a getClass().getName() check that is effective on the sample method below, how do I implement it properly in the sample code below?



The above example is a simulation of a plugin applet in the system trying to access an internal key server database in the system.
Steven van der Baan
Owasp member
Greenhorn

Joined: Feb 08, 2011
Posts: 1
To answer your first question:
It is possible to do impersonation. This is a 'flaw' of the classloader. If I create another Class A which has the same FQN as the one that you are referring to, and I load mine before all your classes (A and B), your A class will not be loaded due to the fact that the classloader already has a class named 'Class A'. If your Class B then checks the FQN, it can't determine if it is the Class A it requires, like in your example, or the one that I loaded first, and in your example I would get access to the private key.

A possible method to avoid it is to not rely just on the name, but also use a method inside Class A which returns a specific value you expect. This will prevent me from extending your Class A and using the same name.
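The name-collision situation described in this answer can be reproduced in a single file, as an added example that is not part of the original thread. It compiles the same PluginA bytecode a second time under a separate ClassLoader (no parent, so the application loader is not consulted), which yields a second Class object with the identical fully qualified name. The key server's name-based check (the getClass().getName() approach from the question) accepts both, while comparing the Class object itself (`caller.getClass() == PluginA.class`) rejects the copy, because a Class is unique per name plus defining loader. The class names, the key server and the placeholder key value are all constructed for this example; it needs Java 9 or later for readAllBytes() and must be compiled with javac and run from the class files, since the loader reads PluginA's bytecode from the classpath.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.function.Function;

public class ImpersonationDemo {

    /** The trusted plugin (Class A in the thread); public so a copy under another loader can be instantiated reflectively. */
    public static final class PluginA {
        public PluginA() { }
    }

    /** Simplified internal key server (Class B in the thread). */
    static final class KeyServer {
        // Constructed placeholder; a real server would hold actual key material.
        private static final String PRIVATE_KEY = "PLACEHOLDER-PRIVATE-KEY";

        /** Name-based check: satisfied by ANY class carrying this fully qualified name. */
        static String getKeyByName(Object caller) {
            if (PluginA.class.getName().equals(caller.getClass().getName())) {
                return PRIVATE_KEY;
            }
            throw new SecurityException("rejected by name: " + caller.getClass().getName());
        }

        /** Identity check: the Class object is unique per (name, defining loader), so a
            same-named class defined by another loader is a different object. */
        static String getKeyByIdentity(Object caller) {
            if (caller.getClass() == PluginA.class) {
                return PRIVATE_KEY;
            }
            throw new SecurityException("rejected by identity: " + caller.getClass().getName());
        }
    }

    /** Loader that re-defines a class from its existing bytecode without delegating to the
        application loader, producing a second class with the identical name. */
    static final class SeparateLoader extends ClassLoader {
        SeparateLoader() { super(null); } // no parent: only the bootstrap loader is consulted first

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = ClassLoader.getSystemResourceAsStream(resource)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Runs one check against one caller and reports whether the key was released. */
    static String attempt(String label, Function<Object, String> check, Object caller) {
        try {
            check.apply(caller);
            return label + ": accepted, key released";
        } catch (SecurityException e) {
            return label + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Object genuine = new PluginA();

        // Same bytecode, different defining loader: same name, different Class object.
        Class<?> lookalike = new SeparateLoader().loadClass(PluginA.class.getName());
        Object impostor = lookalike.getDeclaredConstructor().newInstance();

        System.out.println("names equal:        " + lookalike.getName().equals(PluginA.class.getName()));
        System.out.println("Class objects equal: " + (lookalike == PluginA.class));

        System.out.println(attempt("name check, genuine     ", KeyServer::getKeyByName, genuine));
        System.out.println(attempt("name check, impostor    ", KeyServer::getKeyByName, impostor));
        System.out.println(attempt("identity check, genuine ", KeyServer::getKeyByIdentity, genuine));
        System.out.println(attempt("identity check, impostor", KeyServer::getKeyByIdentity, impostor));
    }
}
```

The identity comparison is the part that actually distinguishes the two classes. A check based on a value returned by one of the caller's own methods, as suggested in the answer, does not add much on its own, since a class written to stand in for PluginA can return the same value; the comparison against the Class object loaded by the key server's own loader is what ties the decision to the code the server was compiled against.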