JavaRanch » Java Forums » Engineering » Security
Class based impersonation

Tay Thotheolh
Ranch Hand

Joined: Aug 07, 2008
Posts: 84
Hi. I have a theoretical problem here. Is it possible for a class to impersonate its identity? E.g. Class A attempts to access Class B's methods. Class B's methods use a getClass().getName() call to check Class A, to ensure it is who it is. Can impersonation take place? E.g. Class C impersonates Class A to get past the getClass().getName() check that Class B uses?

If Class B wants to implement a getClass().getName() check that is effective on the sample method below, how do I implement it properly in the sample code below?



The above example is a simulation of a plugin applet in the system trying to access an internal key server database in the system.
Steven van der Baan
Owasp member
Greenhorn

Joined: Feb 08, 2011
Posts: 1
To answer your first question:
It is possible to do impersonation. This is a 'flaw' in the classloader. If I create another Class A which has the same FQN as the one that you are referring to, and I load mine before all your classes (A and B), your A class will not be loaded, due to the fact that the classloader already has a class named 'Class A'. If your Class B then checks the FQN, it can't determine whether it is the Class A it requires, as in your example, or the one that I loaded first, and in your example I would get access to the private key.

A possible method to avoid it is to not just rely on the name, but also use a method inside Class A which returns a specific value you expect. This will prevent me from extending your Class A and using the same name.
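As an added example, not code from either post, here is the scenario from the question and the answer made concrete: a KeyServer (Class B) that vets callers by getClass().getName(), a genuine A, and an impostor A compiled at runtime and loaded through a second class loader. The names KeyServer, ImpersonationDemo, loadImpostor and the placeholder key string are my own constructions; it assumes a JDK (javax.tools needs a compiler) and a writable temp directory. The name check lets the impostor through; comparing the Class object itself does not.

```java
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/** The trusted client class that B (KeyServer) expects to be talking to. */
class A {
    String fetchKey(KeyServer server) {
        return server.getPrivateKeyByName(this);
    }
}

/** Class B from the thread: hands out a key only to callers it believes are A. */
class KeyServer {
    // Constructed placeholder; stands in for the key server database in the post.
    private static final String PRIVATE_KEY = "CONSTRUCTED-PRIVATE-KEY";

    /** The check as described in the thread: compare the caller's fully qualified name. */
    String getPrivateKeyByName(Object caller) {
        if (!"A".equals(caller.getClass().getName())) {
            throw new SecurityException("rejected " + caller.getClass().getName());
        }
        return PRIVATE_KEY;
    }

    /**
     * Hardened check: compare Class objects, not names. Two classes with the same
     * name defined by different class loaders are distinct Class objects, so a
     * same-named impostor from another loader is rejected here.
     */
    String getPrivateKeyByIdentity(Object caller) {
        if (caller.getClass() != A.class) {
            throw new SecurityException("rejected " + caller.getClass().getName()
                    + " from loader " + caller.getClass().getClassLoader());
        }
        return PRIVATE_KEY;
    }
}

public class ImpersonationDemo {

    /**
     * Builds the impostor: compiles a second class named "A" into a temp directory
     * and loads it through a URLClassLoader whose parent is null (the bootstrap
     * loader), so the name "A" is free there and the impostor gets defined.
     */
    static Object loadImpostor() throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) {
            throw new IllegalStateException("needs a JDK (no system compiler found)");
        }
        Path dir = Files.createTempDirectory("impostor");
        Path src = dir.resolve("A.java");
        Files.write(src, "public class A { }".getBytes(StandardCharsets.UTF_8));
        int rc = javac.run(null, null, null, "-d", dir.toString(), src.toString());
        if (rc != 0) {
            throw new IllegalStateException("compilation of impostor failed");
        }
        URLClassLoader loader = new URLClassLoader(new URL[] { dir.toUri().toURL() }, null);
        Class<?> impostorClass = loader.loadClass("A");
        return impostorClass.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        KeyServer server = new KeyServer();
        A genuine = new A();
        Object impostor = loadImpostor();

        System.out.println("impostor name:     " + impostor.getClass().getName());
        System.out.println("same Class object? " + (impostor.getClass() == A.class));

        // Name-based check: both pass, so the impostor walks off with the key.
        System.out.println("name check, genuine:  " + genuine.fetchKey(server));
        System.out.println("name check, impostor: " + server.getPrivateKeyByName(impostor));

        // Identity-based check: only the genuine A passes.
        System.out.println("identity check, genuine: " + server.getPrivateKeyByIdentity(genuine));
        try {
            server.getPrivateKeyByIdentity(impostor);
        } catch (SecurityException e) {
            System.out.println("identity check, impostor: " + e.getMessage());
        }
    }
}
```

Two caveats for anyone using this as a pattern. First, the Class-object comparison only helps when the impostor lives in a different loader; in the scenario the reply describes, where the attacker's A is loaded into the same loader before the real one, B's own reference to A.class resolves to the impostor and both checks pass, so the real fix is to keep trusted classes in a parent loader and give plugins a child loader of their own. Second, B is inspecting an object the caller handed it, so it learns what class that object is, not which code made the call; anyone able to construct an A can pass one in.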
 