What I want to do is implement some basic security by checking not only what class has called a particular method, but also, which instance of that class.
I tried
StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();
but that obviously only gives me 开发者_运维技巧the class name. The problem with allowing/requiring the callers to send self, or personal IDs is that all the callers are required to have access to the details of all the others. Can anyone help?
EDIT: More information:
So we have a server which makes connections with several agents. The agents send packets of information which include the name they CLAIM to have. There is a special agent which decides whether or not people should be able to lie about this in each particular case.
The agents make connections to instances of an Agent class on the server, but there is also a possibility that some agents will run natively. The reason I'm interested in this approach is that I will need that technique later (extract the specific instance that called a given method)
I hope this is better, and sorry for not putting enough info before :/
This whole line of attack can't possible secure anything. If users can control the code that runs, they can just run a codegen library and edit your code. If users can't control the code, then this is all unnecessary.
If you can't resist this urge, one approach is to wrap everything in Proxies that communicate the information you need.
By Proxy, I mean java.lang.reflect.Proxy
. That is, wrap every one of these objects in a proxy. The proxy's job would be to store away this
on a stack of your own that the callees could consult.
This is essentially AOP (aspect oriented programming) reinvented, so you might want to read about that. Look at the Spring framework.
You are not securing anything like this.
I think for such problems just check that all contributing code comes from signed jars.
Look up Capability-based security. Instead of knowing which client is doing what, you should give each client separate capability objects (essentially proxy objects with different privileges).
精彩评论