What I want to do is implement some basic security by checking not only what class has called a particular method, but also, which instance of that class.

I tried

StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();

but that obviously only gives me the class name. The problem with allowing/requiring the callers to send self or personal IDs is that all the callers are required to have access to the details of all the others. Can anyone help?

EDIT: More information:

So we have a server which makes connections with several agents. The agents send packets of information which include the name they CLAIM to have. There is a special agent which decides whether or not people should be able to lie about this in each particular case.

The agents make connections to instances of an Agent class on the server, but there is also a possibility that some agents will run natively. The reason I'm interested in this approach is that I will need that technique later (extract the specific instance that called a given method).

I hope this is better, and sorry for not putting enough info before :/

+4  A: 

This whole line of attack can't possibly secure anything. If users can control the code that runs, they can just run a codegen library and edit your code. If users can't control the code, then this is all unnecessary.

If you can't resist this urge, one approach is to wrap everything in Proxies that communicate the information you need.

By Proxy, I mean java.lang.reflect.Proxy. That is, wrap every one of these objects in a proxy. The proxy's job would be to store away this on a stack of your own that the callees could consult.

This is essentially AOP (aspect-oriented programming) reinvented, so you might want to read about that. Look at the Spring framework.

bmargulies
Ok so I think I didn't give enough info. The whole structure is on a server and the agents are already proxies. The problem is that the proxy sends a packet which has some data in it. The server just needs to add a tag to it to say which proxy it's from.
piggles
+1  A: 

You are not securing anything like this.

I think for such problems just check that all contributing code comes from signed jars.

Suraj Chandran
I just want to verify identity. People can lie all they like as long as we know which lies were told by the same person.
piggles
A: 

Look up Capability-based security. Instead of knowing which client is doing what, you should give each client separate capability objects (essentially proxy objects with different privileges).

Laurence Gonsalves
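
The capability approach from the last answer, applied to the agent/packet setup in the question, as an added example that is not part of any post above. The names Server, AgentHandle, TaggedPacket and connect are hypothetical; the point is that the server binds an id to each handle it gives out, so packets are tagged by the handle they came through and the caller never supplies its own identity.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicLong;

public class CapabilityDemo {
    /** Packet as the server records it: claimedName is untrusted, sourceId is server-assigned. */
    record TaggedPacket(long sourceId, String claimedName, String payload) {}

    /** The capability: the only way an agent can submit packets. */
    interface AgentHandle {
        void send(String claimedName, String payload);
    }

    static final class Server {
        private final AtomicLong nextId = new AtomicLong(1);
        private final List<TaggedPacket> log = new ArrayList<>();

        /** Called once per connection; every caller gets its own handle. */
        AgentHandle connect() {
            // The id is captured by the lambda and never exposed to the agent.
            final long id = nextId.getAndIncrement();
            return (claimedName, payload) -> receive(id, claimedName, payload);
        }

        // Private: agents cannot call this directly and choose their own id.
        private synchronized void receive(long id, String claimedName, String payload) {
            log.add(new TaggedPacket(id, claimedName, payload));
        }

        synchronized List<TaggedPacket> log() {
            return List.copyOf(log);
        }
    }

    public static void main(String[] args) {
        Server server = new Server();
        AgentHandle a = server.connect();
        AgentHandle b = server.connect();

        a.send("alice", "hello");
        b.send("alice", "I am alice too");        // b lies about its name
        a.send("bob", "now I claim to be bob");   // a changes its claimed name

        // Claimed names collide and change, but sourceId groups packets by handle.
        for (TaggedPacket p : server.log()) {
            System.out.println(p);
        }
    }
}
```

The tag identifies the handle, not the code holding it: two agents that share a handle are indistinguishable, and the guarantee assumes agent code cannot reach into Server through reflection or bytecode rewriting, which is the limit the first answer points out.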