Securing Java Objects
An Introduction |
Prof. David Bernstein |
Computer Science Department |
bernstdh@jmu.edu |
Steps to Create a SignedObject
:
PrivateKey
/PublicKey
pairSignature
(which is essentially
just a hashing algorithm)SignedObject
Steps to Retrieve a SignedObject
:
PublicKey
Signature
SignedObject
Object
getObject()
returns an
Object
which must be typecastSignedObject
class and
create a method that returns an object of appropriate
typeSignedObject
implement the same interface
as the original class)verify()
method in the
SignedObject
class is declared to
be final
so that it isn't vulnerable to
specialization vulnerabilities.jar
files)
Steps to Create a SealedObject
:
Cipher
SealedObject
Steps to Retrieve a SealedObject
:
Cipher
Object
getObject()
returns an
Object
which must be typecastSealedObject
class and
create a method that returns an object of appropriate
typeSealedObject
implement the same interface
as the original class)getObject()
method in
the SealedObject
class is declared to
be final
so that it isn't vulnerable to
specialization vulnerabilitiesObjectInputStream
and ObjectOutputStream
so that they provide
the necessary security
String filename = "/data/grades.txt" FileInputStream input = new FileInputStream(filename); FilePermission permission = new FilePermission(filename, "read"); GuardedObject guardedInput = new GuardedObject(input, permission);
// If the object doesn't have read access to the file then the // call will cause a SecurityException to be thrown FileInputStream input = (FileInputStream)guardedInput.getObject();