Secure Class Loading

 
 
Michael Garvie
      07-21-2003
Hello everyone,

I have a client - server app where the client is always online and gets
sent objects of type, say, Fruit from the server. However now and again
the server goes down and Fruit gets recompiled for bug fixes etc.

Is there a way of making the client forget all the classes it has seen
so far and load everything again when it sees the next Fruit object?
Some people have suggested using something like URLClassLoader but this
has two problems:
1) Now we must create an instance of the class using no constructor..
So the server isn't really defining what object it sends to the clients
anymore, they read it from a static source.
2) Unsecure, the client must be granted createClassLoader
RuntimePermission which is very unsecure.

Does anyone know a way round this?

Cheers,
Miguel

 
 
 
 
 
dhek bhun kho
      07-22-2003
Michael Garvie <(E-Mail Removed)>, Mon, 21 Jul 2003 19:11:32 +0100:

> Hello everyone,
>
> I have a client - server app where the client is always online and gets
> sent objects of type, say, Fruit from the server. However now and again
> the server goes down and Fruit gets recompiled for bug fixes etc.
>
> Is there a way of making the client forget all the classes it has seen
> so far and load everything again when it sees the next Fruit object?
> Some people have suggested using something like URLClassLoader but this
> has two problems:
> 1) Now we must create an instance of the class using no constructor..
> So the server isn't really defining what object it sends to the clients
> anymore, they read it from a static source.


Are you sure about this? I do not know what your security policy is, but
there is no requirement that you can only use the default constructor.

I.e. (just a hint, this code does not work, but the sequence of method
calls is correct)

<code>
import java.lang.reflect.Constructor;

ClassLoader cl = ...;
Class dynamicClass = cl.loadClass("classname");
// parameter types select the constructor; the values are passed to it
Class[] parameterTypes = new Class[] {String.class};
Object[] arguments = new Object[] {"argument"};
Constructor constructor = dynamicClass.getConstructor(parameterTypes);
Object newObject = constructor.newInstance(arguments);
</code>

So point (1) does not stand.

> 2) Unsecure, the client must be granted createClassLoader
> RuntimePermission which is very unsecure.


I'm not sure about this, but I thought that an applet context does not have
this permission. And by all means the applet security policy is very
restrictive. But you can still instantiate a new copy of the current
class loader like this (assuming it is a URLClassLoader, which is the one
you should be working with anyway):

<code>
// again, this code is non-functional.
URL[] urls = new URL[] { new URL(..) , ..., new URL(...) }; // classpath
((URLClassLoader)getClass().getClassLoader()).newInstance(urls);
</code>

> Does anyone know a way round this?


Try the above. It's hard to tell from here.

> Cheers,
> Miguel
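
The reload pattern this thread is about, as an added example that is not part of either post: each call creates a fresh loader through `URLClassLoader.newInstance`, uses a non-default constructor as in the reply, and checks that the reloaded class is a distinct type from the one the client was compiled against. `ReloadDemo`, `loadFresh` and the nested `Fruit` stand-in are hypothetical names, and the code assumes it is compiled with javac and run from a directory or JAR.

```java
import java.lang.reflect.Constructor;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.function.Supplier;

public class ReloadDemo {
    // Constructed stand-in for the thread's Fruit class. It implements a JDK
    // interface so callers can use it without sharing Fruit across loaders.
    public static class Fruit implements Supplier<String> {
        private final String name;
        public Fruit(String name) { this.name = name; }
        @Override public String get() { return "Fruit:".concat(name); }
    }

    // Defines className in a brand-new loader and calls its (String) constructor.
    static Object loadFresh(URL[] classpath, String className, String arg) throws Exception {
        // Parent null = bootstrap only, so application classes are not delegated
        // to the loader that already defined them; they are read and defined again.
        try (URLClassLoader loader = URLClassLoader.newInstance(classpath, null)) {
            Class<?> cls = loader.loadClass(className);
            Constructor<?> ctor = cls.getConstructor(String.class);
            return ctor.newInstance(arg);
        } // close() only stops further loading; the defined class stays usable
    }

    public static void main(String[] args) throws Exception {
        // Assumption: compiled with javac and run from a directory or JAR, so the
        // code source location is a usable classpath URL.
        URL here = ReloadDemo.class.getProtectionDomain().getCodeSource().getLocation();
        URL[] classpath = { here };
        String name = Fruit.class.getName();

        Object a = loadFresh(classpath, name, "apple");
        Object b = loadFresh(classpath, name, "pear");

        // Same class name, but each loader defined its own runtime class, so
        // neither object is an instance of the Fruit this class was compiled against.
        if (a.getClass() == b.getClass() || a instanceof Fruit) {
            throw new AssertionError("class was served from an old loader");
        }
        // A cast to Fruit would throw ClassCastException; the shared JDK
        // interface is the type both sides agree on.
        System.out.println(((Supplier<?>) a).get() + " / " + ((Supplier<?>) b).get());
    }
}
```

Because the reloaded type cannot be cast to the client's own `Fruit`, the type the client programs against has to be an interface defined by a loader both sides share.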



 