Restricting package access when using reflection/casting

Thread view:

Stu - 03 Mar 2006 16:32 GMT

Here's a scenario.. I have the following interface:

===============================

package com.mypublicpackage;

public interface MyInterface {
public void foo();
}

===============================

and the following class:

===============================

package com.myprivatepackage;

public class MyClass implements com.mypublicpackage.MyInterface {
public void foo() {}
public void bar() {}
}

===============================

I have a method in another class that returns a reference to
MyInterface, eg:

package com.mypublicpackage;

public class MyImplementation {
public MyInterface getMyInterface() { return new
com.myprivatepackage.MyClass(); }
}

I want to protect applications (loaded with my class loader) from
accessing anything directly in com.myprivatepackage. So if I call
MyImplementation.getMyInterface() then I should NOT be able to cast
MyInterface to MyClass or use reflection to call MyClass.bar() without
getting an AccessControlException etc.

I have my own SecurityManager and Policy implementation so is it just a
question of adding "com.myprivatepackage." to the package.access line
in java.security or is there more to it than that?

Thanks,

Stu

Reply to this Message

shotwave@gmail.com - 04 Mar 2006 10:15 GMT

this problem can be solved in a number of ways. For example:
you can achieve this by using a DynamicProxy
(http://java.sun.com/j2se/1.5.0/docs/guide/reflection/proxy.html) that
would be implementing MyInterface by means of dynamically (in runtime)
delegating it's calls to MyClass instance. In that case
MyImplmenetation should return this proxy, which wont be downcastable
to MyClass.

Reply to this Message

Restricting package access when using reflection/casting

Free Magazines