
Simple question

 
raja singh kumar
Hi,

Suppose there is a developer who created a class A and he creates a jar with that class inside it. The class consists of two private variables. Now there is a 2nd developer who wants to use his jar to work further on it. If the 2nd developer has the jar, is it not possible for him to modify the private variables to public? Where is the security?
 
Dave Tolls
How are you thinking they will modify the class?

Decompile, edit and recompile?
Or something else?
 
Henry Wong
This is true for any language. Given an executable, there is no way to guarantee that it won't be decompiled. Or in this case, for the class file to be extracted from the jar, and decompiled. You can obfuscate the code. Heck, I have seen (on the ranch) some discussion regarding encrypting the jar. However, neither of these are guaranteed.

The only way to guarantee it, is to make it a service, running on a server that you control.

Henry

 
raja singh kumar
Decompile, edit and recompile?

Yes.

If I have a jar I can extract the classes from it, right?
 
Dave Tolls
Well, sort of.
There's no guarantee it will decompile in a recompilable form.

What is it about the fields in question that is the issue?
 
Junilu Lacar
Can you say specifically what aspect of security you're thinking about? Even if the second developer were able to decompile, edit, and recompile, and rebuild the JAR file, how do you envision the story going forward from there such that some kind of security concern is compromised? What's the bigger security picture here?
 
Henry Wong
And also, if the goal is to change private fields, then I wouldn't even need to decompile.

This can simply be done via using a class loader (without any security manager), which is actually the case for Java applications started from the command line. And then, use the reflection library to access (and change) the private fields.

Henry
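
The reflection route described in the post above, as an added example that is not part of the original thread. The `Account` class, its `balance` field and the validating setter are hypothetical names made up for the illustration; the program assumes it is started from the command line with no security manager, and that the target class is in the same module as the caller.

```java
import java.lang.reflect.Field;

// Added illustration; Account, balance and setBalance are hypothetical names.
public class PrivateFieldDemo {

    static class Account {
        private int balance;

        // The only intended write path: rejects negative values.
        public void setBalance(int value) {
            if (value < 0) {
                throw new IllegalArgumentException("balance must be >= 0");
            }
            this.balance = value;
        }

        public int getBalance() {
            return balance;
        }
    }

    public static void main(String[] args) throws Exception {
        Account account = new Account();

        // Normal path: the validation runs and the value is refused.
        try {
            account.setBalance(-100);
        } catch (IllegalArgumentException e) {
            System.out.println("setter rejected: " + e.getMessage());
        }

        // Reflection path: no decompiling and no recompiling of the jar.
        Field field = Account.class.getDeclaredField("balance");
        field.setAccessible(true);   // allowed: same module, no security manager
        field.setInt(account, -100); // the setter's check is never executed

        System.out.println("balance after reflection: " + account.getBalance());

        // Takeaway for the design: 'private' keeps honest callers on the
        // validated path; it does not protect state from code that runs in
        // the same JVM. A rule that must hold against the jar's user has to
        // be enforced where that user cannot run code.
    }
}
```

Module encapsulation in newer JDKs restricts `setAccessible` across named modules, but whoever launches the JVM can open those modules again, so the conclusion in the thread is unchanged.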
 
Campbell Ritchie
Too difficult for beginning forum. Moving.
 
raja singh kumar
Suppose I have a private variable in a class. Now if anyone outside the class wants to access the private variable, he has to do it through a public method (which has some validation) and by creating an object of the class or through the class name if the method is static. Now assume someone who has access to the jar converts private variables to public. Now, is it not possible that someone outside the class accesses the variable directly, bypassing the validation logic written inside the public method?
 
Paul Clapham
Of course it's possible. That's how public variables work. But as the others said, more or less, so what?
 
Junilu Lacar
@OP, let me draw an analogy so you understand why a few people have questioned your line of thinking.

You seem to be worrying about someone coming into your house and messing around with your underwear drawer. You ask, "Well, how is my drawer secure if anybody can just come in and mess around with my private possessions?" And we're here thinking, "Well, why don't you lock your house instead of worrying about how secure your drawer is?"
 