Val's Blog
Lots of stuff for Web 2.0 freaks and Java addicts
Feeds RSS | Atom | RDF
 
 
Albert Einstein: "Intellectuals solve problems: geniuses prevent them."
 [ Login ]

May 2004
SunMonTueWedThuFriSat
       1 
 2  3  4  5  6  7  8 
 9  10  11  12  13  14  15 
 16  17  18  19  20  21  22 
 23  24  25  26  27  28  29 
 30  31      
Apr  |  Today  |  Jun
XML Feeds   Subscribe with Bloglines

Javaranch Sheriff   My LinkedIn Profile
Drop me a line or two   Bloglines Blogroll
JavaRSS   Referers
How cool are you?   My Reviews

Next trips...
SpringOne 2008 (Jun 11-12, 08)
Ajax Exp. 2008 (Sep 29-Oct 1, 08)
Top 10 entries (#hits)
Hack any Java class... (27'829)
Generate Word docs... (27'308)
Faking pass-by-ref... (7'141)
Native XML support (6'911)
Bring the MS World... (6'169)
Native XML not worth it... (4'959)
"Rethinking Java SOAP"... (4'514)
AspectJ/AspectWerkz... (4'308)
"Alps" Defender strikes... (4'156)
Review: "Lucene in Action" (3'961)
(As of Nov 30, 2007)


Top 10 entries (#hits/day)
Generate Word docs... (23.933)
Hack any Java class... (21.539)
Native XML support (7.696)
Bring the MS World... (6.373)
Native XML not worth it... (5.746)
Faking pass-by-ref... (5.54)
Come Back (5.032)
"Rethinking Java SOAP"... (4.982)
Review: "Pro Eclipse JST" (4.917)
"Alps" Defender strikes... (4.597)
(As of Nov 30, 2007)
Recent Blog Entries
Spot the bug #1: reading characters from a stream
Announcing new "Spot the bug" series
My JavaOne 2008 Schedule
Recent Blog Comments
Re: Review of "Marketing Management 12th"
i know marketing management by kotler is good book but the problem is that the management part of this book is totally missing as fare as i know managemet is complete different subject and it should not be mixed i am student of MBA i was looking at ass...

Re: Review of "Pro Spring"
Using simple POJOs + factories without Spring for "echo" and "counter" would be a lot more easier. No need to write those XML files... So, in this case using Spring makes me write a lot more code... (OK, you can generate everything with the help of And...

pls urgent
Hi I am trying to generate the word doc but i m not understanding wats happening any one pls figure it out /* * WordAPI.java * * Created on May 30, 2006, 10:50 AM * * To change this template, choose Tools | Template Manager * and open the te...
Archives (# entries)
February 2008 (3)
December 2007 (2)
September 2007 (1)
May 2006 (1)
April 2006 (1)
March 2006 (2)
December 2005 (1)
November 2005 (1)
October 2005 (2)
September 2005 (2)
August 2005 (3)
July 2005 (3)
June 2005 (7)
May 2005 (5)
April 2005 (4)
March 2005 (3)
December 2004 (1)
November 2004 (1)
October 2004 (5)
September 2004 (3)
August 2004 (2)
July 2004 (7)
June 2004 (4)
Mai 2004 (11)
Links
Pebble
Other Blogs
Val's Blog
Dirk's Blog
Nate's weblog
Ajith Kallambella
Lasse's weblog
Gregg's Weblog
Hershey's Blog
My Cave Online
Bounces amongst neurons
Six Sides To A Box
Jia Yo!
Moose in Headlights
Unresolved References
This That and The Other...
Just My Thoughts
Balaji's blog
Java Ranch Book Reviews
Corey's SCJP Tipline, etc.
JavaRanch News
Eric's weblog
Barry's weblog
Mike Curwen's Blog
David's blog
In through the out door
Frank Carver's weblog
Peabody's
Uncontrolled Vocabularies
The Bear Den
I've Been Wondering...
Simon Brown
Other Blogs
Alex - dynamic AOP
Alan Williamson
Anne Thomas Manes
Bertrand Delacrétaz
Bill Burke
Cedric Beust
Codehaus blogs
Code:Q
Euxx
Gavin King
Grady Booch
Hani Suleiman
Jack Tang
James Gosling
James Strachan
Jason Carreira
Javalobby Front Page
Jean Bézivin
Johanna Rothman
Jonathan Schwartz
.: Manageability :.
MaryMaryQuiteContrary
Pandey Punit
Pradeep Chopra
Richard Monson-Haefel
Rickard Oeberg
Robert Watkins
Shared Memory
Simon Brown
Stuart Kent
techno.blog("Dion")
The Aspects Blog
The Codist
The Technologist
Total Perspective Vortex
Vasanth Dharmaraj
Vinny Carpenter
Web service patterns
Xyling Java Blog
zonic-temple
Reviewing
Reading

Founders at work by Jessica Livingston

Locations of visitors to this page
What they once said...
Frederik Brooks: Adding manpower to a late software project makes it later.
Alan M. Davis: "If you believe that you know the requirements better than the customer, you are part of the problem, not the solution."
Rod Johnson: Software design is as much art as science.
Chinese proverb: Experience without learning is better than learning without experience.
C.A.R. Hoare: The unavoidable price of reliability is simplicity.
Jane Cleland-Huang: Software development should integrate and consider project metrics that assess its financial impact.
John F. Woods: Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
Ed Yourdan: There is nothing in the programming field more despicable than an undocumented program.
Albert Einstein: We cannot solve our problems with the same thinking we used when we created them.
Albert Einstein: Intellectuals solve problems: geniuses prevent them.
Alan Kay: 90% of code written today is getting around other people's mistakes.
 
Permalink
 Hack any Java class using Reflection

Ever wondered what evil power can be unleashed when using reflection? Do you think private methods are really only accessible from within the declaring class? Do you think that a private field can only be modified from within the declaring class? No? That's what I thought!! In this blog, I will try to demonstrate that it is always important to correctly set the security properties of your applications. For instance, let's look at the following example where we successfully retrieve a private password from another class: 

1.  class A {
2.    private static String getPassword() {
3.      return "someHighlyPreciousPassword";
4.    }
5.  }
6.
7. public class Test {
8.   public static void main(String[] args) throws Exception {
9.     Class cl = Class.forName("A");
10.    java.lang.reflect.Method[] m = cl.getDeclaredMethods();
11.    m[0].setAccessible(true);
12.    String password = (String) m[0].invoke(null, null);
13.    System.out.println("I got it:" + password);
14.  }	
15.}
Output: 
 I got it: someHighlyPreciousPassword

Ok, the example is not really sexy. Let's mess up a class that implements the Singleton pattern. In the normal case, a singleton object is supposed to be the only instance of a given class. To achieve this, we usually declare the class constructor private, so that no one can invoke it. Well, as demonstrated below, with reflection we can bypass this restriction and create a second "singleton object". 

1.  class A {
2.    public static final A singleton = new A("I'm the only instance of class A");
3.    private String name; 
4.    private A(String name) {
5.      this.name = name;
6.    }
7.    public String toString() {
8.      return this.name;
9.    }
10. }
11.
12. public class Test {
13.   public static void main(String[] args) throws Exception {
14.     Class cl = Class.forName("A");
15.     java.lang.reflect.Constructor[] c = cl.getDeclaredConstructors();
16.     c[0].setAccessible(true);
17.     A anotherA  = (A) c[0].newInstance(new Object[]{"Not anymore!!"});
18.     System.out.println(A.singleton);
19.     System.out.println(anotherA);
20.   }	
21. }
Output: 
 I'm the only instance of class A
 Not anymore!!

Using this technique, you can create an instance of any non-abstract class, even if all its constructors are declared private. For instance, below we create an instance of the Math class even though it is useless since the Math class has no instance method. Still, it is possible to do it. 

1.  public class Test {
2.  public static void main(String[] args) throws Exception {
3.      Class cl = Class.forName("java.lang.Math");
4.      java.lang.reflect.Constructor[] c = cl.getDeclaredConstructors();
5.      c[0].setAccessible(true);
6.      Math mathInstance = (Math) c[0].newInstance(null);
7.      System.out.println(mathInstance);
8.    }
9.  }
Output: 
 java.lang.Math@1cde100

Finally, let's mess with the Runtime class which has one private static field for storing the current Runtime instance. This is another example of a badly implemented singleton class. Let's look at the code below. We first retrieve the current runtime object and display it (3-4). Then, we set the Runtime.currentRuntime static field to null, which means that all successive calls to Runtime.getRuntime() will yield null (6-9) since currentRuntime is initialized at class loading time. We then get the currentRuntime field again and display its value (11-12). And finally, we try to use the current runtime to execute a command for displaying the content of the current directory (14). The output talks for itself. 

1.  public class Test {
2.    public static void main(String[] args) throws Exception {
3.      Runtime r = Runtime.getRuntime();
4.      System.out.println("Before: Runtime.getRuntime() yields " + r);
5.
6.      Class cl = Class.forName("java.lang.Runtime");
7.      java.lang.reflect.Field f = cl.getDeclaredField("currentRuntime");
8.      f.setAccessible(true);
9.      f.set(null, null);
10.
11.     r = Runtime.getRuntime();
12.     System.out.println("After: Runtime.getRuntime() yields " + r);
13.
14.     r.exec("dir"); //raises NullPointerException!!
15.   }
16. }
Output: 
 Before: Runtime.getRuntime() yields java.lang.Runtime@cac268
 After: Runtime.getRuntime() yields null
 Exception in thread "main" java.lang.NullPointerException
       at Test.main(Test.java:59)

All this could have been avoided if the currentRuntime field had been declared final. Nothing prevents setAccessible(true) to be called on the field (8) but when the set(null, null) method is called, IllegalAccessException is thrown with the message "Field is final".

I'm pretty sure that there is a huge amount of code out there that could be broken this way. Watch out!!
Bottom line: singleton fields should always be declared private static final!!! Moreover, make sure you never grant ReflectPermission and RuntimePermission.accessDeclaredMembers in the java.policy file of your production code.

TrackBacks[1] Comments[14] Posted by val on May 18, 2004 4:49:53 PM CEST
Permalink
[Reviews] Review of "Secure XML"

I have just finished reading "Secure XML - The New Syntax for Signatures and Encryption" by Donald E. Eastlake and Kitty Niles. I'm pretty much happy with what I have read in this book. It wouldn't have hurt to see the presented standards applied on concrete case studies, though. This is what cost the book two horseshoes. No big deal!!

My review follows (also available at Javaranch.com):

When looking back, it is safe to say that using XML has become one of the most preferred ways of transferring data across the web. With the rise of web services and given the way the Internet is organized and governed, this ubiquity raises the fundamental issue of how to effectively protect the content of an XML transmission at the application level.

This book presents the efforts of two well-known consortia (IETF and W3C) working on the XML Digital Signature, XML Encryption and XML Key Management System standards. This book is meant to be within anybody's range as prerequisite knowledge in neither XML nor cryptography is required. Consequently, this means that about a third of this 500 pages book is dedicated to introducing both topics.

The authors do an outstanding job of presenting the technical details and cover areas such as, XML basics, digital cryptography fundamentals, XML canonicalization techniques, XML encryption, and key management. This is one of the most comprehensive resources on the subject currently available in store. I really enjoyed reading it and I would recommend it to any developer in need of a solid understanding of how XML communications can be protected against undesirable intrusions.

On the downside, even though the authors have presented two concrete applications of XML digital signatures (i.e., P3P XMLDSIG and SOAP XMLDSIG profiles), I would have much appreciated to see a case study about a plausible application of the technologies presented and how they fit into the big picture.

TrackBacks[0] Comments[0] Posted by val on May 18, 2004 9:30:26 AM CEST
 
About this Blog
Powered by Pebble

Content © Val Powered by Pebble 1.9.1