Gregory,

On 2/12/16 2:49 PM, Dougherty, Gregory T., M.S. wrote:
> You can honestly tell who's calling you, since you can throw an
> exception, catch it, then look at the stack trace.

Sure. There are easier ways to do that (see Chuck's post), but it
doesn't get you anything. The idea here is that the environment is known:

1. Tomcat is available (and trustworthy), invokes web application code
2. Web application is untrustworthy, calls library code
3. Library code wants to be sure the web application hasn't
   tampered with any data

In this case, the library will discover that (*gasp*!) an untrusted
application has called methods within itself! Oh noes! Well, actually,
that was entirely expected. And the fact that Tomcat is up in the
stack trace somewhere doesn't prove anything about the validity of the
data.

So the stack trace idea is a red herring.

> If you have an object, you can get its class, you can get what
> methods it implements, and you can get its parent class and
> recurse.
> 
> So that should let you figure out which class will be implementing
> the method you're calling, unless I'm totally confused.

Sure, but what happens if the classes all look legit?

How about this?

HttpServletRequest request = [original, real request];
final String requestURI = "/forged";

// Outer layer: a plain, no-op HttpServletRequestWrapper whose runtime
// type looks harmless. Inner layer: an anonymous subclass that lies
// about the request URI.
library.doSomething(new HttpServletRequestWrapper(
    new HttpServletRequestWrapper(request) {
      @Override
      public String getRequestURI() { return requestURI; }
    }));

The library code wants to check to see if the HttpServletRequest
object is legit, so it looks at its runtime type. The runtime type is
javax.servlet.http.HttpServletRequestWrapper. That's not evil, is it?
But there are two layers of wrapper: one that is evil (the internal
one) and then a nice, clean, shiny, no-op wrapper around it. And you
can't penetrate the wrapper to find out what kind of object it's wrapping.

Yes, you can use introspection and look at the
ServletRequestWrapper.request field, but you will be prohibited from
checking that value under a SecurityManager. And if you don't trust
your web applications, then you should be running under a SecurityManager.

Ultimately, I think this is going to boil down to "I have a library
that I want to license only for certain applications and I don't want
it used outside of those". You should fix that kind of thing with
legal contracts instead of trying to enforce it with technology.

-chris
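
The nested-wrapper trick from the message above, as an added worked example that is not part of the original post and is not Tomcat's or the servlet API's own code. Assumptions: there is no container running, so the "original, real request" is a java.lang.reflect.Proxy that answers "/real" for getRequestURI; the "library" is a hypothetical class with two made-up checks (outerTypeLooksLegit, chainLooksLegit); the code is written against the javax.servlet package names of the Tomcat 7 to 9 era (compile with Tomcat's lib/servlet-api.jar on the classpath; Tomcat 10 and later use jakarta.servlet instead). The chain walk uses the public getRequest() accessor that ServletRequestWrapper exposes rather than reflection into its private field, so it needs no SecurityManager permission; the last lines show that even that walk describes the object only at the instant of the check, because setRequest() is public too and the untrusted caller keeps a reference.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class WrapperTypeCheckDemo {

    // Assumption: stand-in for the container's request (no Tomcat here).
    // A dynamic proxy whose getRequestURI() returns "/real"; every other
    // servlet method is unsupported, which is enough for this demo.
    static HttpServletRequest containerRequest() {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getName().equals("getRequestURI")) return "/real";
            throw new UnsupportedOperationException(method.getName());
        };
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class }, h);
    }

    // The untrusted web application's forgery: an anonymous subclass that
    // lies about the URI, hidden behind a plain no-op wrapper whose runtime
    // type is exactly javax.servlet.http.HttpServletRequestWrapper.
    static HttpServletRequest forge(HttpServletRequest request) {
        final String requestURI = "/forged";
        return new HttpServletRequestWrapper(
                new HttpServletRequestWrapper(request) {
                    @Override
                    public String getRequestURI() { return requestURI; }
                });
    }

    // Hypothetical library that wants to know it was handed a "legit" request.
    static final class Library {
        private final Class<?> trustedRoot; // the container's own request class

        Library(Class<?> trustedRoot) { this.trustedRoot = trustedRoot; }

        // Check 1: look only at the runtime type of the object handed in.
        boolean outerTypeLooksLegit(HttpServletRequest req) {
            Class<?> c = req.getClass();
            return c == trustedRoot || c == HttpServletRequestWrapper.class;
        }

        // Check 2: walk the wrapper chain through the public getRequest()
        // accessor, accepting only exact HttpServletRequestWrapper layers
        // over the container's own class. Any subclass layer is rejected.
        boolean chainLooksLegit(HttpServletRequest req) {
            ServletRequest r = req;
            while (r instanceof HttpServletRequestWrapper) {
                if (r.getClass() != HttpServletRequestWrapper.class) return false;
                r = ((HttpServletRequestWrapper) r).getRequest();
            }
            return r != null && r.getClass() == trustedRoot;
        }
    }

    public static void main(String[] args) {
        HttpServletRequest real = containerRequest();
        Library lib = new Library(real.getClass());

        HttpServletRequest forged = forge(real);
        System.out.println("outer runtime type : " + forged.getClass().getName());
        System.out.println("outer-type check   : " + lib.outerTypeLooksLegit(forged));
        System.out.println("URI the library sees: " + forged.getRequestURI());
        System.out.println("chain-walk check   : " + lib.chainLooksLegit(forged));

        // The chain walk passes a genuinely clean wrapper, but the caller still
        // holds it and ServletRequestWrapper.setRequest() is public, so the
        // object can be re-pointed at a liar after the check and before use.
        HttpServletRequestWrapper clean = new HttpServletRequestWrapper(real);
        System.out.println("clean wrapper check: " + lib.chainLooksLegit(clean));
        clean.setRequest(new HttpServletRequestWrapper(real) {
            @Override
            public String getRequestURI() { return "/forged-after-check"; }
        });
        System.out.println("URI after swap     : " + clean.getRequestURI());
    }
}
```

Running it shows the first check accepting the forgery while getRequestURI() returns the forged value, the chain walk rejecting it because the inner layer's class is an anonymous subclass of the demo rather than HttpServletRequestWrapper, and then the clean wrapper passing the walk only to report a different URI once the caller has swapped its target. Every layer between the container and the library is an object the untrusted code constructed and still references, which is the point of the message: the runtime type tells the library nothing it can rely on.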
