Gregory,

On 2/12/16 2:49 PM, Dougherty, Gregory T., M.S. wrote:
> You can honestly tell who's calling you, since you can throw an
> exception, catch it, then look at the stack trace.

Sure. There are easier ways to do that (see Chuck's post), but it doesn't get you anything. The idea here is that the environment is known:

1. Tomcat is available (and trustworthy), invokes web application code
2. Web application is untrustworthy, calls library code
3. Library code wants to be sure the web application hasn't tampered with any data

In this case, the library will discover that (*gasp*!) an untrusted application has called methods within itself! Oh noes! Well, actually, that was entirely expected. And the fact that Tomcat is up in the stack trace somewhere doesn't prove anything about the validity of the data. So the stack trace idea is a red herring.

> If you have an object, you can get its class, you can get what
> methods it implements, and you can get its parent class and
> recurse.
>
> So that should let you figure out which class will be implementing
> the method you're calling, unless I'm totally confused.

Sure, but what happens if the classes all look legit? How about this?

    HttpServletRequest request = [original, real request];
    final String requestURI = "/forged";

    // inner wrapper lies about the URI; outer wrapper is a plain no-op
    library.doSomething(new HttpServletRequestWrapper(new HttpServletRequestWrapper(request) {
        @Override
        public String getRequestURI() {
            return requestURI;
        }
    }));

The library code wants to check to see if the HttpServletRequest object is legit, so it looks at its runtime type. The runtime type is javax.servlet.http.HttpServletRequestWrapper. That's not evil, is it? But there are two layers of wrapper: one that is evil (the internal one) and then a nice, clean, shiny, no-op wrapper around it. And you can't penetrate the wrapper to find out what kind of object it's wrapping.

Yes, you can use introspection and look at the ServletRequestWrapper.request field, but you will be prohibited from checking that value under a SecurityManager. And if you don't trust your web applications, then you should be running under a SecurityManager.

Ultimately, I think this is going to boil down to "I have a library that I want to license only for certain applications and I don't want it used outside of those". You should fix that kind of thing with legal contracts instead of trying to enforce it with technology.

-chris
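The following is an added, self-contained Java example, not code from the thread or from Tomcat, that runs the scenario Chris describes end to end: a "library" that accepts a request if its runtime class is the servlet API's own HttpServletRequestWrapper, a benign single wrap and the forged double wrap both passing that check while reporting different URIs, and the reflective peek at ServletRequestWrapper.request that a SecurityManager denies. It assumes the javax.servlet API jar (e.g. javax.servlet-api 4.0.1) on the classpath; the "real" container request is a constructed java.lang.reflect.Proxy stand-in that only answers getRequestURI(), and the class and method names are this example's own.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Added demo (not from the thread): why a runtime-type check on a request proves nothing. */
public class WrapperTypeCheckDemo {

    /** The library's naive check: accept the object if its runtime class is the API's own wrapper. */
    static boolean looksLegit(HttpServletRequest request) {
        return request.getClass() == HttpServletRequestWrapper.class;
    }

    /** What the library actually acts on, e.g. for an authorization decision. */
    static String uriSeenByLibrary(HttpServletRequest request) {
        return request.getRequestURI();
    }

    /** Constructed stand-in for the container's real request; it reports "/real". */
    static HttpServletRequest realRequest() {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getName().equals("getRequestURI")) {
                return "/real";
            }
            throw new UnsupportedOperationException(method.getName());
        };
        return (HttpServletRequest) Proxy.newProxyInstance(
                WrapperTypeCheckDemo.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class }, handler);
    }

    /** The double wrap from the message: a forging inner wrapper inside a no-op outer wrapper. */
    static HttpServletRequest forged(HttpServletRequest real) {
        final String requestURI = "/forged";
        HttpServletRequest inner = new HttpServletRequestWrapper(real) {
            @Override
            public String getRequestURI() {
                return requestURI;
            }
        };
        return new HttpServletRequestWrapper(inner); // runtime type: HttpServletRequestWrapper
    }

    /**
     * The introspection route the message mentions: read the private
     * ServletRequestWrapper.request field. setAccessible(true) needs
     * ReflectPermission("suppressAccessChecks"), which a SecurityManager
     * policy for untrusted web applications does not grant.
     */
    static String peekWrappedClass(HttpServletRequest request) {
        try {
            Field f = ServletRequestWrapper.class.getDeclaredField("request");
            f.setAccessible(true);
            return f.get(request).getClass().getName();
        } catch (SecurityException e) {
            return "denied by SecurityManager: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "reflection failed: " + e;
        }
    }

    public static void main(String[] args) {
        HttpServletRequest real = realRequest();
        HttpServletRequest benign = new HttpServletRequestWrapper(real);
        HttpServletRequest evil = forged(real);

        // Both objects have the same runtime type and pass looksLegit();
        // only the URI they hand the library differs.
        for (HttpServletRequest r : new HttpServletRequest[] { benign, evil }) {
            System.out.println("type=" + r.getClass().getName()
                    + " looksLegit=" + looksLegit(r)
                    + " uri=" + uriSeenByLibrary(r)
                    + " wrapped=" + peekWrappedClass(r));
        }
    }
}
```

Run without a SecurityManager, the peek succeeds and exposes the inner anonymous subclass for the forged request (and the proxy class for the benign one); run under a SecurityManager whose policy withholds suppressAccessChecks, peekWrappedClass() returns the "denied" string and the library is left with only the runtime type, which is identical in both cases. That is the point of the message: the library cannot derive trust in the data from the type of the object or from who is on the stack.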