Re: [GNU Crypto] how to deal with weak keys. was: Documentation
From: Marcel Winandy
Subject: Re: [GNU Crypto] how to deal with weak keys. was: Documentation
Date: Fri, 6 Jun 2003 15:26:21 +0200
User-agent: KMail/1.4.3
Hello Raif!
Raif S. Naffah wrote:
> > There is another issue about the security manager. The security
> > manager can be exchanged or even absent. Since J2SE, it is better to
> > use the Access Controller directly because it is always present and
> > cannot be exchanged.
>
> can you point to example code?
Consider a class "A" providing a method "getSecret()". There is a permission
class, "MyPermission", to access A's getSecret() method. A named permission,
called "getSecret", is created and checked in the getSecret() method.
Using the security manager you would first check for its presence:
-------------------------------------------
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
    /* verify permission */
    sm.checkPermission(new MyPermission("getSecret"));
}
-------------------------------------------
However, newer Java versions delegate all requests to the AccessController
which implements the standard access control algorithm. The AccessController
is always present and cannot be altered during runtime. The example code
according to class "A" will look like this when using the AccessController
directly:
-------------------------------------------
import java.security.AccessControlException;
import java.security.AccessController;

public Object getSecret() {
    try {
        // Throws if any caller on the stack lacks the named permission.
        AccessController.checkPermission(new MyPermission("getSecret"));
    }
    catch (AccessControlException e) {
        // output: Access denied!
        // Rethrow so a denied caller never reaches the return below.
        throw e;
    }
    return secret;
}
-------------------------------------------
It is strongly recommended to use the AccessController instead of a security
manager (see [2]). The example is taken from [1].
Bye,
Marcel
[1] M. Winandy, A.B. Cremers, A. Spalka, H. Langweg, "Protecting Java
Component Integrity Against Trojan Horse Programs", Integrity and Internal
Control in Information Systems V, Kluwer, 2003.
[2] L. Gong, "Inside Java 2 Platform Security", Addison-Wesley, 1999.
--
Marcel Winandy
EMail: address@hidden
http://www-student.informatik.uni-bonn.de/~winandy/
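
Added example, not part of the message above and not GNU Crypto code: the two guards side by side, showing that the SecurityManager check is skipped when no manager is installed while the AccessController check still runs. The class name AccessCheckDemo and the bodies of MyPermission and A are assumptions for illustration; it assumes a JDK where java.security.AccessController still enforces policy (the API is deprecated for removal since Java 17).

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;

// Illustrative only: MyPermission and A use the names from the message,
// but their bodies are assumptions made for this example.
public class AccessCheckDemo {

    /** Named permission, e.g. new MyPermission("getSecret"). */
    static final class MyPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        MyPermission(String name) { super(name); }
    }

    static final class A {
        private final Object secret = "constructed sample secret";

        /** Guarded through the security manager: no manager, no check. */
        Object getSecretViaSecurityManager() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(new MyPermission("getSecret"));
            }
            return secret;
        }

        /** Guarded through the AccessController: checked on every call. */
        Object getSecretViaAccessController() {
            // Throws AccessControlException unless every protection domain
            // on the call stack has been granted MyPermission "getSecret".
            AccessController.checkPermission(new MyPermission("getSecret"));
            return secret;
        }
    }

    public static void main(String[] args) {
        A a = new A();
        System.out.println("security manager installed: "
                + (System.getSecurityManager() != null));
        System.out.println("via SecurityManager:  " + a.getSecretViaSecurityManager());
        try {
            System.out.println("via AccessController: " + a.getSecretViaAccessController());
        } catch (AccessControlException e) {
            System.out.println("via AccessController: denied " + e.getPermission());
        }
    }
}
```

Granting the permission to the code source in the policy file is what lets the second call succeed; installing or removing a security manager does not change its outcome.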