有没有办法在内部类中使用或不使用反射来访问私有方法 [英] Is there a way to access private method in inner-class with or without reflection

问题描述

我正在尝试举一个用户和银行程序的简单示例，在该示例中，您必须保证钱不能被可以添加，继承，实现当前现有类但不能编辑初始类的人所欺骗. 因此，我问您是否可以通过某种方式设置某人的帐户余额，而无需使用提供的转帐功能.

I'm trying to make a simple example of a user and bank program where you must guarantee that money cannot be cheated by someone who can add, inherit, implement current existing classes but cannot edit the initial ones. So I ask if you somehow can set someone's account's balance without the provided function for money transfer.

我尝试使用反射，但是您必须具有公共构造函数才能创建一个对象，您可以在该对象上调用私有方法，但是由于所有内容都是私有的，因此无法对其进行调用.

I've tried using reflection but you have to have public constructors to make an object on which you call the private methods but since everything is private I cant call it.

public class Bank {
    private static Bank ourInstance = new Bank();
    public static Bank getInstance() {
        return ourInstance;
    }

    private Bank() {}

    public boolean requestTransfer(User user1, User user2, double amount) {
        BankAccount ba1 = (BankAccount) user1.getBankAccount();
        BankAccount ba2 = (BankAccount) user2.getBankAccount();
        if (!(hasAccount(ba1) && hasAccount(ba2)))
            return false;

        if (ba1.getBalance() >= amount)
        {
            ba1.setBalance(ba1.getBalance() - amount);
            ba2.setBalance(ba2.getBalance() + amount);
            return true;
        }
        return false;
    }

    private class BankAccount implements BankAccountInterface {
        private double balance;
        private User user;

        private BankAccount(double balance) {
            this.balance = balance;
        }

        @Override
        public double getBalance() {
            return balance;
        }

        @Override
        public User getUser() {
            return user;
        }

        public void setUser(User user) {
            this.user = user;
        }

        private void setBalance(double balance) {
            this.balance = balance;
        }
    }
}

public interface BankAccountInterface {
    double getBalance();
    User getUser();
}

public class User {
    private String username;
    private String password;
    private Date created_at;
    private BankAccountInterface bankAccount;
    //constructor getters and setters etc..
}

如果您可以添加自己的类继承当前的类，则可以使用反射或您可以随意使用的任何东西来非法地给用户钱.

If you can add your own classes inherit current ones, use reflection or anything at your disposal can you illegally give a user money.

推荐答案

这是一个安全问题.您可以使用安全管理器设置来防止反射，请参见此，接口按字节更改加载类后，代码处理就毫无疑问了，请参阅官方列表，其中包含臭名昭著的零日漏洞.这是关于复杂性的更多详细讨论安全管理器和与此漏洞相关的某些API的说明.

That's a security question. You can use security manager settings preventing reflection, see this and this, interface changes by byte code manipulation is out of question after the class has loaded, see this. There are are other security vulnerabilities though, here's the official list, with the infamous deserialization vulnerability initially being there by design. Those are known issues without taking into consideration zero day exploits. Here's a more detailed discussion about the intricacies of security manager and certain APIs related to this exploit.

这篇关于有没有办法在内部类中使用或不使用反射来访问私有方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！