从 Java 反射中隐藏我的安全密钥 [英] Hiding my security key from java reflection

问题描述

下面的类是我用于加密的安全密钥提供程序.

The below class is my security key provider for encryption.

public class MySecretKey {
private String key="2sfdsdf7787fgrtdfg#$%@cj5";
...
//Some Util methods goes on  Here .
}

首先，我不相信没有 getter 就可以访问 private 数据，但是，天哪，我现在可以在控制台中看到密钥了.

First I didn't belive that one can access the private data without a getter, but, My goodness, I am able to see the key in the console now .

在其他地方使用反射我们可以看到如下代码:

And somewhere else using reflection we can see the code like below :

public static void main(String[] args) throws Exception {
        Stacker myClass = new Stacker();
        Field key= myClass.getClass().getDeclaredField("key");
        field1.setAccessible(true);
        System.out.println(key.get(myClass));
    }

如何在课堂外隐藏我的密钥:(，即使 private 关键字在反射的情况下也无济于事.

How can I hide my key from outside my class :( ,even private keyword also not helping me in case of Reflection.

请给我一些提示.

提前致谢.

推荐答案

setAccessible 说

首先，如果有一个安全管理器，它的 checkPermission 方法被调用并带有 ReflectPermission("suppressAccessChecks") 权限.

First, if there is a security manager, its checkPermission method is called with a ReflectPermission("suppressAccessChecks") permission.

因此您可以通过拒绝 suppressAccessChecks 权限来防止这种情况发生.

so you can prevent this by denying the suppressAccessChecks permission.

尽管如此，最好避免依赖 JVM 来保持对象不可侵犯性.Joe-E 允许 JVM 中的类之间相互怀疑，但 JVM不是为此而设计的.

Really though, it'd be better to avoid relying on the JVM to preserve object inviolability. Joe-E allows for mutual-suspicion between classes within a JVM, but the JVM wasn't designed for that.

这篇关于从 Java 反射中隐藏我的安全密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！