从 Java 反射中隐藏我的安全密钥 [英] Hiding my security key from java reflection
问题描述
下面的类是我用于加密的安全密钥提供程序.
The below class is my security key provider for encryption.
public class MySecretKey {
private String key="2sfdsdf7787fgrtdfg#$%@cj5";
...
//Some Util methods goes on Here .
}
首先,我不相信没有 getter 就可以访问 private
数据,但是,天哪,我现在可以在控制台中看到密钥了.
First I didn't belive that one can access the private
data without a getter, but, My goodness, I am able to see the key in the console now .
在其他地方使用反射我们可以看到如下代码:
And somewhere else using reflection we can see the code like below :
public static void main(String[] args) throws Exception {
Stacker myClass = new Stacker();
Field key= myClass.getClass().getDeclaredField("key");
field1.setAccessible(true);
System.out.println(key.get(myClass));
}
如何在课堂外隐藏我的密钥:(,即使 private
关键字在反射的情况下也无济于事.
How can I hide my key from outside my class :( ,even private
keyword also not helping me in case of Reflection.
请给我一些提示.
提前致谢.
推荐答案
首先,如果有一个安全管理器,它的 checkPermission 方法被调用并带有 ReflectPermission("suppressAccessChecks")
权限.
First, if there is a security manager, its checkPermission method is called with a
ReflectPermission("suppressAccessChecks")
permission.
因此您可以通过拒绝 suppressAccessChecks 权限来防止这种情况发生.
so you can prevent this by denying the suppressAccessChecks permission.
尽管如此,最好避免依赖 JVM 来保持对象不可侵犯性.Joe-E 允许 JVM 中的类之间相互怀疑,但 JVM不是为此而设计的.
Really though, it'd be better to avoid relying on the JVM to preserve object inviolability. Joe-E allows for mutual-suspicion between classes within a JVM, but the JVM wasn't designed for that.
这篇关于从 Java 反射中隐藏我的安全密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!