public class SecurityCheck
extends java.lang.Object
Modifier and Type | Field and Description |
---|---|
private static java.util.SortedMap<java.lang.String,java.lang.String> | allInspectedClasses: Map of all classes that have been inspected. |
private static java.lang.String[] | EMBEDDED_PUBLIC_API: List of classes in the public api for the embedded engine. |
Constructor and Description |
---|
SecurityCheck() |
Modifier and Type | Method and Description |
---|---|
static void | assertSourceSecurity(java.lang.Object o, java.lang.String declared): Inspect the class of the passed in Object for security risks. |
static void | checkEmbeddedPublicApi(): Perform security analysis of the public api for the embedded engine. |
private static boolean | inspectClass(java.lang.Class c, java.lang.String declared): Inspect a Derby class for security risks. |
static void | inspectClass(java.lang.String className): Inspect a class for security risks. |
private static boolean | isPublicApi(java.lang.Class c): Is the passed in class part of the declared public api. |
static void | report(): Produce a report on System.out of all inspected classes that have risks associated with them. |
private static void | report(boolean reportClear): Produce a report on System.out of all inspected classes that have risks associated with them. |
private static final java.lang.String[] EMBEDDED_PUBLIC_API
private static final java.util.SortedMap<java.lang.String,java.lang.String> allInspectedClasses
private static boolean isPublicApi(java.lang.Class c)
Parameters:
c - class to be checked

public static void checkEmbeddedPublicApi() throws java.lang.ClassNotFoundException
Throws:
java.lang.ClassNotFoundException
public static void report()
private static void report(boolean reportClear)
public static void inspectClass(java.lang.String className) throws java.lang.ClassNotFoundException
Parameters:
className -
Throws:
java.lang.ClassNotFoundException
public static void assertSourceSecurity(java.lang.Object o, java.lang.String declared)

```java
import java.sql.Connection;
import java.sql.DriverManager;
Connection conn = DriverManager.getConnection(url);
// will inspect the implementation class, e.g. EmbedConnection30
SecurityCheck.assertSourceSecurity(conn, "java.sql.Connection");
```

No output is generated by this call; the caller must call report() to obtain the risks.

Parameters:
o - Object to be inspected
declared - the declared type of the object.

private static boolean inspectClass(java.lang.Class c, java.lang.String declared)
Risks looked at:
The type of any public field and the return type of any public method are also inspected. The assumption is that if such a field or method exists, it has the potential to be called and return a valid object.
Note that this inspection is through the declared type of exposed references, not the actual runtime type. The actual runtime type might expose other classes that should be inspected.
Parameters:
c - the class to inspect
Throws:
java.lang.ClassNotFoundException
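
The declared-type caveat noted for inspectClass(Class, String), as an added example (not Derby's SecurityCheck code): a reflection walk over public field types and public method return types, run once from a declared interface and once from the runtime class behind it. Every class name in it (DeclaredTypeWalk, Api, Impl, Handle, Internal) is constructed for illustration, and skipping `java.` types is an assumption of the example.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.SortedSet;
import java.util.TreeSet;

public class DeclaredTypeWalk {
    // Constructed sample types: Api is the declared type, Impl the runtime type.
    public interface Api { Handle open(); }
    public static class Handle { public int id; }
    public static class Internal { }
    public static class Impl implements Api {
        public Internal internal = new Internal(); // exposed only by the runtime type
        public Handle open() { return new Handle(); }
    }

    /** Record every type reachable via public fields and public method return types. */
    static void walk(Class<?> c, SortedSet<String> seen) {
        while (c.isArray()) c = c.getComponentType();
        // Skip primitives (void included) and JDK types (assumption of this example).
        // seen.add() returning false means the class was already visited, which ends cycles.
        if (c.isPrimitive() || c.getName().startsWith("java.") || !seen.add(c.getName())) return;
        for (Field f : c.getFields())      // public fields, inherited ones included
            walk(f.getType(), seen);
        for (Method m : c.getMethods())    // public methods, inherited ones included
            walk(m.getReturnType(), seen);
    }

    static SortedSet<String> reachable(Class<?> start) {
        SortedSet<String> seen = new TreeSet<>();
        walk(start, seen);
        return seen;
    }

    public static void main(String[] args) {
        Api api = new Impl();
        // Same object, two starting points: the type the caller declared it as,
        // and the class it actually is at runtime.
        System.out.println("declared: " + reachable(Api.class));
        System.out.println("runtime:  " + reachable(api.getClass()));
    }
}
```

The walk from Api never reaches Internal, because that type is exposed only by a public field on Impl; an audit that follows declared types alone would not see it.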
Apache Derby V10.13 Internals - Copyright © 2004,2016 The Apache Software Foundation. All Rights Reserved.