Package sealing
One has frequently encountered a surfeit of protected methods within classes, where there is no need for that level of access. Instance variables inadvertently exposed by a class could be changed by malicious code or even by accident. While the correct approach would be to scan through your code and clean up such occurrences (by making them package-private or even private, as the case may be), one can adopt the package sealing feature for added security.
To guarantee that all classes in a package come from the same source (a single JAR file), add an entry like this to the JAR's Manifest file:
Name: org/nerddawg/util/
Sealed: true
The value across the Name header represents the package name (notice the trailing slash). When the classloader needs to load a class from such a sealed package, it recognizes that classes from within that package can only be loaded from that JAR file.
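To check which packages in a JAR actually carry the Sealed entry described above, a build-time audit can read the manifest and compare it against the packages that contain classes. This is an added example, not code from the original post; the function names, the org/nerddawg/app/ package and the class file names are constructed for illustration, and it goes slightly beyond the post by also honouring a JAR-wide Sealed header in the manifest's main section.

```python
import io
import zipfile


def parse_manifest(text):
    """Return (main_attrs, {entry_name: attrs}) from MANIFEST.MF text."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    # Manifest lines are folded at 72 bytes; a continuation starts with one space.
    text = text.replace("\n ", "")
    parsed = []
    for section in text.split("\n\n"):  # sections are separated by blank lines
        attrs = {}
        for line in section.strip().split("\n"):
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = value.strip()  # header names ignore case
        if attrs:
            parsed.append(attrs)
    main = parsed[0] if parsed and "name" not in parsed[0] else {}
    entries = {a["name"]: a for a in parsed if "name" in a}
    return main, entries


def unsealed_packages(jar_bytes):
    """List packages that contain .class files but are not sealed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            manifest = ""  # no manifest at all: nothing is sealed
    main, entries = parse_manifest(manifest)
    jar_default = main.get("sealed", "false").lower() == "true"
    packages = {n.rsplit("/", 1)[0] + "/" for n in names
                if n.endswith(".class") and "/" in n}
    result = []
    for pkg in sorted(packages):
        sealed = entries.get(pkg, {}).get("sealed")  # per-package entry wins
        is_sealed = jar_default if sealed is None else sealed.lower() == "true"
        if not is_sealed:
            result.append(pkg)
    return result


def build_sample_jar(manifest):
    """Constructed in-memory JAR with two packages (empty class files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("org/nerddawg/util/Strings.class", b"")
        jar.writestr("org/nerddawg/app/Main.class", b"")
    return buf.getvalue()
```

The audit only reports what the manifest declares; it does not tell you whether the manifest itself has been altered.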
2 Comments:
... and then you should SIGN your package since otherwise it is extremely easy to modify the manifest file ...
By Anonymous, at August 20, 2004 at 9:34 AM
Good point! Here's how.
By Ashish Shetty, at August 20, 2004 at 10:36 AM