1 21 22 package org.apache.derbyTesting.functionTests.util; 23 24 import java.lang.reflect.Constructor ; 25 import java.lang.reflect.Field ; 26 import java.lang.reflect.Method ; 27 import java.lang.reflect.Modifier ; 28 import java.util.Iterator ; 29 import java.util.SortedMap ; 30 import java.util.TreeMap ; 31 32 33 38 public class SecurityCheck { 39 40 43 private static final String [] EMBEDDED_PUBLIC_API = 44 { 45 "org.apache.derby.jdbc.EmbeddedDriver", 46 "org.apache.derby.jdbc.EmbeddedDataSource", 47 "org.apache.derby.jdbc.EmbeddedSimpleDataSource", 48 "org.apache.derby.jdbc.EmbeddedConnectionPoolDataSource", 49 "org.apache.derby.jdbc.EmbeddedXADataSource", 50 "org.apache.derby.authentication.UserAuthenticator", 51 }; 52 53 59 private static boolean isPublicApi(Class c) 60 { 61 for (int i = 0; i < EMBEDDED_PUBLIC_API.length; i++) 62 { 63 if (EMBEDDED_PUBLIC_API[i].equals(c.getName())) 64 return true; 65 } 66 return false; 67 } 68 69 75 private static final SortedMap allInspectedClasses = new TreeMap (); 76 77 82 public static void checkEmbeddedPublicApi() throws ClassNotFoundException 83 { 84 System.out.println("SecurityCheck: embedded public api classes"); 85 allInspectedClasses.clear(); 86 for (int i = 0; i < EMBEDDED_PUBLIC_API.length; i++) 87 SecurityCheck.inspectClass(EMBEDDED_PUBLIC_API[i]); 88 89 SecurityCheck.report(true); 90 } 91 92 97 public static void report() 98 { 99 SecurityCheck.report(false); 100 } 101 102 109 private static void report(boolean reportClear) 110 { 111 synchronized (allInspectedClasses) 112 { 113 for (Iterator it = allInspectedClasses.keySet().iterator(); it.hasNext(); ) 114 { 115 Object key = it.next(); 116 Object value = allInspectedClasses.get(key); 117 if (value == null) 118 { 119 if (reportClear) 120 System.out.println("CLEAR: " + key); 121 } 122 else 123 { 124 System.out.print(value); 125 } 126 } 127 } 128 } 129 130 136 public static void inspectClass(String className) throws ClassNotFoundException 137 { 138 SecurityCheck.inspectClass(Class.forName(className), null); 139 } 140 141 158 public static void inspect(Object o, String declared) 159 { 160 if (o == null) 161 return; 162 163 SecurityCheck.inspectClass(o.getClass(), declared); 164 } 165 166 191 private static boolean inspectClass(Class c, String declared) 192 { 193 if (!c.getName().startsWith("org.apache.derby.")) 194 return false; 195 196 if (c.getName().startsWith("org.apache.derby.client.")) 198 return false; 199 200 synchronized (allInspectedClasses) 201 { 202 if (allInspectedClasses.containsKey(c.getName())) 203 return true; 204 205 allInspectedClasses.put(c.getName(), null); 206 207 StringBuffer sb = new StringBuffer (); 208 209 sb.append("Class "); 210 sb.append(c.getName()); 211 sb.append('\n'); 212 213 if (declared != null) 214 { 215 allInspectedClasses.put(declared, "Checked class declared as: " + declared + "\n"); 216 217 } 218 219 boolean isPublicApi = SecurityCheck.isPublicApi(c); 220 221 boolean hasIssues = false; 222 223 boolean isSealed = c.getPackage().isSealed(); 224 boolean isFinal = Modifier.isFinal(c.getModifiers()); 225 boolean isPublic = Modifier.isPublic(c.getModifiers()); 226 boolean isAbstract = Modifier.isAbstract(c.getModifiers()); 227 228 Constructor [] constructors = c.getConstructors(); 229 230 boolean hasPublicConstructor = constructors.length != 0; 231 232 if (hasPublicConstructor && !isPublic) 233 { 234 hasIssues = true; 235 236 sb.append("..public constructors in non-public class\n"); 238 239 if (!isFinal && !isSealed) 241 sb.append("..public constructors in non-final class and non-sealed package\n"); 242 } 243 244 if (hasPublicConstructor && isPublic) 245 { 246 if (!isPublicApi) 248 { 249 251 } 254 255 if (!isFinal) 257 { 258 } 261 } 262 263 for (int i = 0; i < constructors.length; i++) 264 { 265 if (hasIssues) 266 { 267 sb.append("..public constructor: "); 268 sb.append(constructors[i].toString()); 269 sb.append('\n'); 270 } 271 } 272 273 Field [] fields = c.getFields(); 274 for (int i = 0; i < fields.length; i++) 275 { 276 Field f = fields[i]; 277 boolean isStatic = Modifier.isStatic(f.getModifiers()); 278 279 Class fieldType = f.getType(); 280 SecurityCheck.inspectClass(fieldType, null); 281 282 if (Modifier.isFinal(f.getModifiers())) 283 { 284 continue; 286 } 287 288 hasIssues = true; 289 sb.append("..public non-final field: "); 290 sb.append(f.toString()); 291 sb.append('\n'); 292 } 293 294 Method [] methods = c.getMethods(); 295 for (int i = 0; i < methods.length; i++) 296 { 297 Method m = methods[i]; 298 299 Class methodType = m.getReturnType(); 300 if (SecurityCheck.inspectClass(methodType, null)) 301 { 302 304 if (SecurityCheck.isPublicApi(methodType)) 306 continue; 307 308 315 } 316 317 } 318 if (hasIssues) 319 allInspectedClasses.put(c.getName(), sb.toString()); 320 } 321 322 return true; 323 324 } 325 } | Popular Tags |