问题
I'm trying to make a simple example of a user and bank program where you must guarantee that money cannot be cheated by someone who can add, inherit, implement current existing classes but cannot edit the initial ones. So I ask if you somehow can set someone's account's balance without the provided function for money transfer.
I've tried using reflection but you have to have public constructors to make an object on which you call the private methods but since everything is private I cant call it.
public class Bank {
private static Bank ourInstance = new Bank();
public static Bank getInstance() {
return ourInstance;
}
private Bank() {}
public boolean requestTransfer(User user1, User user2, double amount) {
BankAccount ba1 = (BankAccount) user1.getBankAccount();
BankAccount ba2 = (BankAccount) user2.getBankAccount();
if (!(hasAccount(ba1) && hasAccount(ba2)))
return false;
if (ba1.getBalance() >= amount)
{
ba1.setBalance(ba1.getBalance() - amount);
ba2.setBalance(ba2.getBalance() + amount);
return true;
}
return false;
}
private class BankAccount implements BankAccountInterface {
private double balance;
private User user;
private BankAccount(double balance) {
this.balance = balance;
}
@Override
public double getBalance() {
return balance;
}
@Override
public User getUser() {
return user;
}
public void setUser(User user) {
this.user = user;
}
private void setBalance(double balance) {
this.balance = balance;
}
}
}
public interface BankAccountInterface {
double getBalance();
User getUser();
}
public class User {
private String username;
private String password;
private Date created_at;
private BankAccountInterface bankAccount;
//constructor getters and setters etc..
}
If you can add your own classes inherit current ones, use reflection or anything at your disposal can you illegally give a user money.
回答1:
That's a security question. You can use security manager settings preventing reflection, see this and this, interface changes by byte code manipulation is out of question after the class has loaded, see this. There are are other security vulnerabilities though, here's the official list, with the infamous deserialization vulnerability initially being there by design. Those are known issues without taking into consideration zero day exploits. Here's a more detailed discussion about the intricacies of security manager and certain APIs related to this exploit.
回答2:
Here is reflection code for giving a known user $1,000,000:
User user = /*assigned elsewhere*/;
// Get users bank account
Field bankAccountField = user.getClass().getDeclaredField("bankAccount");
bankAccountField.setAccessible(true); // Bypass 'private'
Object bankAccount = bankAccountField.get(user);
// Get bank account balance
Field balanceField = bankAccount.getClass().getDeclaredField("balance");
balanceField.setAccessible(true); // Bypass 'private'
double balance = (Double) balanceField.get(bankAccount);
// Add $1,000,000 to bank account
balance += 1_000_000;
balanceField.set(bankAccount, balance);
回答3:
Once you have an instance of the inner object, you can use reflection to invoke the method itself:
Method someMethod = innerObject.getClass().getDeclaredMethod("someMethod", Integer.class);
someMethod.setAccessible(true);
someMethod.invoke(innerObject, 5);
in this example you provided,you can still use reflection for getting methods in User Class.
If you can add your own classes inherit current ones, use reflection or anything at your disposal can you illegally give a user money?Yes possible if methods are implemented without access restrictions for outer class,it is about security rather about java code.
来源:https://stackoverflow.com/questions/58515983/is-there-a-way-to-access-private-method-in-inner-class-with-or-without-reflectio