Java Reference
In-Depth Information
The client program runs through the sequence of all possible hash codes using CraftedLicenseType until it successfully matches the hash code of the demo license key object stored in the LicenseManager class. Consequently, the attacker can discover the sensitive data present within the licenseMap in only a few minutes. The attack operates by discovering at least one hash collision with respect to the key of the map.
Compliant Solution (IdentityHashMap)
This compliant solution uses an IdentityHashMap rather than a HashMap to store the license information:
import java.util.IdentityHashMap;
import java.util.Map;

public class LicenseManager {
    // Keys are compared by reference (==), not by equals()/hashCode(),
    // so a caller-supplied key object can never match a stored one.
    Map<LicenseType, String> licenseMap =
        new IdentityHashMap<LicenseType, String>();
    // ...
}
According to the Java API class IdentityHashMap documentation [API 2006],

This class implements the Map interface with a hash table, using reference-equality in place of object-equality when comparing keys (and values). In other words, in an IdentityHashMap, two keys k1 and k2 are considered equal if and only if (k1==k2). (In normal Map implementations (like HashMap) two keys k1 and k2 are considered equal if and only if (k1==null ? k2==null : k1.equals(k2)).)
Consequently, the overridden methods cannot expose internal class details. The client program can continue to add license keys, and can even retrieve the added key-value pairs, as demonstrated by the following client code.
public class DemoClient {
    public static void main(String[] args) {
        LicenseManager licenseManager = new LicenseManager();
        LicenseType type = new LicenseType();
        type.setType("custom-license-key");
        licenseManager.setLicenseKey(type, "CUS-TOM-LIC-KEY");
        // Lookup succeeds because the same key reference is used for get() as for set()
        Object licenseKeyValue = licenseManager.getLicenseKey(type);
        // Prints CUS-TOM-LIC-KEY
        System.out.println(licenseKeyValue);
    }
}
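The following self-contained program is an added illustration and is not code from the book or from the LicenseManager classes it discusses. It contrasts the two map types directly: the same entry is stored in a HashMap and in an IdentityHashMap, then looked up with a second key object that is value-equal to the stored key (identical hashCode() and equals() results) but is a different reference. The nested LicenseType class, its setType() method and the lookup() helper are simplified assumptions made for this example.

```java
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Objects;

// Added example (not the book's code): shows why an IdentityHashMap defeats a
// lookup performed with any key object other than the stored reference.
public class IdentityMapDemo {

    // Simplified, assumed version of the book's LicenseType: a value-based key whose
    // equals() and hashCode() derive from the type string, as a HashMap key would.
    static class LicenseType {
        private String type;

        public void setType(String type) { this.type = type; }

        @Override public int hashCode() {
            return type == null ? 0 : type.hashCode();
        }

        @Override public boolean equals(Object o) {
            return o instanceof LicenseType
                && Objects.equals(type, ((LicenseType) o).type);
        }
    }

    // Stores one entry under 'stored' and then looks it up with 'probe',
    // so the two map implementations can be compared on identical input.
    static String lookup(Map<LicenseType, String> map,
                         LicenseType stored, LicenseType probe) {
        map.put(stored, "CUS-TOM-LIC-KEY");
        return map.get(probe);
    }

    public static void main(String[] args) {
        LicenseType stored = new LicenseType();
        stored.setType("custom-license-key");

        // A distinct object that reports itself equal to the stored key. It stands in
        // for any key a caller constructs, which is exactly what a HashMap would honour.
        LicenseType probe = new LicenseType();
        probe.setType("custom-license-key");

        // HashMap compares with equals()/hashCode(): the value-equal probe finds the entry.
        System.out.println("HashMap, value-equal probe:         "
            + lookup(new HashMap<>(), stored, probe));

        // IdentityHashMap compares with ==: the probe is a different reference and misses.
        System.out.println("IdentityHashMap, value-equal probe: "
            + lookup(new IdentityHashMap<>(), stored, probe));

        // Only the reference originally stored retrieves the value.
        System.out.println("IdentityHashMap, same reference:    "
            + lookup(new IdentityHashMap<>(), stored, stored));
    }
}
```

Running the program shows the first and third lookups returning the stored value and the second returning null. The trade-off the compliant solution accepts is visible in that second line: legitimate callers must also hold the exact LicenseType reference they registered, because a freshly constructed key with the same contents no longer matches. Code that previously relied on reconstructing keys from their fields needs to be revisited when switching to IdentityHashMap.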