...
```java
class Account { // Maintains all banking related data such as account balance
  // The balance field and withdraw(), with its security manager check,
  // are unchanged from the earlier listing and are not repeated here
  boolean overdraft() {
    balance += 300; // Add 300 in case there is an overdraft
    System.out.println("Added back-up amount. The balance is: " + balance);
    return true;
  }
  // Other Account methods
}

public class BankAccount extends Account { // Subclass handles authentication
  // NOTE: unchanged from previous version
  // NOTE: lacks override of overdraft method
}

public class Client {
  public static void main(String[] args) {
    Account account = new BankAccount();
    boolean result = account.withdraw(200.0); // Enforce security manager check
    if (!result) {
      result = account.overdraft();
    }
    System.out.println("Withdrawal successful? " + result);
  }
}
```
While this code works as expected, it introduces a dangerous attack vector. Because the newly added overdraft() method performs no security check, and the subclass does not override it, a malicious client can invoke it without authentication:
```java
public class MaliciousClient {
  public static void main(String[] args) {
    Account account = new BankAccount();
    boolean result = account.overdraft(); // No security check performed
    System.out.println("Withdrawal successful? " + result);
  }
}
```
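The underlying problem is that the security policy lives in the subclass while the data it protects lives in the superclass, so any method added to the superclass later silently escapes the check. The following is an added example, not code from this page, showing one way to close that gap: every state-changing method of `Account` funnels through a single authorization gate owned by the class that holds the balance. The `Authorizer` interface, the `requireAuthorized` helper, the `OverdraftGateDemo` class and the starting balance of 100.0 are all assumptions made for this example; `Authorizer` stands in for whatever security manager or authentication check the real system uses.

```java
import java.util.Objects;

// Assumed stand-in for the page's security manager check: answers whether the
// current caller may perform the named operation.
interface Authorizer {
  boolean isAuthorized(String operation);
}

class Account { // Owns the balance, so it also owns the check that guards it
  private double balance = 100.0; // constructed sample value
  private final Authorizer authorizer;

  Account(Authorizer authorizer) {
    this.authorizer = Objects.requireNonNull(authorizer);
  }

  // Single gate: every mutating method calls this first, so a method added
  // in a later version cannot forget the check unless it skips this call.
  private void requireAuthorized(String operation) {
    if (!authorizer.isAuthorized(operation)) {
      throw new SecurityException("not authorized for " + operation);
    }
  }

  boolean withdraw(double amount) {
    requireAuthorized("withdraw");
    if (amount <= 0 || amount > balance) {
      return false; // insufficient funds or bad amount
    }
    balance -= amount;
    return true;
  }

  // The method that was added later: it goes through the same gate.
  boolean overdraft() {
    requireAuthorized("overdraft");
    balance += 300;
    return true;
  }

  double balance() {
    return balance;
  }
}

// The subclass no longer carries the policy, so there is nothing for it to
// forget to override; making it final also stops further subclasses from
// widening access.
final class BankAccount extends Account {
  BankAccount(Authorizer authorizer) {
    super(authorizer);
  }
}

public class OverdraftGateDemo {
  public static void main(String[] args) {
    Authorizer denyAll = operation -> false;        // simulates an unauthenticated caller
    Authorizer withdrawOnly = "withdraw"::equals;   // may withdraw, may not overdraft

    Account unauthenticated = new BankAccount(denyAll);
    try {
      unauthenticated.overdraft();
      System.out.println("BUG: overdraft succeeded without authorization");
    } catch (SecurityException e) {
      System.out.println("overdraft blocked: " + e.getMessage());
    }

    Account limited = new BankAccount(withdrawOnly);
    System.out.println("withdraw 50 -> " + limited.withdraw(50)
        + ", balance now " + limited.balance());
    try {
      limited.overdraft();
    } catch (SecurityException e) {
      System.out.println("overdraft blocked: " + e.getMessage());
    }
  }
}
```

If the superclass cannot be changed, the fallback is for the subclass to override every method the superclass exposes (including ones added in later versions) and apply the check there; that is exactly the maintenance burden the page's noncompliant BankAccount failed to carry, which is why placing the gate next to the data is the more robust design.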
...