I have a container class, which is nothing but the servlet part, and a data access layer, which interacts with my database and provides results for the query params.
I have my data access layer classes and methods as public so that anyone could read the content stored in the database, in the belief that only the right person accesses it.
Usually the read/write to the database happens after the validation is completed (i.e., the authorization is completed). This authorization of the user over the data is performed in my container layer (say, the servlet), after which I start to read/write data to my database.
Sounds like too much theory, right? Here is a sample snippet of my data access layer:
DataStore.java

    // This is my interface
    public interface DataStore {
        public String[] selectData(query params) throws Exception;
        public String[] addData(query params) throws Exception;
        public String[] editData(query params) throws Exception;
        public String[] deleteData(query params) throws Exception;
    }

DataStoreImpl.java

    // This is the implementation part of my above interface
    public class DataStoreImpl implements DataStore {
        public String[] selectData(query params) throws Exception {
            // Code implementing select query logic
        }
        public String[] addData(query params) throws Exception {
            // Code implementing insert query logic
        }
        public String[] editData(query params) throws Exception {
            // Code implementing update query logic
        }
        public String[] deleteData(query params) throws Exception {
            // Code implementing delete query logic
        }
    }

Now my worst nightmare is: what if someone reads/writes data in my database without authorization, since all my classes and methods in my data access layer are "public"? How can I overcome this?
I.e., how can I make sure that someone is accessing my classes and methods in the data access layer only after doing authorization?
How can I know the invoker of my classes and methods in DataStore or DataStoreImpl? Or is there any other alternative?
To begin with, this does not look like it has anything to do with the Data Access Layer, IMHO. This looks like you want to implement Code Access Security on your own. As far as I think, you should not worry about an "un-authorized user calling DAL method", because this responsibility lies with the BLL or application code. You can train your colleagues how to use your code. The end user will never access your code; he will only interact with it through your application. So if the application is written properly, the issue will never occur.
By the way, the following points come to my mind if you need it anyway:
- Authorization object in constructor of DataStoreImpl and validate it. If not valid, throw appropriate exception. A similar solution using a flag variable is already proposed by "El Marce" in comments.
- internal (this is C#. Not sure what's its equivalent in Java) which will add protection to your methods.
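
An added example (not code from the question or the answer) combining the two suggestions above in Java: a package-private DataStoreImpl, the closest Java counterpart of C# internal, whose constructor demands an Authorization object that only the authorizing code can create. Authorization, GRANTS, Demo, the simplified method signatures and the placeholder return values are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added sketch: Authorization, GRANTS and Demo are hypothetical names.
final class Authorization {
    // Constructed sample grants: user -> operations that user may perform.
    private static final Map<String, Set<String>> GRANTS = Map.of("alice", Set.of("select"));
    final String user;
    final Set<String> allowed;

    // Private: only authorize() can build one, so an instance proves the check ran.
    private Authorization(String user, Set<String> allowed) {
        this.user = user;
        this.allowed = allowed;
    }

    // Stand-in for the check done in the servlet layer.
    static Authorization authorize(String user) {
        Set<String> ops = (user == null) ? null : GRANTS.get(user);
        if (ops == null) throw new SecurityException("not authorized: " + user);
        return new Authorization(user, ops);
    }
}

// No "public": the class is visible only inside its own package.
class DataStoreImpl {
    private final Authorization auth;
    DataStoreImpl(Authorization auth) {
        if (auth == null) throw new SecurityException("authorization required");
        this.auth = auth;
    }

    // Every operation re-checks the grant instead of trusting the caller.
    private void require(String op) {
        if (!auth.allowed.contains(op))
            throw new SecurityException(auth.user + " may not " + op);
    }

    // Placeholder results; the real query logic would go here.
    String[] selectData(String key) { require("select"); return new String[] {"row " + key}; }
    String[] deleteData(String key) { require("delete"); return new String[] {"deleted " + key}; }
}

public class Demo {
    public static void main(String[] args) {
        DataStoreImpl store = new DataStoreImpl(Authorization.authorize("alice"));
        System.out.println(store.selectData("42")[0]);          // granted operation
        try { store.deleteData("42"); }                          // operation not granted
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Code running in the same JVM can still reach non-public members through reflection, so this pattern prevents accidental unauthorized calls by other application code rather than forming a boundary against hostile code in the process.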