As my Mod handles the Users Password which could be accessed via Reflection i have made the handlerclass package-private
package reauth;
class Secure{
...
}
As other mods can declare a class in that package they can access the "secure" classtherefore i turned on the path-seal vie the MANIFEST.MF
Manifest-Version: 1.0
sealed: true
but i get an error: "\minecraft\mods\ReAuth-1.4.jar has a security seal for path reauth, but that path is defined and not secure" and i can still declare classes in that package from a different jarfile which should be disabled by the seal
I really just want to commend you for thinking properly about security, but I can reply to the question too.
I suspect the way Minecraft Forge loads mods is breaking some of the .jar security features. You might be able to seal the package somehow, but it's never truly safe. Java's access modifiers are not created for security, they are created for improved code structure and simplicity. The sad truth is as long as you deal with the password in cleartext, there is always a way to get around and access it. For instance, someone could intercept the ClassLoader and modify the code in your password handling class, maybe grab the string from the garbage collector, etc.
My suggestion: Stay faaaar away from security. It is extremely dangerous and complicated. So you should dig into it only if you really really reeeally need to.
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumAs my Mod handles the Users Password which could be accessed via Reflection i have made the handlerclass package-private
package reauth; class Secure{ ... }As other mods can declare a class in that package they can access the "secure" classtherefore i turned on the path-seal vie the MANIFEST.MF
but i get an error: "\minecraft\mods\ReAuth-1.4.jar has a security seal for path reauth, but that path is defined and not secure" and i can still declare classes in that package from a different jarfile which should be disabled by the seal
is there a way to make the seal working?
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumI really just want to commend you for thinking properly about security, but I can reply to the question too.
I suspect the way Minecraft Forge loads mods is breaking some of the .jar security features. You might be able to seal the package somehow, but it's never truly safe. Java's access modifiers are not created for security, they are created for improved code structure and simplicity. The sad truth is as long as you deal with the password in cleartext, there is always a way to get around and access it. For instance, someone could intercept the ClassLoader and modify the code in your password handling class, maybe grab the string from the garbage collector, etc.
My suggestion: Stay faaaar away from security. It is extremely dangerous and complicated. So you should dig into it only if you really really reeeally need to.
Not doing mc modding that much anymore because I am making a full blown game that does not have limitations that mc has. (rip Magiology for now)
I may come back if MC fixes it's rendering pipeline.
-
View User Profile
-
View Posts
-
Send Message
Curse PremiumGot the Security working now ....