What is the problem?
I described a lot of this detail in the following blog posts:
- https://www.josephkirwin.com/2022/05/14/protecting-data-in-a-runtime-environment/
- https://www.josephkirwin.com/2022/05/24/part-2-protecting-data-in-a-runtime-environment/
Trying this out with Java first, due to the ease of runtime introspection.
Approach | Link | Notes |
---|---|---|
Using manifold.systems to extend classes at compile time | manifold.systems | It does work, though it could be a lot of maintenance to write these wrappers for all basic data classes |
Dynamic Proxy Classes | Core JavaSE | Only works on interfaces; classes like String only implement CharSequence, which is insufficient coverage |
Javassist | ProxyFactory | Works on classes, not just interfaces; however, it cannot intercept final classes, e.g. String, Integer, which is exactly what we wanted it to do. |
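
The Dynamic Proxy Classes limitation from the table, as an added example (not code from this repository): a `java.lang.reflect.Proxy` puts an authorization check in front of a `CharSequence` view of a `String`, yet the guarded object is still not a `String`. The `Authorizer` interface, the `guard` method and the policy are hypothetical stand-ins for the authorizer service's `IsAuthorized` call.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

public class GuardedCharSequenceDemo {
    // Hypothetical local stand-in for the remote IsAuthorized(authContext, dataType, verb) call.
    interface Authorizer {
        boolean isAuthorized(String authContext, String dataType, String verb);
    }

    // Wraps the secret so every CharSequence/Object method call is authorized first.
    static CharSequence guard(String secret, String authContext, Authorizer authz) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (!authz.isAuthorized(authContext, "String", "READ")) {
                throw new SecurityException("READ denied for authContext=" + authContext);
            }
            try {
                return method.invoke(secret, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the String's own exception unchanged
            }
        };
        return (CharSequence) Proxy.newProxyInstance(
                GuardedCharSequenceDemo.class.getClassLoader(),
                new Class<?>[] {CharSequence.class},
                handler);
    }

    public static void main(String[] args) {
        // Constructed policy: only authContext "foo" may READ.
        Authorizer policy = (ctx, type, verb) -> "foo".equals(ctx) && "READ".equals(verb);

        CharSequence allowed = guard("s3cr3t", "foo", policy);
        System.out.println("foo reads: " + allowed.toString());

        CharSequence denied = guard("s3cr3t", "bar", policy);
        try {
            denied.length();
        } catch (SecurityException e) {
            System.out.println("bar blocked: " + e.getMessage());
        }

        // Coverage gap: the proxy is a CharSequence, not a String, so it cannot be
        // handed to any API that takes String, and String itself is final.
        System.out.println("proxy instanceof String: " + (allowed instanceof String));
    }
}
```

Any code path that already holds the underlying `String` reference bypasses the check entirely, which is why interface-only proxies give insufficient coverage here.
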
$ bazel clean --expunge
$ bazel build //...
$ bazel run //authorizer
$ bazel run //java-wrappers:example
You'll see that the client was able to access the data, and the server logs something like:
Starting Authorizer Service at localhost:9000
2022/08/07 13:53:32 IsAuthorized called: authContext:"foo" dataType:"String" verb:"READ"
N.B. The eventual ideal (perf and security) is to use gRPC over IPC, not over TCP/IP, but for now I'm saving that complexity for later!