Question
To get the name of the current user in a Java program, you can simply fetch the value of the user.name system property:
System.getProperty("user.name");
But how secure is that? Can a user executing the program easily set this property to an arbitrary value (using a command-line argument of the JVM, for example) for common runtime environments? Can a user easily spoof this user name?
I ask because I am writing a command-line program that can be run by anyone, but allows some privileged operations only if the user is a special administrative user.
Note that since Java 11 the user.name property is effectively read only once the program starts, so malicious program code cannot spoof it.
Answer 1:
Yes this value can be 'spoofed' and cannot be relied upon if the user is free to start the application.
Simply starting the app with the JVM arg -Duser.name=someothername will cause System.getProperty("user.name") to return that value.
Answer 2:
For anyone possibly landing on this ever again:
Using the cmd-command whoami and reading the input using this post should be a more secure way of using the username as "validation".
Except, this can be spoofed as well, which might be harder for a cmd-command than for a JVM argument...
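As an added example (not from the question or either answer), here is a small Java program that makes the override described in Answer 1 visible by comparing the user.name property against what the whoami command reports, which is the approach Answer 2 suggests. The class name UserNameCheck and its helper methods are my own choices, and the program assumes a whoami command is on the PATH. Because both values come from a process the launching user controls, the comparison only detects an overridden property; it does not make user.name safe to use as the sole basis for granting privileged operations.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not from the original post): compares the JVM-supplied
 * user.name property with what the operating system reports via whoami,
 * so a -Duser.name=... override on the command line becomes visible.
 *
 * Try:  java UserNameCheck
 *       java -Duser.name=someothername UserNameCheck
 */
public class UserNameCheck {

    /** The value any caller can override with -Duser.name=anything. */
    static String jvmUserName() {
        return System.getProperty("user.name");
    }

    /** Asks the OS directly; whoami exists on Linux, macOS and Windows. */
    static String osUserName() throws IOException, InterruptedException {
        Process p = new ProcessBuilder("whoami").redirectErrorStream(true).start();
        String line;
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            line = r.readLine();
        }
        if (p.waitFor() != 0 || line == null) {
            throw new IOException("whoami failed or produced no output");
        }
        line = line.trim();
        // Windows prints DOMAIN\user; keep only the account part for comparison.
        int sep = line.lastIndexOf('\\');
        return sep >= 0 ? line.substring(sep + 1) : line;
    }

    /** True when the property matches the OS account; false suggests a -D override. */
    static boolean propertyMatchesOs(String jvmName, String osName) {
        return jvmName != null && osName != null && jvmName.equalsIgnoreCase(osName);
    }

    public static void main(String[] args) throws Exception {
        String fromJvm = jvmUserName();
        String fromOs = osUserName();
        System.out.println("user.name property : " + fromJvm);
        System.out.println("whoami             : " + fromOs);
        if (propertyMatchesOs(fromJvm, fromOs)) {
            System.out.println("consistent");
        } else {
            System.out.println("MISMATCH: user.name differs from the OS account "
                    + "(e.g. overridden with -Duser.name=...); "
                    + "do not grant privileged operations on this value");
        }
    }
}
```

Running the second command line from the header comment prints the overridden name for the property and the real account for whoami, so the mismatch branch fires. The comparison is case-insensitive and strips a Windows domain prefix because those differences occur legitimately and would otherwise produce false alarms.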
Source: https://stackoverflow.com/questions/27899676/can-user-name-be-spoofed