 
                            ...
This noncompliant code example installs a security manager check in the constructor of the `BigInteger` class. The security manager denies access when it detects that a subclass without the requisite permissions is attempting to instantiate the superclass [SCG 2009]. It also compares class types, in compliance with rule OBJ09-J. Compare classes and not class names. Note that this check does not prevent malicious extensions of `BigInteger`; instead, it prevents the creation of `BigInteger` objects from untrusted code, which also prevents the creation of objects of malicious extensions of `BigInteger`.
```java
public class BigInteger {
  public BigInteger(String str) {
    // java.lang.Object.getClass(), which is final
    Class<?> c = getClass();
    // Confirm class type
    if (c != java.math.BigInteger.class) {
      // Check the permission needed to subclass BigInteger
      // throws a security exception if not allowed
      securityManagerCheck();
    }
    // ...
  }

  private void securityManagerCheck() {
    // ...
  }
}
```
Unfortunately, throwing an exception from the constructor of a non-final class is insecure because it allows a finalizer attack. (See rule OBJ11-J. Be wary of letting constructors throw exceptions.)
...
```java
public class BigInteger {
  public BigInteger(String str) {
    // throws a security exception if not allowed
    this(str, check());
  }

  private BigInteger(String str, boolean dummy) {
    // regular construction goes here
  }

  private static boolean check() {
    securityManagerCheck();
    return true;
  }

  // Check the permission needed to subclass BigInteger
  private static void securityManagerCheck() {
    // ...
  }
}
```
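The following added example (not code from the original page) traces why moving the check into the `this(...)` argument matters: it records whether the superclass constructor has completed by the time the check throws. `Base`, `deny`, `trace` and both subclasses are hypothetical names; `Base` stands in for `java.lang.Object`, and `deny` stands in for a `securityManagerCheck()` that always refuses.

```java
import java.util.ArrayList;
import java.util.List;

public class ConstructorCheckOrder {
  static final List<String> events = new ArrayList<>();

  // Stand-in for securityManagerCheck(): always denies (assumption for this demo).
  static void deny(String where) {
    events.add("check in " + where);
    throw new SecurityException("denied");
  }

  // Stand-in for java.lang.Object so that constructor completion can be observed.
  static class Base {
    Base() { events.add("superclass constructor completed"); }
  }

  // Pattern of the noncompliant example: the check sits in the constructor body.
  static class CheckInBody extends Base {
    CheckInBody(String s) {
      deny("constructor body"); // the implicit super() call has already returned
    }
  }

  // Pattern of the compliant solution: the check runs while the arguments
  // of this(...) are evaluated, before any superclass constructor is invoked.
  static class CheckInArgument extends Base {
    CheckInArgument(String s) { this(s, check()); }
    private CheckInArgument(String s, boolean dummy) { /* regular construction */ }
    private static boolean check() { deny("this(...) argument"); return true; }
  }

  // Runs one construction attempt and returns the ordered list of events.
  static List<String> trace(Runnable construct) {
    events.clear();
    try { construct.run(); } catch (SecurityException e) { events.add("SecurityException"); }
    return new ArrayList<>(events);
  }

  public static void main(String[] args) {
    System.out.println(trace(() -> new CheckInBody("1")));
    System.out.println(trace(() -> new CheckInArgument("1")));
  }
}
```

In the first trace the superclass constructor completes before the check throws, so a partially initialized object exists; in the second the check throws before any constructor has run. Since Java SE 6 an object is not finalizable until the `Object` constructor has completed on it, which is the property the compliant solution relies on.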
Noncompliant Code Example (Data-Driven Execution)
...
...