...

If a class, interface, method, or field is part of a published API, such as a web service endpoint, it may be declared public. Other classes and members should be declared either package-private or private. For example, non-security-critical classes are encouraged to provide public static factories that implement instance control together with a private constructor.
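The factory pattern referred to above, written out as an added example (this is not code from the CERT page): the constructor is private, the public surface is a single static factory that returns canonical instances, and the remaining helper is package-private. The package and class names are hypothetical.

```java
// Added example: instance control through a public static factory.
// Package and class names are hypothetical.
package com.example.geometry;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public final class Angle {
  // Canonical instances, one per normalized degree value.
  private static final Map<Integer, Angle> CACHE = new ConcurrentHashMap<>();

  private final int degrees;

  // Private constructor: the factory is the only way to obtain an instance,
  // so the class controls how many exist and what values they hold.
  private Angle(int degrees) {
    this.degrees = degrees;
  }

  // The only public entry point. Input is normalized before lookup, so
  // Angle.of(370) and Angle.of(10) return the same object.
  public static Angle of(int degrees) {
    int normalized = Math.floorMod(degrees, 360);
    return CACHE.computeIfAbsent(normalized, Angle::new);
  }

  public int degrees() {
    return degrees;
  }

  // Package-private: usable by collaborators in this package only, not by
  // arbitrary callers, which keeps the public surface minimal.
  Angle plus(Angle other) {
    return of(degrees + other.degrees);
  }

  @Override
  public String toString() {
    return degrees + " deg";
  }

  public static void main(String[] args) {
    Angle a = Angle.of(370);
    Angle b = Angle.of(10);
    System.out.println(a == b);  // the factory hands back the cached instance
  }
}
```

Because the constructor is private, a caller outside the class cannot create an Angle with an unnormalized or otherwise invalid value; every instance passes through `of`, which is where validation and caching policy live.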

Noncompliant Code Example (Public Class)

This noncompliant code example concerns a class that is internal to a system, and not part of any public API. Nonetheless, the class Point is declared public. Even though this example complies with rule OBJ01-J. Declare data members as private and provide accessible wrapper methods, untrusted code could instantiate Point and invoke the public getPoint() to obtain the coordinates.

public final class Point {
  private final int x;
  private final int y;

  public Point(int x, int y) {
    this.x = x;
    this.y = y;
  }

  public void getPoint() {
    System.out.println("(" + x + "," + y + ")");
  }
}

Compliant Solution (Final Classes With Public Methods)

This compliant solution declares the Point class as package-private, in accordance with its status as not part of any public API.

...

Because the class is final, the getPoint() method can be declared public. (A public subclass that violates this rule cannot override the method and expose it to untrusted code, so its accessibility is irrelevant). For non-final classes, reducing the accessibility of methods to private or package-private eliminates this threat.

Compliant Solution (Non-Final Classes With Non-Public Methods)

This compliant solution declares the Point class and its getPoint() method as package-private. This allows the Point class to be non-final and allows getPoint() to be invoked by classes present within the same package and loaded by a common class loader.

class Point {
  private final int x;
  private final int y;

  Point(int x, int y) {
    this.x = x;
    this.y = y;
  }

  void getPoint() {
    System.out.println("(" + x + "," + y + ")");
  }
}
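The reasoning in the two compliant solutions above (a public method is harmless only on a final class; on a non-final class it must be package-private) is easier to see with the exposure path written out. The following added example, which is not code from the CERT page, consists of three source files shown in one listing; the packages `internal` and `untrusted` and the classes `Leak` and `Caller` are hypothetical. It shows a package-private but non-final `Point` with a public `getPoint()`, a public subclass in the same package that re-exports the inherited method, and a caller in another package that reaches it. The comments mark the two changes that close the path.

```java
// ---- File: internal/Point.java ----
package internal;

// Package-private, but NOT final, with a public method: the shape the rule
// warns about for non-final classes.
class Point {
  private final int x;
  private final int y;

  Point(int x, int y) {
    this.x = x;
    this.y = y;
  }

  public void getPoint() {
    System.out.println("(" + x + "," + y + ")");
  }
  // Either change closes the gap demonstrated in Caller below:
  //   void getPoint() { ... }      // package-private method (compliant solution above)
  //   final class Point { ... }    // no subclass can re-export the method
}

// ---- File: internal/Leak.java ----
package internal;

// A public subclass in the same package (a later addition, or a class that
// ended up in the package because it is not sealed) inherits getPoint() and,
// being public itself, makes the inherited public method reachable from
// every other package.
public class Leak extends Point {
  public Leak() {
    super(3, 4);
  }
}

// ---- File: untrusted/Caller.java ----
package untrusted;

public class Caller {
  public static void main(String[] args) {
    // internal.Point cannot even be named here, yet its public method is
    // callable through the public subclass. With either fix marked in
    // Point.java, this line no longer compiles.
    new internal.Leak().getPoint();
  }
}
```

Compile the three files together (for example, `javac internal/*.java untrusted/*.java`) to see the call succeed, then apply one of the two marked changes and recompile: with a package-private `getPoint()` the call in `Caller` is rejected because the method is not accessible from `untrusted`; with a final `Point` the declaration of `Leak` is rejected instead. Package sealing, which the compliant solution's "loaded by a common class loader" wording alludes to, is what prevents a class from a different source being added to `internal` at runtime.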

Noncompliant Code Example (Public Class With Public Static Method)

This noncompliant code example again concerns a class that is internal to a system and not part of any public API. Nonetheless, the class Point is declared public. Even though this example complies with rule OBJ01-J. Declare data members as private and provide accessible wrapper methods, untrusted code could invoke the public static getPoint() method to obtain the coordinates; because the method is static, no instance of Point is needed.

...

public final class Point {
  private static final int x = 1;
  private static final int y = 2;

  private Point(int x, int y) {}

  public static void getPoint() {
    System.out.println("(" + x + "," + y + ")");
  }
}

Compliant Solution (Package-Private Class)

This compliant solution reduces the accessibility of the class to package-private. As a consequence, access to the getPoint() method is restricted to classes located within the same package. This prevents untrusted code from invoking getPoint() and obtaining the coordinates.

final class Point {
  private static final int x = 1;
  private static final int y = 2;

  private Point(int x, int y) {}

  public static void getPoint() {
    System.out.println("(" + x + "," + y + ")");
  }
}

Exceptions

OBJ02-EX0: A system with an API designed to be used (and possibly extended) by third-party code must have classes and methods that are sufficiently public to provide that API. The demands of such an API override this rule.

Risk Assessment

Granting unnecessary access breaks encapsulation and weakens the security of Java applications.

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
OBJ02-J  medium    likely      medium            P12       L1

Automated Detection

For any given body of code, we can compute the minimum accessibility of each class and member that does not introduce new compilation errors. The limitation of this approach is that the result may bear no resemblance to what the designer intended when writing the code. For example, unused members can obviously be marked private. However, such members could be unused only because the particular body of code examined happens to lack references to them.
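A lighter check than computing minimum accessibility is to enumerate what is currently public outside the packages declared as the published API and hand the list to a reviewer, who can then apply the designer's intent that a tool cannot infer. The following is an added example, not a tool from the CERT page: it walks a directory of compiled classes, loads each class without initializing it, and reports public classes and public members that sit outside an allow-list of API packages. The package name `audit`, the API package `com.example.api`, and the default classes directory are hypothetical.

```java
// Added example: report public classes and members outside the published
// API packages. Package names and the classes directory are hypothetical.
package audit;

import java.io.File;
import java.io.IOException;
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Stream;

public final class AccessibilityAudit {
  private AccessibilityAudit() {}

  // Packages whose public surface is intentional (the published API).
  private static final Set<String> API_PACKAGES = Set.of("com.example.api");

  // Returns one finding per public class or public member found outside
  // API_PACKAGES. Findings are candidates for review, not verdicts: the
  // audit cannot know whether the designer meant the member to be public.
  public static List<String> audit(Path classesDir) throws IOException {
    List<String> findings = new ArrayList<>();
    try (Stream<Path> files = Files.walk(classesDir)) {
      files.filter(p -> p.toString().endsWith(".class"))
           .map(p -> toClassName(classesDir, p))
           .forEach(name -> inspect(name, findings));
    }
    return findings;
  }

  // build/classes/com/example/Foo$Bar.class -> com.example.Foo$Bar
  private static String toClassName(Path root, Path classFile) {
    String rel = root.relativize(classFile).toString();
    return rel.substring(0, rel.length() - ".class".length())
              .replace(File.separatorChar, '.');
  }

  private static void inspect(String name, List<String> findings) {
    Class<?> cls;
    try {
      // initialize=false: static initializers do not run during the audit.
      cls = Class.forName(name, false, AccessibilityAudit.class.getClassLoader());
    } catch (ClassNotFoundException | LinkageError e) {
      findings.add("SKIP " + name + ": " + e);
      return;
    }
    if (API_PACKAGES.contains(cls.getPackageName())) {
      return;  // published API: public is expected here
    }
    if (Modifier.isPublic(cls.getModifiers())) {
      findings.add("public class " + name);
    }
    for (Member m : cls.getDeclaredConstructors()) report(name, m, findings);
    for (Member m : cls.getDeclaredMethods()) report(name, m, findings);
    for (Member m : cls.getDeclaredFields()) report(name, m, findings);
  }

  private static void report(String owner, Member m, List<String> findings) {
    // Synthetic members are compiler-generated and not part of the design.
    if (Modifier.isPublic(m.getModifiers()) && !m.isSynthetic()) {
      findings.add("public member " + owner + "." + m.getName());
    }
  }

  public static void main(String[] args) throws IOException {
    Path dir = Path.of(args.length > 0 ? args[0] : "build/classes");
    audit(dir).forEach(System.out::println);
  }
}
```

The classes directory being audited must also be on the class path of the JVM running the audit, since `Class.forName` resolves names through the audit's own class loader. Public members of a package-private class are reported as well, which is deliberate: as the compliant solutions above explain, such a member is a problem as soon as the class is non-final, and the reviewer is the right person to decide whether that is the case.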

Related Guidelines

Secure Coding Guidelines for the Java Programming Language, Version 3.0

Guideline 1-1 Limit the accessibility of classes, interfaces, methods, and fields


...