SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 44

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 45

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

...

Code Block
bgColor#FFcccc
public class PublicClass {
  public int x;
  public int y;
	
  public void getPoint() {
     System.out.println("(""(" + x + ",""," + y + ")"")");  
  }	
}

Compliant Solution

Limiting the scope of classes, interfaces, methods and fields as far as possible reduces the chance of malicious manipulation. Limit the accessibility depending on the desired implementation scope. For non-final classes, reducing the accessibility of methods also eliminates the threat of malicious overriding. This compliant solution demonstrates the most restrictive accessibility.

Code Block
bgColor#ccccff
final class PrivateClass {
  private int x;
  private int y;
	
  private void getPoint() { 
     System.out.println("(""(" + x + ",""," + y + ")"")");  
  }	
}

A top level class such as this one, cannot be declared as private. Package-private accessibility is admissible in this case. However, nested classes may be declared as private.

...

Code Block
bgColor#ccccff
final class PrivateClass {
  private int x;
  private int y;
	
  void getPoint() { 
    System.out.println("(""(" + x + ",""," + y + ")"")");  
  }	
}

Exceptions

EX1: If a class, interface, method or field is part of a published Application Programming Interface (API), it may be declared public. If not, they should be declared either package-private, protected or private for compliance with this guideline.

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[JLS 05|AA. Java References#JLS 05]\] [Section 6.6, Access Control|http://java.sun.com/docs/books/jls/third_edition/html/names.html#6.6]
\[[SCG 07|AA. Java References#SCG 07]\] Guideline 1-1 Limit the accessibility of classes, interfaces, methods, and fields
\[[Campione 96|AA. Java References#Campione 96]\] [Access Control|http://www.telecom.ntua.gr/HTML.Tutorials/java/javaOO/accesscontrol.html]
\[[McGraw 00|AA. Java References#McGraw 00]\] Chapter 3, Java Language Security Constructs
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 13: Minimize the accessibility of classes and members

...

SEC04-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar            02. Platform Security (SEC)            SEC06-J. Sign and seal sensitive objects before transit