...
If a class, interface, method, or field is part of a published API, such as a web service end point, it may be declared public. Other classes and members should be declared either package-private or private. For example, non-security critical classes are encouraged to provide public static factories to implement instance control with a private constructor.
Noncompliant Code Example (Public Class)
In this noncompliant code example, the class Point is declared public. Even though this example complies with rule OBJ01-J. Declare data members as private and provide accessible wrapper methods, untrusted code could instantiate Point and invoke the public getPoint() to obtain the coordinates.
| Code Block | ||
|---|---|---|
| ||
public final class Point {
private final int x;
private final int y;
public Point(int x, int y) {
this.x = x;
this.y = y;
}
public void getPoint() {
System.out.println("(" + x + "," + y + ")");
}
}
|
Compliant Solution (Final Classes With Public Methods)
This compliant solution declares the Point class as package-private.
...
Because the class is final, the getPoint() method can be declared public. (A public subclass that violates this rule cannot override the method and expose it to untrusted code, so its accessibility is irrelevant). For non-final classes, reducing the accessibility of methods to private or package-private eliminates this threat.
Compliant Solution (Non-Final Classes With Non-Public Methods)
This compliant solution declares the Point class and its getPoint() method as package-private. This allows the Point class to be non-final and allows getPoint() to be invoked by classes present within the same package and loaded by a common class loader.
| Code Block | ||
|---|---|---|
| ||
class Point {
private final int x;
private final int y;
Point(int x, int y) {
this.x = x;
this.y = y;
}
void getPoint() {
System.out.println("(" + x + "," + y + ")");
}
}
|
Noncompliant Code Example (Public Class With Public Static Method)
This noncompliant code example shows a public Point class that attempts to implement instance control using a private constructor. However, untrusted code may invoke the public static getPoint() method without instantiating the class because the class is public.
| Code Block | ||
|---|---|---|
| ||
public final class Point {
private static final int x = 1;
private static final int y = 2;
private Point(int x, int y) {}
public static void getPoint() {
System.out.println("(" + x + "," + y + ")");
}
}
|
Compliant Solution (Package-Private Class)
This compliant solution reduces the accessibility of the class to package-private. As a consequence, access to the getPoint() method is restricted to classes located within the same package. This prevents untrusted code from invoking getPoint() and obtaining the coordinates.
| Code Block | ||
|---|---|---|
| ||
final class Point {
private static final int x = 1;
private static final int y = 2;
private Point(int x, int y) {}
public static void getPoint() {
System.out.println("(" + x + "," + y + ")");
}
}
|
Exceptions
OBJ15-EX0: A system with an API designed to be used (and possibly extended) by third-party code, must have classes and methods sufficiently public to provide that API. The demands of such an API override this rule.
Risk Assessment
Granting unnecessary access breaks encapsulation and weakens the security of Java applications.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SEC01 OBJ15-J | medium | likely | medium | P12 | L1 |
Automated Detection
For any given body of code, we can compute the minimum accessibility for each class and member so that we do not introduce new compilation errors. The limitation of this is that this could not bear any resemblance to what the designer intended when they wrote it. For example, unused members can obviously be marked private. However, such members could be unused because the particular body of code examined coincidentally lacks references to the members.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SCG 2007 Guideline 1-1. Limit the accessibility of classes, interfaces, methods, and fields
Bibliography
| Wiki Markup |
|---|
\[[Bloch 2008|AA. Bibliography#Bloch 08]\] Item 13: Minimize the accessibility of classes and members; Item 16: Prefer interfaces to abstract classes \[[Campione 1996|AA. Bibliography#Campione 96]\] [Access Control|http://www.telecom.ntua.gr/HTML.Tutorials/java/javaOO/accesscontrol.html] \[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 6.6, Access Control|http://java.sun.com/docs/books/jls/third_edition/html/names.html#6.6] \[[McGraw 1999|AA. Bibliography#McGraw 99]\] Chapter 3, Java Language Security Constructs |
...