It is possible that an exception gets thrown in the finally block even though it escapes detection at compile time. This can prevent other clean-up statements from being executed.
The finally clause closes the reader object in this noncompliant code example. However, it is incorrectly assumed that the statements within the finally block cannot throw exceptions. Notably, close() can throw an IOException which prevents any subsequent clean-up lines from being executed. This is not detected at compile time as the type of exception that close() throws is the same as the ones that read and write throw.
| 
public class Login {
  static void checkPassword(String password_file) throws IOException {
    StringBuffer fileData = new StringBuffer(1000);
    BufferedReader reader = new BufferedReader(new FileReader(password_file));
    try {
      int n;
      char[] passwd = new char[1024];
      while ((n = reader.read(passwd)) >= 0) {
        String readData = String.valueOf(passwd, 0, n);
        fileData.append(readData);
        passwd = new char[1024];
      }
    
      String realPassword = "javac<at:var at:name="f3b" />b3";
      System.out.println(fileData.toString());
        
      if (fileData.toString().equals(realPassword)) {
        System.out.println("Login successful");
      }
      else {
        System.out.println("Login failed");
      }
    } finally {
      reader.close();
      //other clean-up code 
    }
}
  public static void main(String[] args) throws IOException {
    String path = "c:\\password.txt";
    checkPassword(path);
  }
}
 | 
This compliant solution correctly places the close() statement in a try-catch block. As a result, an IOException can be handled without letting it propagate any further. 
| 
public class Login {
  static void checkPassword(String password_file) throws IOException {
  
    StringBuffer fileData = new StringBuffer(1000);
    BufferedReader reader = new BufferedReader(new FileReader(password_file));
    try {
      int n;
      char[] passwd = new char[1024];
      while ((n = reader.read(passwd)) >= 0) {
        String readData = String.valueOf(passwd, 0, n);
        fileData.append(readData);
        passwd = new char[1024];
      }
      
      String realPassword = "javac<at:var at:name="f3b" />b3";
      System.out.println(fileData.toString());
        
      if (fileData.toString().equals(realPassword)) {
        System.out.println("Login successful");
      }
      else {
        System.out.println("Login failed");
      }
    } finally {
        try {     //enclose in try-catch block
          reader.close();
        } catch (IOException ie) {ie.getMessage();}
          //other clean-up code
        }
    }
  public static void main(String[] args) throws IOException {
    String path = "c:\\password.txt";
    checkPassword(path);
  }
}
 | 
If the need to close a stream without throwing an exception occurs often, then an alternative solution to wrapping every call of close() in its own try-catch block is, to write a closeIgnoringException method as shown in this compliant solution.
| 
public class Login {
  static void checkPassword(String password_file) throws IOException {
  
    StringBuffer fileData = new StringBuffer(1000);
    BufferedReader reader = new BufferedReader(new FileReader(password_file));
    try {
      int n;
      char[] passwd = new char[1024];
      while ((n = reader.read(passwd)) >= 0) {
        String readData = String.valueOf(passwd, 0, n);
        fileData.append(readData);
        passwd = new char[1024];
      }
      String realPassword = "javac<at:var at:name="f3b" />b3";
      System.out.println(fileData.toString());
        
      if (fileData.toString().equals(realPassword)) {
        System.out.println("Login successful");
      }
      else {
        System.out.println("Login failed");
      }
    } finally {
        closeIgnoringException(reader);
        //other clean-up code 
    }
}
  private static void closeIgnoringException(BufferredReader s) {
    if (s != null) {
      try {
        s.close();
      } catch (IOException ie) {
        // Ignore exception if close fails
      }
    }
  }
  public static void main(String[] args) throws IOException {
    String path = "c:\\password.txt";
    checkPassword(path);
  }
}
 | 
Failing to handle an exception in a finally block can lead to unexpected results.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| EXC31- J | low | unlikely | medium | P2 | L3 | 
TODO
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
| \[[Bloch 05|AA. Java References#Bloch 05]\] Puzzle 41: Field and Stream \[[Harold 99|AA. Java References#Harold 99]\] \[[Chess 07|AA. Java References#Chess 07]\] 8.3 Preventing Resource Leaks (Java) | 
EXC30-J. Do not exit abruptly from a finally block 13. Exceptional Behavior (EXC) EXC32-J. Catch specific exceptions as opposed to the more general RuntimeException