...
This noncompliant code example installs a security manager check in the constructor of the `BigInteger` class. The security manager denies access when it detects that a subclass without the requisite permissions is attempting to instantiate the superclass [SCG 2009]. It also compares class types, in compliance with rule OBJ09-J. Compare classes and not class names. Note that this check does not prevent malicious extensions of `BigInteger`; instead, it prevents the creation of `BigInteger` objects from untrusted code, which also prevents the creation of objects of malicious extensions of `BigInteger`.
```java
public class BigInteger {
  public BigInteger(String str) {
    // java.lang.Object.getClass(), which is final
    Class c = getClass();
    // Confirm class type
    if (c != java.math.BigInteger.class) {
      // throws a security exception if not allowed
      securityManagerCheck();
    }
    // ...
  }

  // Check the permission needed to subclass BigInteger
  private void securityManagerCheck() {
    // ...
  }
}
```
Unfortunately, throwing an exception from the constructor of a non-final class is insecure because it allows a finalizer attack. (See rule OBJ11-J. Be wary of letting constructors throw exceptions.)
...
```java
public class BigInteger {
  public BigInteger(String str) {
    // throws a security exception if not allowed
    this(str, check());
  }

  private BigInteger(String str, boolean dummy) {
    // regular construction goes here
  }

  private static boolean check() {
    // Check the permission needed to subclass BigInteger;
    // throws a security exception if not allowed
    securityManagerCheck();
    return true;
  }

  private static void securityManagerCheck() {
    // ...
  }
}
```
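The following added example (not part of the original rule text) contrasts the two constructor shapes above and shows why only the second one closes the finalizer exposure: an object becomes finalizable once `Object`'s constructor has completed, and the `this(str, check())` idiom throws before that point. The class names are hypothetical, a method that always throws stands in for a denied security manager check, and the demo assumes a JVM with finalization enabled.

```java
// Added example; class names are hypothetical. securityManagerCheck() always
// throws here to simulate a denied permission.
@SuppressWarnings({"deprecation", "removal"})
public class FinalizerCheckDemo {
  static volatile int finalized = 0;   // rejected instances that were finalized

  static void securityManagerCheck() {
    throw new SecurityException("subclassing not permitted");
  }

  // Noncompliant shape: the check runs in the constructor body, after
  // Object's constructor has completed, so the instance is finalizable.
  static class CheckInBody {
    CheckInBody() { securityManagerCheck(); }
  }

  // Compliant shape: the check runs while the this(...) argument is
  // evaluated, before Object's constructor, so a failed check leaves
  // nothing for a finalizer to see.
  static class CheckBeforeSuper {
    CheckBeforeSuper() { this(check()); }
    private CheckBeforeSuper(boolean dummy) { /* regular construction */ }
    private static boolean check() { securityManagerCheck(); return true; }
  }

  // Subclasses whose finalizers only count how often they run.
  static class ProbeA extends CheckInBody {
    @Override protected void finalize() { finalized++; }
  }
  static class ProbeB extends CheckBeforeSuper {
    @Override protected void finalize() { finalized++; }
  }

  // Attempts one construction, then gives the finalizer thread time to run.
  static int probe(Runnable construct) throws InterruptedException {
    finalized = 0;
    try { construct.run(); } catch (SecurityException expected) { }
    for (int i = 0; i < 10 && finalized == 0; i++) {
      System.gc();
      System.runFinalization();
      Thread.sleep(50);
    }
    return finalized;
  }

  public static void main(String[] args) throws InterruptedException {
    System.out.println("check in constructor body: " + probe(ProbeA::new));
    System.out.println("check before super():      " + probe(ProbeB::new));
  }
}
```

With finalization enabled, the first probe reports a rejected instance reaching `finalize()` and the second reports none. The same harness can serve as a regression check when a constructor-time permission check is refactored.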
Noncompliant Code Example (Data-Driven Execution)
...
...