Page History

Callers can trivially access and modify {{public}} {{static}} non-final fields. Neither accesses nor any modifications are checked by a security manager, and newly set values cannot be validated. Classes loaded by the same or different class loaders can access each others' {{public static}} members, unless appropriate protection is installed. For example, consider Java applets \[[Sun 2008|AA. JavaBibliography#Sun References#Sun 08]\]:

Improper use of {{public static}} fields can also result in type safety issues. For example, untrusted code may supply an unexpected subtype when the variable is defined to be of a more general type such as {{java.lang.Object}} \[[Gong 2003|AA. Java References#GongBibliography#Gong 03]\].

This noncompliant code example is adopted from JDK v1.4.2 \[[FT 2008|AA. JavaBibliography#FT References#FT 08]\]. It declares a function table containing a {{public static}} field.

\[[FT 2008|AA. JavaBibliography#FT References#FT 08]\] 
\[[Sterbenz 2006|AA. Java References#SterbenzBibliography#Sterbenz 06]\] Antipattern 5, Misusing Public Static Variables
\[[Nisewanger 2007|AA. JavaBibliography#Nisewanger References#Nisewanger 07]\] Antipattern 5, Misusing Public Static Variables
\[[SCG 2007|AA. Java References#SCGBibliography#SCG 07]\] Guideline 3.1, Treat public static fields as constants
\[[Gong 2003|AA. JavaBibliography#Gong References#Gong 03]\] 9.3 Static Fields
\[[MITRE 2009|AA. Java References#MITREBibliography#MITRE 09]\] [CWE ID 582|http://cwe.mitre.org/data/definitions/582.html] "Array Declared Public, Final, and Static", [CWE ID 493|http://cwe.mitre.org/data/definitions/493.html] "Critical Public Variable Without Final Modifier", [CWE ID 500|http://cwe.mitre.org/data/definitions/500.html] "Public Static Field Not Marked Final"