Non-final classes containing methods that perform security checks can be compromised if a malicious subclass overrides the methods and omits the checks. For this reason, it is recommended that the methods be prohibited from being extended by declaring them `private` or `final`.
...
```java
private void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // check if file can be read
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
  // ...
}
```
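The override risk and the `final` fix side by side, as an added example that is not part of the original guideline. `Access.checkRead`, the class names and the caller strings are constructed stand-ins for the `SecurityManager` check, so the code does not depend on a security manager being installed.

```java
import java.util.Set;

// Constructed stand-in for the SecurityManager check (hypothetical helper).
final class Access {
    private static final Set<String> READERS = Set.of("admin");
    static void checkRead(String caller, String path) {
        if (!READERS.contains(caller)) {
            throw new SecurityException(caller + " may not read " + path);
        }
    }
}

// Weak: non-final class whose overridable method carries the check.
class OpenReader {
    public String readSensitiveFile(String caller) {
        Access.checkRead(caller, "/temp/tempFile");
        return "file contents";
    }
}

// A subclass replaces the method, and the check silently disappears.
class UncheckedReader extends OpenReader {
    @Override
    public String readSensitiveFile(String caller) {
        return "file contents (no check ran)";
    }
}

// Hardened: the method is final, so subclasses inherit the check unchanged.
class GuardedReader {
    public final String readSensitiveFile(String caller) {
        Access.checkRead(caller, "/temp/tempFile");
        return "file contents";
    }
}

class GuardedSubclass extends GuardedReader {
    // Redeclaring readSensitiveFile(String) here is a compile-time error.
}

public class OverrideCheckDemo {
    public static void main(String[] args) {
        OpenReader open = new UncheckedReader(); // callers only see an OpenReader
        System.out.println("open:    " + open.readSensitiveFile("guest"));
        try {
            new GuardedSubclass().readSensitiveFile("guest");
        } catch (SecurityException se) {
            System.out.println("guarded: " + se.getMessage());
        }
    }
}
```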
Exceptions
EX1: Classes that are declared `final` are exempt from this guideline because their methods cannot be overridden.
...