
...

class BaseClass {
  public BaseClass() {
    // Safe to call from the constructor: doLogic() is final, so no subclass
    // can override it and observe the object before it is fully initialized.
    doLogic();
  }

  public final void doLogic() {
    System.out.println("This is super-class!");
  }
}

In addition to constructors, do not call overridable methods from the clone(), readObject() and readObjectNoData() methods, as doing so would allow attackers to obtain partially initialized instances of classes. An equally dangerous idea is to disobey this advice by calling an overridden method from a finalize() method. This can prolong the subclass's life and in fact render the finalization call useless (see the example in OBJ02-J. Avoid using finalizers).

Risk Assessment

Allowing a constructor to call overridable methods may give an attacker access to the object's this reference before the object is fully initialized, which, in turn, could lead to a vulnerability.
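The following self-contained program is an added example, not code from the CERT page: it shows the noncompliant pattern (a constructor calling an overridable method) beside the compliant one from the code block above, with a hypothetical subclass named Capturing that demonstrates how a partially initialized instance escapes. All class and field names are assumptions made for this illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class CtorEscapeDemo {

    // Noncompliant: the constructor calls a method a subclass can override,
    // so subclass code runs while the object is only partially constructed.
    static class NoncompliantBase {
        NoncompliantBase() {
            doLogic();
        }
        void doLogic() {
            System.out.println("base logic");
        }
    }

    // Hypothetical subclass standing in for attacker-controlled code: it hooks
    // the constructor's call, stores the half-built instance, and reads a
    // field that has not been assigned yet.
    static final class Capturing extends NoncompliantBase {
        static final List<NoncompliantBase> LEAKED = new ArrayList<>();
        // Field initializers run only after super() returns, so inside the
        // base constructor's call to doLogic() this field is still null,
        // even though it is declared final.
        private final byte[] key = new byte[16];

        @Override
        void doLogic() {
            LEAKED.add(this); // the partially initialized 'this' escapes
            System.out.println("key seen during construction: "
                    + (key == null ? "null (not yet assigned)" : "assigned"));
        }
    }

    // Compliant: the method invoked from the constructor is final, exactly as
    // in the page's BaseClass, so no subclass can intercept construction.
    static class CompliantBase {
        CompliantBase() {
            doLogic();
        }
        final void doLogic() {
            System.out.println("base logic");
        }
    }

    public static void main(String[] args) {
        new Capturing();
        System.out.println("escaped instances: " + Capturing.LEAKED.size());
        new CompliantBase();
    }
}
```

Making doLogic() private instead of final also prevents the escape, since a subclass method of the same name would then be a different method that the base constructor never calls.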

...