Page History

Increasing the accessibility of overridden or hidden methods permits a malicious subclass to offer wider access to the restricted method than was originally intended. Consequently, programs must override methods only when necessary and must declare methods final whenever possible to prevent malicious subclassing. When methods cannot be declared final, programs must refrain from increasing the accessibility of overridden methods.

Wiki MarkupThe access modifier of an overriding or hiding method must provide at least as much access as the overridden or hidden method (_Java Language Specification_, [§8, §8.4.8.3, "Requirements in Overriding and Hiding" |http://java.sun.com/docs/books/jls/third_edition/html/classes.html#8.4.8.3] \[ [JLS 2005|AA. References#JLS 05]]). The following are the allowed accesses:

Overridden/hidden method modifier	Overriding/hiding method modifier
`public`	`public`
`protected`	`protected` or `public`
default	default or `protected` or `public`
`private`	Cannot be overridden

...

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
MET04-J	medium	probable	medium	P8	L2

Automated Detection

Detecting violations of this rule is straightforward.

...

MITRE CWE	CWE-487. Reliance on package-level scope
Secure Coding Guidelines for the Java Programming Language, Version 3.0	Guideline 1-1. Limit the accessibility of classes, interfaces, methods, and fields

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a6801fa4-4eef-4a41-a131-3902b6e5d2fe"><ac:plain-text-body><![CDATA [ [[JLS 2005AA. References#JLS 05]]

[§8.4.8.3http://java.sun.com/docs/books/jls/third_edition/html/classes.html#8.4.8.3], Requirements in Overriding and Hiding ]]></ac:plain-text-body></ac:structured-macro>

...

05. Methods (MET)

Space shortcuts

Page tree

Versions Compared

Old Version 99

New Version 100

Key

Automated Detection

Bibliography