...
The introduction of the entrySet() method in the java.util.Hashtable superclass in JDK 1.2 left the java.security.Provider subclass class vulnerable to a security attack. The Provider class extends java.util.Properties, which in turn extends Hashtable. The Provider class maps a cryptographic algorithm name (for example "RSA") to a class that provides its implementation.
The Provider class inherits the put() and remove() methods from Hashtable and adds security manager checks to each. These checks ensure that malicious code cannot add or remove the mappings. When entrySet() was introduced, it became possible for untrusted code to remove the mappings from the Hashtable because Provider failed to override this method to provide the necessary security manager check SCG 2009. This problem is commonly known as a fragile class hierarchy in other object-oriented languages, such as C++.
Related Guidelines
Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 1-3. Understand how a superclass can affect subclass behavior |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2bc5818e13e1669a-fb491dc6-4aaf4512-a278834f-7b0a8053fd3ead33f6db4f5b"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [Class | http://download.oracle.com/javase/6/docs/api/java/util/Calendar.html] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="73b69776f6c619f9-d5f14cec-415844f5-a4ad8ce5-db1b09922b72695d1c23431a"><ac:plain-text-body><![CDATA[ | [[Bloch 2008 | AA. Bibliography#Bloch 08]] | Item 16. Favor composition over inheritance | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9dd47add12b59881-9a3f1544-4b684f39-9d70a59a-4b16358f1b1233b75d2642c6"><ac:plain-text-body><![CDATA[ | [[Gamma 1995 | AA. Bibliography#Gamma 95]] | Design Patterns, Elements of Reusable Object-Oriented Software | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5d8322ae129ccb3a-0e60c550-43bf47ed-9d35aff4-e80a4aa60276e3c6043eb647"><ac:plain-text-body><![CDATA[ | [[Lieberman 1986 | AA. Bibliography#Lieberman 86]] | Using prototypical objects to implement shared behavior in object-oriented systems | ]]></ac:plain-text-body></ac:structured-macro> |
...