In a Java Virtual Machine (JVM), a class is identified by its fully qualified class name and its class loader. A class with the same name but a different package name is a different class, and a class with the same fully qualified name but loaded by a different class loader is also a different class. "Two classes are the same class (and consequently the same type) if they are loaded by the same class loader and they have the same fully qualified name" [JVMSpec 99].
...
```java
// Determine whether object h has required/expected class name
if (h.getClass().getName().equals("com.application.auth.DefaultAuthenticationHandler")) {
  // ...
}
```
The main issue is that another class may exist with the same name in the JVM.
...
```java
// Determine whether object h has required/expected class name
// (loadClass() throws the checked ClassNotFoundException, which the caller must handle)
if (h.getClass() == this.getClass().getClassLoader().loadClass("com.application.auth.DefaultAuthenticationHandler")) {
  // ...
}
```
The call to loadClass() returns the class having the specified name in the current namespace (of the class loader), and the comparison is correctly performed on the two class objects.
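The difference between the two comparisons can be observed directly. The following is an added example, not code from the original rule: `ClassIdentityDemo`, `Handler` and `IsolatingLoader` are hypothetical names, and `Handler` stands in for the authentication handler. It assumes Java 9 or later (for `InputStream.readAllBytes()`) and that the compiled classes are on the class path.

```java
import java.io.IOException;
import java.io.InputStream;

public class ClassIdentityDemo {

    // Hypothetical stand-in for the trusted handler class.
    public static class Handler { }

    // Defines its own copy of the target class instead of delegating to the
    // parent, modelling a second namespace that holds a class of the same name.
    static class IsolatingLoader extends ClassLoader {
        private final String target;

        IsolatingLoader(ClassLoader parent, String target) {
            super(parent);
            this.target = target;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(target)) return super.loadClass(name, resolve);
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                String path = name.replace('.', '/') + ".class";
                try (InputStream in = getParent().getResourceAsStream(path)) {
                    if (in == null) throw new ClassNotFoundException(name);
                    byte[] b = in.readAllBytes();
                    c = defineClass(name, b, 0, b.length);
                } catch (IOException e) {
                    throw new ClassNotFoundException(name, e);
                }
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }

    public static void main(String[] args) throws Exception {
        String name = Handler.class.getName();
        ClassLoader own = ClassIdentityDemo.class.getClassLoader();
        // Object whose class has the expected name but comes from another loader.
        Object h = new IsolatingLoader(own, name).loadClass(name)
                .getDeclaredConstructor().newInstance();
        // Name comparison accepts the foreign copy: prints true.
        System.out.println("by name:  " + h.getClass().getName().equals(name));
        // Class-object comparison rejects it: prints false.
        System.out.println("by class: " + (h.getClass() == own.loadClass(name)));
    }
}
```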
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[JVMSpec 99] §2.8.1 Class Names (http://java.sun.com/docs/books/jvms/second_edition/html/Concepts.doc.html)

[Christudas 05]

[Mcgraw 98]

[Wheeler 03] Java (http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/java.html)

[MITRE 09] CWE ID 486 (http://cwe.mitre.org/data/definitions/486.html), "Comparison of Classes by Name"
...