...
```java
// Exception handling has been omitted for the sake of brevity
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.UnknownHostException;

class EchoServer {
  public static void main(String[] args) throws IOException {
    ServerSocket serverSocket = null;
    try {
      // Plain TCP: everything echoed here crosses the network unencrypted
      serverSocket = new ServerSocket(9999);
      Socket socket = serverSocket.accept();
      PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(
          new InputStreamReader(socket.getInputStream()));
      String inputLine;
      while ((inputLine = in.readLine()) != null) {
        System.out.println(inputLine);
        out.println(inputLine);
      }
    } finally {
      if (serverSocket != null) {
        try {
          serverSocket.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}

class EchoClient {
  public static void main(String[] args)
      throws UnknownHostException, IOException {
    Socket socket = null;
    try {
      socket = new Socket("localhost", 9999);
      PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(
          new InputStreamReader(socket.getInputStream()));
      BufferedReader stdIn = new BufferedReader(
          new InputStreamReader(System.in));
      String userInput;
      while ((userInput = stdIn.readLine()) != null) {
        out.println(userInput);
        System.out.println(in.readLine());
      }
    } finally {
      if (socket != null) {
        try {
          socket.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}
```
Note that the sockets are properly closed in accordance with rule ERR05-J. Do not let checked exceptions escape from a finally block. Although simply printing out exceptions thrown while closing a socket is poor practice, the exceptions may be suppressed as per exception ERR00-EX0 of ERR00-J. Do not suppress or ignore checked exceptions.
Compliant Solution
This compliant solution uses SSLSocket to protect packets using the SSL/TLS security protocols.
```java
// Exception handling has been omitted for the sake of brevity
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

class EchoServer {
  public static void main(String[] args) throws IOException {
    SSLServerSocket sslServerSocket = null;
    try {
      // The default factory uses the JVM's configured keystore/truststore
      SSLServerSocketFactory sslServerSocketFactory =
          (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
      sslServerSocket =
          (SSLServerSocket) sslServerSocketFactory.createServerSocket(9999);
      SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
      PrintWriter out = new PrintWriter(sslSocket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(
          new InputStreamReader(sslSocket.getInputStream()));
      String inputLine;
      while ((inputLine = in.readLine()) != null) {
        System.out.println(inputLine);
        out.println(inputLine);
      }
    } finally {
      if (sslServerSocket != null) {
        try {
          sslServerSocket.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}

class EchoClient {
  public static void main(String[] args) throws IOException {
    SSLSocket sslSocket = null;
    try {
      SSLSocketFactory sslSocketFactory =
          (SSLSocketFactory) SSLSocketFactory.getDefault();
      sslSocket = (SSLSocket) sslSocketFactory.createSocket("localhost", 9999);
      PrintWriter out = new PrintWriter(sslSocket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(
          new InputStreamReader(sslSocket.getInputStream()));
      BufferedReader stdIn = new BufferedReader(
          new InputStreamReader(System.in));
      String userInput;
      while ((userInput = stdIn.readLine()) != null) {
        out.println(userInput);
        System.out.println(in.readLine());
      }
    } finally {
      if (sslSocket != null) {
        try {
          sslSocket.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}
```
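The compliant solution above relies entirely on the defaults of SSLSocketFactory.getDefault(). Those defaults validate the server's certificate chain against the JVM truststore, but they do not bind the certificate to the host name being connected to, and they may still offer legacy protocol versions. The following client, an added example that is not part of the CERT rule, shows the parameters a practitioner would set before the handshake; it assumes Java 11 or later (for TLSv1.3) and the same host and port as the page's examples.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (not CERT's code): an echo client whose SSLSocket is
// configured before any application data is exchanged.
class HardenedEchoClient {
  // Assumed values, matching the page's examples
  private static final String HOST = "localhost";
  private static final int PORT = 9999;

  static SSLSocket connect(String host, int port) throws IOException {
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) factory.createSocket(host, port);

    SSLParameters params = sslSocket.getSSLParameters();
    // Restrict to current TLS versions (assumes a JVM that supports TLSv1.3)
    params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
    // Require the server certificate to match the host name, using the
    // same matching rules an HTTPS client applies
    params.setEndpointIdentificationAlgorithm("HTTPS");
    sslSocket.setSSLParameters(params);

    // Perform the handshake now rather than on the first read or write, so a
    // certificate or host-name mismatch fails here as an SSLHandshakeException
    // before any plaintext is handed to the socket
    sslSocket.startHandshake();
    return sslSocket;
  }

  public static void main(String[] args) throws IOException {
    // try-with-resources closes the socket and streams even on failure
    try (SSLSocket sslSocket = connect(HOST, PORT);
         PrintWriter out = new PrintWriter(sslSocket.getOutputStream(), true);
         BufferedReader in = new BufferedReader(
             new InputStreamReader(sslSocket.getInputStream()));
         BufferedReader stdIn = new BufferedReader(
             new InputStreamReader(System.in))) {
      String userInput;
      while ((userInput = stdIn.readLine()) != null) {
        out.println(userInput);
        System.out.println(in.readLine());
      }
    }
  }
}
```

Against a server whose certificate lacks a matching subject alternative name for the connected host, connect() now fails at startHandshake() instead of silently accepting the certificate.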
...
MSC00-EX0: Because of the mechanisms that SSLSocket provides to ensure the secure transfer of packets, significant performance overhead may result. Regular sockets are sufficient when
...
The general case of automated detection appears to be infeasible because determining which specific data may be passed through the socket is not statically computable. An approach that introduces a custom API for passing sensitive data via secure sockets may be feasible. User tagging of sensitive data is a necessary requirement for such an approach.
...
...