

Noncompliant code example

Server-side code using Sockets: this example shows the use of regular Sockets for a server application. Using this kind of Socket does not protect sensitive information while it is in transit.

import java.net.ServerSocket;
import java.net.Socket;
import java.io.*; 

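public class EchoServer {
    /**
     * Accepts a single connection on port 10007 and echoes every line received
     * back to the client, also printing it to standard output.
     *
     * <p>Noncompliant: the connection is a plain {@link ServerSocket}/{@link Socket},
     * so every byte exchanged with the client crosses the network unencrypted and
     * unauthenticated. NOTE(review): the client example on this page connects to
     * port 9999, not 10007.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        // try-with-resources closes the listening socket (never closed in the
        // original) and the accepted connection even when readLine() throws; the
        // original released them only on the success path.
        try (ServerSocket serverSocket = new ServerSocket(10007);
             Socket socket = serverSocket.accept();
             PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
             // Platform default charset, as in the original; pass an explicit
             // charset if both ends may run on different platforms.
             BufferedReader in =
                     new BufferedReader(new InputStreamReader(socket.getInputStream()))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                System.out.println(inputLine);
                out.println(inputLine);
            }
        } catch (IOException e) {
            // Report the failure instead of silently swallowing it.
            System.err.println("EchoServer I/O failure: " + e);
        }
    }
}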

Compliant solution

Server-side code using SSLSockets: this is a better solution than the previous example, making use of SSLSockets. By doing so, packets are protected by the SSL and TLS security protocols.

import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import java.io.*;

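public class EchoServer {
    /**
     * Accepts a single TLS-protected connection on port 9999 and echoes every line
     * received back to the client, also printing it to standard output.
     *
     * <p>Compliant: the socket comes from the default {@link SSLServerSocketFactory},
     * so the echoed data is encrypted in transit. NOTE(review): the default factory
     * takes the server's certificate and private key from the JSSE key store
     * configuration ({@code javax.net.ssl.keyStore} system properties); without one
     * the handshake fails — confirm the deployment's key store setup. Consider
     * restricting the negotiable versions with
     * {@code sslserversocket.setEnabledProtocols(...)} to current TLS versions.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        SSLServerSocketFactory sslserversocketfactory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // try-with-resources closes the listening socket (never closed in the
        // original) and the accepted connection even when readLine() throws.
        try (SSLServerSocket sslserversocket =
                     (SSLServerSocket) sslserversocketfactory.createServerSocket(9999);
             SSLSocket sslsocket = (SSLSocket) sslserversocket.accept();
             PrintWriter out = new PrintWriter(sslsocket.getOutputStream(), true);
             BufferedReader in =
                     new BufferedReader(new InputStreamReader(sslsocket.getInputStream()))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                System.out.println(inputLine);
                out.println(inputLine);
            }
        } catch (IOException e) {
            // Surface the failure instead of swallowing it silently.
            System.err.println("EchoServer I/O failure: " + e);
        }
    }
}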

Noncompliant code example

This is similar insecure code for the client-side application, using Sockets.

import java.io.*;
import java.net.*;

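public class EchoClient {
    /**
     * Connects to localhost:9999, sends each line read from standard input and
     * prints the server's reply.
     *
     * <p>Noncompliant: the connection is a plain {@link Socket}, so user input and
     * the replies cross the network unencrypted, and nothing authenticates the peer.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        // try-with-resources closes the socket and all readers/writers even when
        // an I/O call throws; the original closed them only on the success path.
        try (Socket socket = new Socket("localhost", 9999);
             PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
             BufferedReader in =
                     new BufferedReader(new InputStreamReader(socket.getInputStream()));
             BufferedReader stdIn = new BufferedReader(new InputStreamReader(System.in))) {
            String userInput;
            while ((userInput = stdIn.readLine()) != null) {
                out.println(userInput);
                // readLine() yields null once the server closes the connection.
                System.out.println(in.readLine());
            }
        } catch (IOException e) {
            // Report the failure instead of silently swallowing it.
            System.err.println("EchoClient I/O failure: " + e);
        }
    }
}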

Compliant solution

This is the client-side application, making use of SSLSockets.

import java.io.*;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

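public class EchoClient {
    /**
     * Connects to localhost:9999 over TLS, sends each line read from standard input
     * and prints the server's reply.
     *
     * <p>Compliant: the connection comes from the default {@link SSLSocketFactory},
     * so the data is encrypted in transit and the server certificate is validated
     * against the default trust store. Endpoint identification is enabled explicitly
     * below, because an {@link SSLSocket} does not check on its own that the
     * certificate matches the host name it was asked to connect to.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // try-with-resources closes the socket and all readers/writers even when
        // the handshake or an I/O call throws.
        try (SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", 9999);
             PrintWriter out = new PrintWriter(sslsocket.getOutputStream(), true);
             BufferedReader in =
                     new BufferedReader(new InputStreamReader(sslsocket.getInputStream()));
             BufferedReader stdIn = new BufferedReader(new InputStreamReader(System.in))) {
            // Require the server certificate to match "localhost"; this must be set
            // before the handshake, which starts on the first read/write.
            SSLParameters params = sslsocket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sslsocket.setSSLParameters(params);
            // Fail early, before any user input is sent, if the peer is not trusted.
            sslsocket.startHandshake();

            String userInput;
            while ((userInput = stdIn.readLine()) != null) {
                out.println(userInput);
                // readLine() yields null once the server closes the connection.
                System.out.println(in.readLine());
            }
        } catch (IOException e) {
            // Report the failure instead of silently swallowing it.
            System.err.println("EchoClient I/O failure: " + e);
        }
    }
}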
