SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 49

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 50

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: code now uses proper closing of sockets

...

Wiki Markup
The principal protections included in {{SSLSockets}} that are not provided by the {{Socket}} class are \[[Java API|AA. Bibliography#API 06]\]:

  • Integrity Protection. SSL protects against modification of messages by an active wiretapper.
  • Authentication. In most modes, SSL provides peer authentication. Servers are usually authenticated, and clients may be authenticated as requested by servers.
  • Confidentiality (Privacy Protection). In most modes, SSL encrypts data being sent between client and server. This protects the confidentiality of data, so that passive wiretappers won't see sensitive data such as financial information or personal information of many kinds.

...

Code Block
bgColor#FFCCCC
  
// Exception handling has been omitted for the sake of brevity
class EchoServer { 
  public static void main(String[] args) throws IOException {
    ServerSocket serverSocket = null;
     ServerSockettry {
      serverSocket = new ServerSocket(10007); 
      Socket socket = serverSocket.accept();
			
      PrintWriter out = new PrintWriter(socket.getOutputStream(), true); 
      BufferedReader in = new BufferedReader(
                  new InputStreamReader(socket.getInputStream())); 

      String inputLine; 
      while ((inputLine = in.readLine()) != null) { 
        System.out.println(inputLine); 
        out.println(inputLine); 
      }
    } finally {
      try {
       // serverSocket.close out, in, socket (preferably in a try-finally block)   ();
      } catch (IOException x) {
        System.err.println(x.toString());
      }
    }
  }
}

class EchoClient {
  public static void main(String[] args) throws UnknownHostException, IOException {
    Socket socket = null;
    try {
     Socket socket = new Socket("localhost", 9999);
						
      PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(
                  new InputStreamReader(socket.getInputStream()));

      BufferedReader stdIn = new BufferedReader(
                   new InputStreamReader(System.in));
			
      String userInput;
      while ((userInput = stdIn.readLine()) != null) {
        out.println(userInput);
        System.out.println(in.readLine());
      } 

     // close out, in, stdIn, socket (preferably in a try-finally block)   } finally {
      try {
        socket.close();
      } catch (IOException x) {
        System.err.println(x.toString());
      }
    }
  }
}

...

Note that the sockets are closed in accordance with ERR05-J. Do not let checked exceptions escape from a finally block. While merely printing close exceptions is frowned upon, the exceptions may be suppresed as per EX0 of ERR00-J. Do not suppress or ignore checked exceptions.
Compliant Solution
This compliant solution makes use of SSLSockets to protect packets using the SSL/TLS security protocols.
 Code Block
bgColor#CCCCFF
// Exception handling has been omitted for the sake of brevity
class EchoServer {
  public static void main(String[] args) throws IOException {
    SSLServerSocket sslServerSocket = null;
    try {
      SSLServerSocketFactory sslserversocketfactorysslServerSocketFactory =
        (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    SSLServerSocket  sslserversocketsslServerSocket =
      (SSLServerSocket) sslserversocketfactorysslServerSocketFactory.createServerSocket(9999);
      SSLSocket sslsocketsslSocket = (SSLSocket) sslserversocketsslServerSocket.accept();

      PrintWriter out = new PrintWriter( sslsocketsslSocket.getOutputStream(),true);
      BufferedReader in = new BufferedReader(
                  new InputStreamReader( sslsocketsslSocket.getInputStream()));
       
     
    String inputLine;          
   
    while ((inputLine = in.readLine()) != null) { 
        System.out.println(inputLine); 
        out.println(inputLine); 
      } 

    } finally {
  // close out, in, sslsocket (preferably in a try-finally block)
  }
}

    try {
        sslServerSocket.close();
      } catch (IOException x) {
        System.err.println(x.toString());
      }
    }
  }
}

class EchoClient {
  public static void main(String[] args) throws IOException {
    SSLSocket sslSocket = null;
    try {
      SSLSocketFactory sslsocketfactorysslSocketFactory =
        (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket  sslsocketsslSocket =
      (SSLSocket) sslsocketfactorysslSocketFactory.createSocket("localhost", 9999);

      PrintWriter out = new PrintWriter(sslsocketsslSocket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(
                  new InputStreamReader(sslsocketsslSocket.getInputStream()));
			
      BufferedReader stdIn = new BufferedReader(
                   new InputStreamReader(System.in));
      
      
    String userInput;
      while ((userInput = stdIn.readLine()) != null) {
        out.println(userInput);
        System.out.println(in.readLine());
      }
  
    // close out, in, stdIn, sslsocket (preferably in a try-finally block)
  }
}} finally {
      try {
        sslSocket.close();
      } catch (IOException x) {
        System.err.println(x.toString());
      }
    }
  }
}

Note that a program that makes use of SSLSockets will block indefinitely if it tries to connect to a port that is not using SSL. Similarly, a program that does not use SSLSockets will block when trying to establish a connection through a port that uses SSL.
...