Composition or inheritance may be used to create a new class that both encapsulates an existing class and adds one or more fields. When a subclass extends another in this way, the concept of equality for the subclass may or may not involve its new fields. That is, when comparing two subclass objects for equality, sometimes their respective fields must also be equal, and other times they need not be equal. Depending on the concept of equality for the subclass, the subclass might override equals()
. Furthermore, this method must follow the general contract for equals()
as specified by the Java Language Specification [[JLS 2005]].
An object is characterized both by its identity (location in memory) and by its state (actual data). The ==
operator compares only the identities of two objects (to check whether the references refer to the same object); the equals
method defined in java.lang.Object
can be overridden to compare the state as well. When a class defines an equals()
method, it implies that the method compares state. When the class lacks a customized equals()
method (either locally declared or inherited from a parent class), it uses the default Object.equals()
implementation that is inherited from Object
. The default Object.equals()
implementation compares only the references and may produce unexpected results.
The equals()
method applies only to objects, not primitives.
Enumerated types have a fixed set of distinct values that may be compared using ==
rather than the equals()
method. Note that enumerated types provide an equals()
implementation that uses ==
internally; this default cannot be overridden. More generally, subclasses that both inherit an implementation of equals()
from a superclass and also lack a requirement for additional functionality need not override the equals()
method.
The general usage contract for equals()
as specified by the Java Language Specification establishes five requirements:
- It is reflexive: For any reference value
x
,x.equals(x)
must returntrue
. - It is symmetric: For any reference values
x
andy
,x.equals(y)
must returntrue
if and only ify.equals(x)
returnstrue
. - It is transitive: For any reference values
x
,y
, andz
, ifx.equals(y)
returnstrue
andy.equals(z)
returnstrue
, thenx.equals(z)
must returntrue
. - It is consistent: For any reference values
x
andy
, multiple invocations ofx.equals(y)
consistently returntrue
or consistently returnfalse
, provided no information used inequals
comparisons on the object is modified. - For any non-null reference value
x
,x.equals(null)
must returnfalse
.
Never violate any of these requirements when overriding the equals()
method.
Noncompliant Code Example (Symmetry)
This noncompliant code example defines a CaseInsensitiveString
class that includes a String
and overrides the equals()
method. The CaseInsensitiveString
class knows about ordinary strings but the String
class has no knowledge of case-insensitive strings. Consequently, CaseInsensitiveString.equals()
method should not attempt to interoperate with objects of the String
class.
public final class CaseInsensitiveString { private String s; public CaseInsensitiveString(String s) { if (s == null) { throw new NullPointerException(); } this.s = s; } // This method violates symmetry public boolean equals(Object o) { if (o instanceof CaseInsensitiveString) { return s.equalsIgnoreCase(((CaseInsensitiveString)o).s); } if (o instanceof String) { return s.equalsIgnoreCase((String)o); } return false; } public static void main(String[] args) { CaseInsensitiveString cis = new CaseInsensitiveString("Java"); String s = "java"; System.out.println(cis.equals(s)); // Returns true System.out.println(s.equals(cis)); // Returns false } }
By operating on String
objects, the CaseInsensitiveString.equals()
method violates the second contract requirement (symmetry). Because of the asymmetry, given a String
object s
and a CaseInsensitiveString
object cis
that differ only in case, cis.equals(s))
returns true
while s.equals(cis)
returns false
.
Note that this code also violates MET13-J. Classes that define an equals() method must also define a hashCode() method.
Compliant Solution
In this compliant solution, the CaseInsensitiveString.equals()
method is simplified to operate only on instances of the CaseInsensitiveString
class, consequently preserving symmetry. The class also defines a hashCode()
method.
public final class CaseInsensitiveString { private String s; public CaseInsensitiveString(String s) { if (s == null) { throw new NullPointerException(); } this.s = s; } public boolean equals(Object o) { return o instanceof CaseInsensitiveString && ((CaseInsensitiveString)o).s.equalsIgnoreCase(s); } public int hashCode() { // ... } public static void main(String[] args) { CaseInsensitiveString cis = new CaseInsensitiveString("Java"); String s = "java"; System.out.println(cis.equals(s)); // Returns false now System.out.println(s.equals(cis)); // Returns false now } }
Noncompliant Code Example (Transitivity)
This noncompliant code example defines an XCard
class that extends the Card
class.
public class Card { private final int number; public Card(int number) { this.number = number; } public boolean equals(Object o) { if (!(o instanceof Card)) { return false; } Card c = (Card)o; return c.number == number; } } class XCard extends Card { private String type; public XCard(int number, String type) { super(number); this.type = type; } public boolean equals(Object o) { if (!(o instanceof Card)) { return false; } // Normal Card, do not compare type if (!(o instanceof XCard)) { return o.equals(this); } // It is an XCard, compare type as well XCard xc = (XCard)o; return super.equals(o) && xc.type == type; } public static void main(String[] args) { XCard p1 = new XCard(1, "type1"); Card p2 = new Card(1); XCard p3 = new XCard(1, "type2"); System.out.println(p1.equals(p2)); // Returns true System.out.println(p2.equals(p3)); // Returns true System.out.println(p1.equals(p3)); // Returns false, violating transitivity } }
In the noncompliant code example, p1
and p2
compare equal and p2
and p3
compare equal, but p1
and p3
compare unequal; this violates the transitivity requirement. The problem is that the Card
class has no knowledge of the XCard
class and consequently cannot determine that p2
and p3
have different values for the field type
.
Compliant Solution
Unfortunately, it is impossible to extend an instantiable class (as opposed to an abstract
class) by adding a value or field in the subclass while preserving the equals()
contract. Use composition rather than inheritance to achieve the desired effect [[Bloch 2008]]. This compliant solution adopts this approach by adding a private card
field to the XCard
class and providing a public
viewCard()
method.
class XCard { private String type; private Card card; // Composition public XCard(int number, String type) { card = new Card(number); this.type = type; } public Card viewCard() { return card; } public boolean equals(Object o) { if (!(o instanceof XCard)) { return false; } XCard cp = (XCard)o; return cp.card.equals(card) && cp.type.equals(type); } public static void main(String[] args) { XCard p1 = new XCard(1, "type1"); Card p2 = new Card(1); XCard p3 = new XCard(1, "type2"); XCard p4 = new XCard(1, "type1"); System.out.println(p1.equals(p2)); // Prints false System.out.println(p2.equals(p3)); // Prints false System.out.println(p1.equals(p3)); // Prints false System.out.println(p1.equals(p4)); // Prints true } }
Noncompliant Code Example (Consistency)
A Uniform Resource Locator (URL) specifies both the location of a resource and also a method to access it. According to the Java API documentation for Class URL [[API 2006]],
Two URL objects are equal if they have the same protocol, reference equivalent hosts, have the same port number on the host, and the same file and fragment of the file.
Two hosts are considered equivalent if both host names can be resolved into the same IP addresses; else if either host name can't be resolved, the host names must be equal without regard to case; or both host names equal to null.
The defined behavior for the equals()
method is known to be inconsistent with virtual hosting in HTTP.
Virtual hosting allows a web server to host multiple websites on the same computer, sometimes sharing the same IP address. Unfortunately, this technique was unanticipated when the URL
class was designed. Consequently, when two completely different URLs resolve to the same IP address, the URL class considers them to be equal.
Another risk associated with the equals()
method for URL
objects is that the logic it uses when connected to the Internet differs from that used when disconnected. When connected to the Internet, the equals()
method follows the steps described in the Java API; when disconnected, it performs a string compare on the two URLs. Consequently, the URL.equals()
method violates the consistency requirement for equals()
.
Consider an application that allows an organization's employees to access an external mail service via http://mailwebsite.com
. The application is designed to deny access to other websites by behaving as a makeshift firewall. However, a crafty or malicious user can nevertheless access an illegitimate website http://illegitimatewebsite.com
that is hosted on the same computer as the legitimate website and consequently shares the same IP address. Even worse, an attacker can register multiple websites (for phishing purposes) until one is registered on the same computer, consequently defeating the firewall.
public class Filter { public static void main(String[] args) throws MalformedURLException { final URL allowed = new URL("http://mailwebsite.com"); if (!allowed.equals(new URL(args[0]))) { throw new SecurityException("Access Denied"); } // Else proceed } }
Compliant Solution (strings)
This compliant solution compares two URLs' string representations, thereby avoiding the pitfalls of URL.equals()
.
public class Filter { public static void main(String[] args) throws MalformedURLException { final URL allowed = new URL("http://mailwebsite.com"); if (!allowed.toString().equals(new URL(args[0]).toString())) { throw new SecurityException("Access Denied"); } // Else proceed } }
This solution still has problems. Two URLs with different string representation can still refer to the same resource. However, the solution fails safe in this case because the equals()
contract is preserved, and the system will never allow a malicious URL to be accepted by mistake.
Compliant Solution (URI.equals()
)
A Uniform Resource Identifier (URI) contains a string of characters used to identify a resource; this is a more general concept than an URL. The java.net.URI
class provides string-based equals()
and hashCode()
methods that satisfy the general contracts for Object.equals()
and Object.hashCode()
; they do not invoke hostname resolution and are unaffected by network connectivity. URI
also provides methods for normalization and canonicalization that URL
lacks. Finally, the URL.toURI()
and URI.toURL()
methods provide easy conversion between the two classes. It is recommended to use URIs instead of URLs whenever possible. According to the Java API [[API 2006]] URI
class documentation,
A
URI
may be either absolute or relative. AURI
string is parsed according to the generic syntax without regard to the scheme, if any, that it specifies. No lookup of the host, if any, is performed, and no scheme-dependent stream handler is constructed.
This compliant solution uses a URI
object instead of a URL
. The filter appropriately blocks the website when present with a string different from http://mailwebsite.com
because the comparison fails.
public class Filter { public static void main(String[] args) throws MalformedURLException, URISyntaxException { final URI allowed = new URI("http://mailwebsite.com"); if (!allowed.equals(new URI(args[0]))) { throw new SecurityException("Access Denied"); } // Else proceed } }
Additionally, the URI
class also performs normalization (removing extraneous path segments like '..') and relativization of paths [[API 2006]] and [[Darwin 2004]].
Noncompliant Code Example (java.security.Key
)
The method java.lang.Object.equals()
by default, is unable to compare composite objects such as cryptographic keys. Most Key
classes lack an equals()
implementation that overrides Object's default implementation. In such cases, the components of the composite object must be compared individually to ensure correctness.
This noncompliant code example compares two keys using the equals()
method. The comparison may return false even when the key instances represent the same logical key.
private static boolean keysEqual(Key key1, Key key2) { if (key1.equals(key2)) { return true; } }
Compliant Solution (java.security.Key
)
This compliant solution uses the equals()
method as a first test, then compares the encoded version of the keys to facilitate provider-independent behavior. For example, this code can determine whether a RSAPrivateKey
and RSAPrivateCrtKey
represent equivalent private keys [[Sun 2006]].
private static boolean keysEqual(Key key1, Key key2) { if (key1.equals(key2)) { return true; } if (Arrays.equals(key1.getEncoded(), key2.getEncoded())) { return true; } // More code for different types of keys here. // For example, the following code can check if // an RSAPrivateKey and an RSAPrivateCrtKey are equal: if ((key1 instanceof RSAPrivateKey) && (key2 instanceof RSAPrivateKey)) { if ((((RSAKey) key1).getModulus().equals(((RSAKey) key2).getModulus())) && (((RSAPrivateKey) key1).getPrivateExponent().equals( ((RSAPrivateKey) key2).getPrivateExponent()))) { return true; } } return false; }
Exceptions
MET08-EX0: This rule may be violated provided that the incompatible types are never compared. There are classes in the Java platform libraries (and elsewhere) that extend an instantiable class by adding a value component. For example, java.sql.Timestamp
extends java.util.Date
and adds a nanoseconds field. The equals
implementation for Timestamp
violates symmetry and can cause erratic behavior if Timestamp
and Date
objects are used in the same collection or are otherwise intermixed [[Bloch 2008]].
Risk Assessment
Violating the general contract when overriding the equals()
method can lead to unexpected results.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
MET08-J |
low |
unlikely |
medium |
P2 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CWE ID 697, "Insufficient Comparison" |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8ec4cd74-eb84-437d-b120-6768f9a417e9"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
[method equals() |
http://java.sun.com/j2se/1.4.2/docs/api/java/lang/Object.html#equals(java.lang.Object)] |
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="34c1cfb1-eb96-4ab0-bcd2-c2c4a13f4d12"><ac:plain-text-body><![CDATA[ |
[[Bloch 2008 |
AA. Bibliography#Bloch 08]] |
Item 8: Obey the general contract when overriding equals |
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2b39e086-6d3e-4618-af6a-f5a1a2914adc"><ac:plain-text-body><![CDATA[ |
[[Darwin 2004 |
AA. Bibliography#Darwin 04]] |
9.2 Overriding the equals method |
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cbe3b677-c91b-4275-88f6-f021541e5819"><ac:plain-text-body><![CDATA[ |
[[Harold 1997 |
AA. Bibliography#Harold 97]] |
Chapter 3: Classes, Strings, and Arrays, The Object Class (equality) |
]]></ac:plain-text-body></ac:structured-macro> |
[[Sun 2006]] Determining If Two Keys Are Equal (JCA Reference Guide)
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="054e0905-0693-4041-a7d4-13c4e090a02a"><ac:plain-text-body><![CDATA[ |
[[Techtalk 2007 |
AA. Bibliography#Techtalk 07]] |
"More Joy of Sets" |
]]></ac:plain-text-body></ac:structured-macro> |
05. Methods (MET) MET09-J. Classes that define an equals() method must also define a hashCode() method