Newsletter sign-up
View all newsletters

Enterprise Java Newsletter
Stay up to date on the latest tutorials and Java community news posted on JavaWorld

Sponsored Links

Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs

JavaWorld.com > Java Standard Edition >

Twelve rules for developing more secure Java code

Writing security-conscious Java code can help you avoid security surprises

By Gary Mcgraw and Edward Felten, JavaWorld.com, 12/01/98

  • Print
  • Feedback
. What's this?

Page 2 of 5

  • Make all static variables private. If you want to allow outside code to access static variables in the class, this should be done via static get and set methods. This keeps outside code from accessing noninitialized static variables. If you're following Rule 3, you'll make the get and set methods final.

  • Add a new private static boolean variable, classInitialized, to the class.

  • Have the static constructor set the initialized variable as its last action before returning.

  • Before doing anything, have each static method and each constructor verify that classInitialized is true. (Note: constructors are required to call a constructor of the superclass, or another constructor of the same class, as their first action. So you will have to do that before you check classInitialized.)


Rule 2: Limit access to your classes, methods, and variables

Every class, method, and variable that is not private provides a potential entry point for an attacker. By default, everything should be private. Make something nonprivate only with good reason, and document that reason.

Rule 3: Make everything final (unless there's a good reason not to)



If a class or method isn't final, an attacker could try to extend it in a dangerous and unforeseen way. By default, everything should be final. Make something nonfinal only if there is a good reason, and document that reason.

You might think you can prevent an attacker from extending your class or its methods by declaring the class nonpublic. But if a class isn't public, it must be accessible from within the same package, and as Rule 4 (below) says, you shouldn't to rely on package scope access restrictions for security.

This advice may seem harsh. After all, the rule is asking you to give up extensibility, which is one of the main benefits of using an object-oriented language like Java. But when you're trying to provide security, extensibility is your enemy: it just provides an attacker with more ways to cause trouble.

Rule 4: Don't depend on package scope

Classes, methods, and variables that aren't explicitly labeled as public, private, or protected are accessible within the same package. Don't rely on this for security. Java classes aren't closed, so an attacker could introduce a new class into your package and use this new class to access the things you thought you were hiding. (A few packages, such as java.lang, are closed by default, and a few Java virtual machines (JVMs) let you close your own packages. But you're better off assuming packages aren't closed.)

Package scope makes a lot of sense from a software-engineering standpoint, since it prevents innocent, accidental access to things you want to hide. But don't depend on it for security.

Maybe we'll get sealed classes in the future.

Rule 5: Don't use inner classes

Some Java language books say inner classes can be accessed only by the outer classes that enclose them. But this isn't true. Java bytecode has no concept of inner classes, so inner classes are translated by the compiler into ordinary classes that happen to be accessible to any code in the same package. And Rule 4 says not to depend on package scope for protection.

  • Print
  • Feedback
What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?

Resources
  • McGraw, G. and Felten, E. (1998) Securing JavaGetting down to business with mobile code. John Wiley & Sons, New York. http://www.rstcorp.com/java-security.html
  • The Java Security Web site -- this splash page for Securing Java includes pointers to trade articles, a mailing list, and information about author events http://www.rstcorp.com/java-security.html
  • Splash page for Securing Java includes pointers to trade articles,
  • a mailing list, and information about author events
  • The Java Security Hotlist offers more than 100 links in 9 categories, covering every Java security Web site the authors have found http://www.rstcorp.com/javasecurity/links.html
  • Princeton's Secure Internet Programming Team -- the Princeton team's Website, featuring 2 FAQs and several technical articles http://www.cs.princeton.edu/sip
  • Java's Security Architect, Li Gong, has a Java Security Home Page that includes pointers to Li's security articles http://java.sun.com/people/gong/java/security.html
  • Javasoft's Java Security Page (straight from the horse's mouth; take with grain of salt) http://java.sun.com/security/
  • "Privileged code in JavaWhy the API changed from JDK1.2beta3 to JDK1.2beta4," a technical article by Gary McGraw and John Viega explaining the resoning behind the security API change and what could be improved http://www.developer.com/journal/techfocus/083198_jsecur.html