Difference between non-final public static and non-final public instance fields in terms of security?
I am going through this link, OBJ10-J. Do not use public static nonfinal fields, and it says that:

Client code can trivially access public static fields because access to such fields are not checked by a security manager.

What do they actually mean by that? I.e. what do they mean by escaping from the security manager?

If they simply meant it because the field is non-final and public, then how come non-final, public instance fields are different from their static counterparts? (as far as code security is concerned)

I have been through this question and have not seen any mention in terms of security: Why are static variables considered evil

A public class's public static fields would be accessible from anywhere, and so would public instance fields too, so where is the difference? Why are non-final public instance fields not a security issue but being static is?
That's because the case of non-static fields is already covered by OBJ01-J. Limit accessibility of fields

public instance fields are covered by OBJ01-J for slightly different reasons. For one, you need to have a reference to an instance before you can change public instance fields, while public static fields can be accessed directly at class level. But both are against the CERT rules.
Why are non-final public instance fields not a security issue but being static is?

If you want to access an instance field you need the reference to that object instance. If you don't have a reference you can't access it.

So your code can control to which objects a reference is passed. If malicious code tries to hijack one of your objects using reflection to get a reference you can install a security manager to prevent this.

On the other side a public static field can be accessed from everybody that has access to the class, because the Class object is accessible. So malicious code might only use

YourClass.PUBLIC_INSTANCE_FIELD = someValue;

or the reflection way

import java.lang.reflect.Field;

Class clazz = Class.forName("YourClass");
Field publicStaticField = clazz.getDeclaredField("PUBLIC_INSTANCE_FIELD");
publicStaticField.set(null, someValue); // target is null: no instance is needed for a static field
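The distinction drawn in both answers (a static field is reachable through the class alone, an instance field only through a reference you hold, and both are discouraged by OBJ01-J/OBJ10-J) can be seen end to end in the following added example. It is not code from the question or the answers; the classes `Config`, `Session`, `SafeConfig` and `SafeSession` and the field values are constructed for illustration.

```java
import java.lang.reflect.Field;

// Added example, not part of the original Q&A. Class and field names are constructed.
public class StaticFieldExposure {

    // The anti-pattern from OBJ10-J: public static non-final state.
    // Any code that can name the class can read or overwrite it; no instance is required.
    static class Config {
        public static String logPath = "/var/log/app.log";
    }

    // A public non-final instance field (discouraged by OBJ01-J), but a caller
    // must first obtain a reference to a specific Session object to touch it.
    static class Session {
        public String user = "alice";
    }

    // Hardened static form: private and final, exposed read-only through a method.
    static final class SafeConfig {
        private static final String LOG_PATH = "/var/log/app.log";
        public static String logPath() { return LOG_PATH; }
    }

    // Hardened instance form: private final field, immutable after construction.
    static final class SafeSession {
        private final String user;
        SafeSession(String user) { this.user = user; }
        public String user() { return user; }
    }

    public static void main(String[] args) throws Exception {
        // 1. Direct write: the class name alone is enough for the static field.
        Config.logPath = "/tmp/other.log";
        System.out.println("static after direct write:     " + Config.logPath);

        // 2. Reflective write: still no instance needed, the target object is null.
        Field f = Config.class.getDeclaredField("logPath");
        f.set(null, "/dev/null");
        System.out.println("static after reflective write: " + Config.logPath);

        // 3. Instance field: a write is only possible on an object the caller holds.
        Session mine = new Session();          // the only reference lives in this scope
        Field uf = Session.class.getDeclaredField("user");
        uf.set(mine, "mallory");               // impossible without the reference 'mine'
        System.out.println("instance after reflective write: " + mine.user);

        // 4. Hardened forms: there is no writable field to reach.
        //    SafeConfig.LOG_PATH = "x";  would not compile (private, final).
        //    Field.set on a static final field throws even after setAccessible(true).
        Field lp = SafeConfig.class.getDeclaredField("LOG_PATH");
        lp.setAccessible(true);
        try {
            lp.set(null, "/tmp/other.log");
        } catch (IllegalAccessException e) {
            System.out.println("static final rejected reflective write: " + e.getMessage());
        }
        System.out.println("SafeConfig.logPath():   " + SafeConfig.logPath());
        System.out.println("SafeSession user:       " + new SafeSession("alice").user());
    }
}
```

Run it with `javac StaticFieldExposure.java && java StaticFieldExposure`. The point of step 4 is that marking the static field `final` closes both the direct and the reflective write path, regardless of a security manager; that matters because `SecurityManager` has been deprecated for removal since Java 17 (JEP 411), so limiting field accessibility, as OBJ01-J asks, is the control to rely on rather than a runtime permission check.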