
Difference between non-final public static and non-final public instance fields in terms of security?

I am going through this link, OBJ10-J. Do not use public static nonfinal fields, and it says that:

Client code can trivially access public static fields because access to such fields is not checked by a security manager.

What do they actually mean by that, i.e. what do they mean by escaping from the security manager?

If they simply mean it because the field is non-final and public, then how are non-final, public instance fields different from their static counterparts (as far as code security is concerned)?

I have been through this question, Why are static variables considered evil, and have not seen any mention of security.

A public class's public static fields would be accessible from anywhere, and so would public instance fields, so where is the difference? Why are non-final public instance fields not a security issue, while static ones are?

That's because the case of non-static fields is already covered by OBJ01-J. Limit accessibility of fields.

Public instance fields are covered by OBJ01-J for slightly different reasons. For one, you need to have a reference to an instance before you can change public instance fields, while public static fields can be accessed directly at class level. But both are against the CERT rules.

Why are non-final public instance fields not a security issue, while static ones are?

If you want to access an instance field you need a reference to that object instance. If you don't have a reference, you can't access it.

So your code can control to which objects a reference is passed. If malicious code tries to hijack one of your objects using reflection to get a reference, you can install a security manager to prevent this.

On the other side, a public static field can be accessed by everybody that has access to the class, because the Class object is accessible. So malicious code might only use

YourClass.PUBLIC_INSTANCE_FIELD = someValue;

or the reflection way

import java.lang.reflect.Field;

// The class is looked up by name, so no instance of YourClass is needed;
// passing null as the target of set() means "write the static field".
Class<?> clazz = Class.forName("YourClass");
Field publicStaticField = clazz.getDeclaredField("PUBLIC_INSTANCE_FIELD");
publicStaticField.set(null, someValue);
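An added example, not code from the original question or either answer, that puts both answers into one Java program: a public static field written at class level and through reflection with no instance in hand, an instance field whose reflective write needs the object reference as its first argument, and a private static field where Field.setAccessible(true) is the single point a security manager can refuse. Every name in it (StaticFieldAccessDemo, Config, HardenedConfig, Session, NoSuppressAccessChecks, debugEnabled, retries) is constructed for the demo.

```java
import java.lang.reflect.Field;
import java.security.Permission;

// Added example (not from the original post). Shows why OBJ10-J treats public
// static non-final fields differently from instance fields: they are reachable
// through the Class object alone, and a public field never triggers the one
// hook a SecurityManager has over reflective writes, setAccessible(true).
public class StaticFieldAccessDemo {

    // The pattern OBJ10-J warns about: any code that can name the class can write it.
    static class Config {
        public static boolean debugEnabled = false;
    }

    // Hardened form: private state exposed read-only through a method the class controls.
    static class HardenedConfig {
        private static boolean debugEnabled = false;
        public static boolean isDebugEnabled() { return debugEnabled; }
    }

    // Instance field: a writer first needs a reference to a particular object.
    static class Session {
        public int retries = 0;
    }

    // Constructed manager: deny exactly the permission Field.setAccessible(true) asks for.
    static class NoSuppressAccessChecks extends SecurityManager {
        @Override public void checkPermission(Permission p) {
            if ("suppressAccessChecks".equals(p.getName())) {
                throw new SecurityException("suppressAccessChecks denied");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Class-level write, no instance involved: the case the question quotes.
        Config.debugEnabled = true;

        // 2. The same write via reflection. A public field needs no setAccessible(),
        //    so no security manager is ever consulted; null stands for "no instance".
        Field pub = Class.forName("StaticFieldAccessDemo$Config").getDeclaredField("debugEnabled");
        pub.set(null, false);
        System.out.println("Config.debugEnabled = " + Config.debugEnabled);

        // 3. Instance field: Field.set needs the object reference as its first argument,
        //    so code that was never handed a Session has nothing to pass here.
        Session s = new Session();
        Field retries = Session.class.getDeclaredField("retries");
        retries.set(s, 3);
        System.out.println("session.retries = " + s.retries);

        // 4. A private static field is where a security manager can intervene:
        //    setAccessible(true) checks ReflectPermission("suppressAccessChecks").
        try {
            System.setSecurityManager(new NoSuppressAccessChecks());
        } catch (UnsupportedOperationException e) {
            // JDK 18-23 refuse unless started with -Djava.security.manager=allow;
            // the API is deprecated for removal since JDK 17 (JEP 411) and
            // permanently disabled in JDK 24 (JEP 486).
            System.out.println("no SecurityManager on this JDK: " + e.getMessage());
            return;
        }
        Field priv = HardenedConfig.class.getDeclaredField("debugEnabled");
        try {
            priv.setAccessible(true);   // throws SecurityException under our manager
            priv.set(null, true);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println("HardenedConfig.debugEnabled = " + HardenedConfig.isDebugEnabled());
    }
}
```

Compile and run with `javac StaticFieldAccessDemo.java && java StaticFieldAccessDemo`. Steps 1 to 3 succeed on any JDK, which is the point: neither the public static write nor the public instance write passes through a security check, and only the instance write needed an object reference. Step 4 runs on JDK 17 (with a deprecation warning) and on JDK 18 to 23 with `-Djava.security.manager=allow`; elsewhere the program reports that no manager can be installed and stops, since the hook it demonstrates no longer exists there.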
