- •Table of Contents
- •Foreword
- •Preface
- •Acknowledgments
- •Item 1: Consider providing static factory methods instead of constructors
- •Item 2: Enforce the singleton property with a private constructor
- •Item 3: Enforce noninstantiability with a private constructor
- •Item 4: Avoid creating duplicate objects
- •Item 5: Eliminate obsolete object references
- •Item 6: Avoid finalizers
- •Item 7: Obey the general contract when overriding equals
- •Item 8: Always override hashCode when you override equals
- •Item 9: Always override toString
- •Item 10: Override clone judiciously
- •Item 11: Consider implementing Comparable
- •Item 12: Minimize the accessibility of classes and members
- •Item 13: Favor immutability
- •Item 14: Favor composition over inheritance
- •Item 15: Design and document for inheritance or else prohibit it
- •Item 16: Prefer interfaces to abstract classes
- •Item 17: Use interfaces only to define types
- •Item 18: Favor static member classes over nonstatic
- •Item 19: Replace structures with classes
- •Item 20: Replace unions with class hierarchies
- •Item 21: Replace enum constructs with classes
- •Item 22: Replace function pointers with classes and interfaces
- •Item 23: Check parameters for validity
- •Item 24: Make defensive copies when needed
- •Item 25: Design method signatures carefully
- •Item 26: Use overloading judiciously
- •Item 27: Return zero-length arrays, not nulls
- •Item 28: Write doc comments for all exposed API elements
- •Item 29: Minimize the scope of local variables
- •Item 30: Know and use the libraries
- •Item 31: Avoid float and double if exact answers are required
- •Item 32: Avoid strings where other types are more appropriate
- •Item 33: Beware the performance of string concatenation
- •Item 34: Refer to objects by their interfaces
- •Item 35: Prefer interfaces to reflection
- •Item 36: Use native methods judiciously
- •Item 37: Optimize judiciously
- •Item 38: Adhere to generally accepted naming conventions
- •Item 39:Use exceptions only for exceptional conditions
- •Item 40:Use checked exceptions for recoverable conditions and run-time exceptions for programming errors
- •Item 41:Avoid unnecessary use of checked exceptions
- •Item 42:Favor the use of standard exceptions
- •Item 43: Throw exceptions appropriate to the abstraction
- •Item 44:Document all exceptions thrown by each method
- •Item 45:Include failure-capture information in detail messages
- •Item 46:Strive for </vetbfailure atomicity
- •Item 47:Don't ignore exceptions
- •Item 48: Synchronize access to shared mutable data
- •Item 49: Avoid excessive synchronization
- •Item 50: Never invoke wait outside a loop
- •Item 51: Don't depend on the thread scheduler
- •Item 52: Document thread safety
- •Item 53: Avoid thread groups
- •Item 54: Implement Serializable judiciously
- •Item 55:Consider using a custom serialized form
- •Item 56:Write readObject methods defensively
- •Item 57: Provide a readResolve method when necessary
- •References
Effective Java: Programming Language Guide
fields, you must provide a readObject method that invokes the defaultReadObject method and then restores transient fields to acceptable values (Item 56). Alternatively, these fields can be lazily initialized the first time they are used.
Regardless of what serialized form you choose, declare an explicit serial version UID in every serializable class you write. This eliminates the serial version UID as a potential source of incompatibility (Item 54). There is also a small performance benefit. If no serial version UID is provided, an expensive computation is required to generate one at run time.
Declaring a serial version UID is simple. Just add this line to your class:
private static final long serialVersionUID = randomLongValue ;
It doesn't much matter which value you choose for randomLongValue. Common practice dictates that you generate the value by running the serialver utility on the class, but it's also fine to pick a number out of thin air. If you ever want to make a new version of the class that is incompatible with existing versions, merely change the value in the declaration. This will cause attempts to deserialize serialized instances of previous versions to fail with an
InvalidClassException.
To summarize, when you have decided that a class should be serializable (Item 54), think hard about what the serialized form should be. Only use the default serialized form if it is a reasonable description of the logical state of the object; otherwise design a custom serialized form that aptly describes the object. You should allocate as much time to designing the serialized form of a class as you allocate to designing its exported methods. Just as you cannot eliminate exported methods from future versions, you cannot eliminate fields from the serialized form; they must be preserved forever to ensure serialization compatibility. Choosing the wrong serialized form can have permanent, negative impact on the complexity and performance of a class.
Item 56:Write readObject methods defensively
Item 24 contains an immutable date-range class containing mutable private date fields. The class goes to great lengths to preserve its invariants and its immutability by defensively copying Date objects in its constructor and accessors. Here is the class:
//Immutable class that uses defensive copying public final class Period {
private final Date start; private final Date end;
/**
*@param start the beginning of the period.
*@param end the end of the period; must not precede start.
*@throws IllegalArgument if start is after end.
*@throws NullPointerException if start or end is null.
*/
public Period(Date start, Date end) {
this.start |
= |
new |
Date(start.getTime()); |
this.end |
= |
new |
Date(end.getTime()); |
166
Effective Java: Programming Language Guide
if (this.start.compareTo(this.end) > 0)
throw new IllegalArgumentException(start +" > "+ end);
}
public Date start () { return (Date) start.clone(); } public Date end () { return (Date) end.clone(); } public String toString() { return start + " - " + end; }
... // Remainder omitted
}
Suppose you decide that you want this class to be serializable. Because the physical representation of a Period object exactly mirrors its logical data content, it is not unreasonable to use the default serialized form (Item 55). Therefore, it might seem that all you have to do to make the class serializable is to add the words “implements Serializable” to the class declaration. If you did so, however, the class would no longer guarantee its critical invariants.
The problem is that the readObject method is effectively another public constructor, and it demands all of the same care as any other constructor. Just as a constructor must check its arguments for validity (Item 23) and make defensive copies of parameters where appropriate (Item 24), so must a readObject method. If a readObject method fails to do either of these things, it is a relatively simple matter for an attacker to violate the class's invariants.
Loosely speaking, readObject is a constructor that takes a byte stream as its sole parameter. In normal use, the byte stream is generated by serializing a normally constructed instance. The problem arises when readObject is presented with a byte stream that is artificially constructed to generate an object that violates the invariants of its class. Assume that we simply added “implements Serializable” to the class declaration for Period. This ugly program generates a Period instance whose end precedes its start:
public class BogusPeriod {
//Byte stream could not have come from real Period instance private static final byte[] serializedForm = new byte[] { (byte)0xac, (byte)0xed, 0x00, 0x05, 0x73, 0x72, 0x00, 0x06, 0x50, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x40, 0x7e, (byte)0xf8, 0x2b, 0x4f, 0x46, (byte)0xc0, (byte)0xf4, 0x02, 0x00, 0x02, 0x4c, 0x00, 0x03, 0x65, 0x6e, 0x64, 0x74, 0x00, 0x10, 0x4c, 0x6a, 0x61, 0x76, 0x61, 0x2f, 0x75, 0x74, 0x69, 0x6c, 0x2f, 0x44, 0x61, 0x74, 0x65, 0x3b, 0x4c, 0x00, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x71, 0x00, 0x7e, 0x00, 0x01, 0x78, 0x70, 0x73, 0x72, 0x00, 0x0e, 0x6a, 0x61, 0x76, 0x61, 0x2e, 0x75, 0x74, 0x69, 0x6c, 0x2e, 0x44, 0x61, 0x74, 0x65, 0x68, 0x6a, (byte)0x81, 0x01, 0x4b, 0x59, 0x74, 0x19, 0x03, 0x00, 0x00, 0x78, 0x70, 0x77, 0x08, 0x00, 0x00, 0x00, 0x66, (byte)0xdf, 0x6e, 0x1e, 0x00, 0x78, 0x73, 0x71, 0x00, 0x7e, 0x00, 0x03, 0x77, 0x08, 0x00, 0x00, 0x00, (byte)0xd5, 0x17, 0x69, 0x22, 0x00, 0x78 };
public static void main(String[] args) {
Period p = (Period) deserialize(serializedForm); System.out.println(p);
}
167
Effective Java: Programming Language Guide
//Returns the object with the specified serialized form public static Object deserialize(byte[] sf) {
try {
InputStream is = new ByteArrayInputStream(sf); ObjectInputStream ois = new ObjectInputStream(is); return ois.readObject();
} catch (Exception e) {
throw new IllegalArgumentException(e.toString());
}
}
}
The byte array literal used to initialize serializedForm was generated by serializing a normal Period instance and hand-editing the resulting byte stream. The details of the stream are unimportant to the example, but if you're curious, the serialization byte stream format is described in the Java™ Object Serialization Specification [Serialization, 6]. If you run this program, it prints “Fri Jan 01 12:00:00 PST 1999 - Sun Jan 01 12:00:00 PST 1984.”
Making Period serializable enabled us to create an object that violates its class invariants. To fix this problem, provide a readObject method for Period that calls defaultReadObject and then checks the validity of the deserialized object. If the validity check fails, the readObject method throws an InvalidObjectException, preventing the deserialization from completing:
private void readObject(ObjectInputStream s)
throws IOException, ClassNotFoundException { s.defaultReadObject();
// Check that our invariants are satisfied if (start.compareTo(end) > 0)
throw new InvalidObjectException(start +" after "+ end);
}
While this fix prevents an attacker from creating an invalid Period instance, there is a more subtle problem still lurking. It is possible to create a mutable Period instance by fabricating a byte stream that begins with a byte stream representing a valid Period instance and then appends extra references to the private Date fields internal to the Period instance. The attacker reads the Period instance from the ObjectInputStream and then reads the “rogue object references” that were appended to the stream. These references give the attacker access to the objects referenced by the private Date fields within the Period object. By mutating these Date instances, the attacker can mutate the Period instance. The following class demonstrates this attack:
public class MutablePeriod {
//A period instance public final Period period;
//period's start field, to which we shouldn't have access public final Date start;
//period's end field, to which we shouldn't have access public final Date end;
168
Effective Java: Programming Language Guide
public MutablePeriod() { try {
ByteArrayOutputStream bos =
new ByteArrayOutputStream(); ObjectOutputStream out =
new ObjectOutputStream(bos);
// Serialize a valid Period instance out.writeObject(new Period(new Date(), new Date()));
/*
*Append rogue "previous object refs" for internal
*Date fields in Period. For details, see "Java
*Object Serialization Specification," Section 6.4. */
byte[] ref = { 0x71, 0, 0x7e, 0, 5 }; // Ref #5 bos.write(ref); // The start field
ref[4] = 4; // Ref # 4 bos.write(ref); // The end field
// Deserialize Period and "stolen" Date references
ObjectInputStream |
in = new ObjectInputStream( |
|
new ByteArrayInputStream(bos.toByteArray())); |
||
period = (Period) |
in.readObject(); |
|
start |
= (Date) |
in.readObject(); |
end |
= (Date) |
in.readObject(); |
} catch (Exception e) |
{ |
|
throw new RuntimeException(e.toString());
}
}
}
To see the attack in action, run the following program:
public static void main(String[] args) { MutablePeriod mp = new MutablePeriod(); Period p = mp.period;
Date pEnd = mp.end;
//Let's turn back the clock pEnd.setYear(78); System.out.println(p);
//Bring back the 60's! pEnd.setYear(69); System.out.println(p);
}
Running this program produces the following output:
Wed Mar 07 23:30:01 PST 2001 - Tue Mar 07 23:30:01 PST 1978 Wed Mar 07 23:30:01 PST 2001 - Fri Mar 07 23:30:01 PST 1969
While the Period instance is created with its invariants intact, it is possible to modify its internal components at will. Once in possession of a mutable Period instance, an attacker might cause great harm by passing the instance on to a class that depends on Period's
169
Effective Java: Programming Language Guide
immutability for its security. This is not so farfetched: There are classes that depend on String's immutability for their security.
The source of the problem is that Period's readObject method is not doing enough defensive copying. When an object is deserialized, it is critical to defensively copy any field containing an object reference that a client must not possess. Therefore every serializable immutable class containing private mutable components must defensively copy these components in its readObject method. The following readObject method suffices to ensure Period's invariants and to maintain its immutability:
private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException { s.defaultReadObject();
// Defensively copy our mutable components start = new Date(start.getTime());
end = new Date(end.getTime());
// Check that our invariants are satisfied if (start.compareTo(end) > 0)
throw new InvalidObjectException(start +" after "+ end);
}
Note that the defensive copy is performed prior to the validity check and that we did not use Date's clone method to perform the defensive copy. Both of these details are required to protect Period against attack (Item 24). Note also that defensive copying is not possible for final fields. To use the readObject method, we must make the start and end fields nonfinal. This is unfortunate, but it is clearly the lesser of two evils. With the new readObject method in place and the final modifier removed from the start and end fields, the MutablePeriod class is rendered ineffective. The above attack program now generates this output:
Thu Mar 08 00:03:45 PST 2001 - Thu Mar 08 00:03:45 PST 2001 Thu Mar 08 00:03:45 PST 2001 - Thu Mar 08 00:03:45 PST 2001
There is a simple litmus test for deciding whether the default readObject method is acceptable. Would you feel comfortable adding a public constructor that took as parameters the values for each nontransient field in your object and stored the values in the fields with no validation whatsoever? If you can't answer yes to this question, then you must provide an explicit readObject method, and it must perform all of the validity checking and defensive copying that would be required of a constructor.
There is one other similarity between readObject methods and constructors, concerning nonfinal serializable classes. A readObject method must not invoke an overridable method, directly or indirectly (Item 15). If this rule is violated and the method is overridden, the overriding method will run before the subclass's state has been deserialized. A program failure is likely to result.
To summarize, any time you write a readObject method, adopt the mind-set that you are writing a public constructor that must produce a valid instance regardless of what byte stream it is given. Do not assume that the byte stream represents an actual serialized instance. While the examples in this item concern a class that uses the default serialized form, all of the issues
170