Welcome Guest!
Create Account | Login
Locator+ Code:

Search:
FTPOnline Channels Conferences Resources Hot Topics Partner Sites Magazines About FTP RSS 2.0 Feed

Free Subscription to Java Pro

email article
printer friendly
more resources

Rule 3: Avoid Comparing Class Objects by Name
Ensure your Java code is secure

Posted March 24, 2004

Editor's Note: Java Pro Online presents a weekly rule for ensuring the security of Java systems. This discussion provides the third rule to follow as you begin your strategy for ensuring your Java applications are secure. See the entire index of Java code security rules here.

This rule prohibits comparing class objects with the getName() method. More than one class in a running Java Virtual Machine (JVM) may have the same name. As a result, a hacker can create a class with malicious code and give it the same name as your class. When you compare classes by name, the comparison would not recognize this difference. When you compare classes by object equality, the difference would be detected. Here is sample code that violates this rule:

package examples.rules.security;

public class CMP {
  public boolean sameClass (
    Object o) {
    Class thisClass = 
      this.getClass();
    Class otherClass = 
      o.getClass();
    return (thisClass.getName() == 
      otherClass.getName());  
      //VIOLATION
  }
}

To correct this code, modify it to directly compare thisClass and otherClass for equality:

package examples.rules.security;

public class CMP {
  public boolean sameClass (
    Object o) {
    Class thisClass = 
      this.getClass();
    Class otherClass = 
      o.getClass();
    return (thisClass == 
      otherClass);  // FIXED
  }
}

Rule sources: " IEEE Software: "Statically Scanning Java Code: Finding Security Vulnerabilities" John Viega, Gary McGraw, Tom Mutdosch, and Edward W. Felten (September/October 2000).

"Twelve Rules for Developing More Secure Java Code" Gary McGraw and Edward Felten. JavaWorld (December, 1998)

About the Author
Adam Kolawa, Ph.D, is the chairman and CEO of Parasoft. He is a writer and speaker on industry issues and in 2001 was awarded the Los Angeles Ernst & Young Entrepreneur of the Year Award in the software category. Gina Assaf has been developing, designing, testing, and implementing applications in Java for over six years, and has researched and developed coding standards for Parasoft, many of which provide security for Java applications. Roberto Scaramuzzi, Ph.D., is a Java and Perl Developer for Parasoft in San Diego, California. Born in Italy, he later moved to the United States to obtain his doctorate in Mathematics from Yale University. Contact the authors at .




Back to top











Java Pro | Visual Studio Magazine | Windows Server System Magazine
.NET Magazine | Enterprise Architect | XML & Web Services Magazine
VSLive! | Thunder Lizard Events | Discussions | Newsletters | FTP Home
 
© Copyright 2001-2006 Fawcette Technical Publications | Privacy Policy | Contact Us

Benidorm

Clitheroe

Faliraki

Katsaros (Skiathos)

Maspalomas (Gran Canaria)

Didim

Dhigurah (Gaafu Alifu Atoll)

Llanddarog

Felton (Somerset)

Side

Mullion

Oludeniz

Cala Mesquida (Mallorca)

Taghazout

Gateshead

Sunny Beach

Port de Alcudia (Mallorca)

Newent