If the list needs something to talk about, I have a question about
Java and inner classes. (Back in 2000 there was a Security Focus
thread on this topic, but things may have changed.)
Some of the security guidelines contain an item that inner classes
(or at least public, non-static inner classes) are to be avoided. The
alleged problem is that a Java compiler has to change the access
modifiers of any members accessed by the inner class because the JVM
can't treat an inner class any differently from a regular class. A
private member will be recast into package scope, that is, what a
class has marked as private becomes accessible to any class in the
package.
As far as I can tell, this item comes from a set of guidelines
written by Gary McGraw and Edward Felten back in 1998.
(http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules_p.html)
I don't have a Java 1.1 compiler to experiment with, but the Java 1.4
compilers (Sun's javac and IBM's jikes) do not seem to actually
change the access specifier, according to javap.
What these compilers do is add new static access methods that the
inner classes can call to do things with the private members of the
outer class. The inner class gets an extra member that is a reference
to the outer class so it knows which instance of the outer class it
belongs to.
The counter argument asserts that what this really shows is that the
Java language is treating all class members orthogonally, which is a
good thing. A class member is a class member. (In C++, inner classes
do not get this access to the outer class automatically. This is an
indicator that C++ is less orthogonal in its treatment of class
members and this is a weakness in the language.)
Although I haven't actually made it work, it seems to me that calls
to these access methods used by the inner classes could be inserted
into third party classes. Does anyone know of a case where this has
been done? Are the problems with inner classes historical or do they
still exist?
Craig
--
Internet: cew (at) ACM (dot) ORG
"There are 10 kinds of people in the world: Those who understand
binary and those who don't."
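
The following is an added example, not part of the original post: a reflection-based audit that reports what the compiler actually generated for an inner class, namely the declared access of the private field, any synthetic non-private accessor methods on the outer class, and the hidden outer-instance reference. The names Vault, Reader and AccessorAudit are constructed for illustration.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

// Constructed sample: an outer class whose inner class reads a private field.
class Vault {
    private int secret = 42;

    class Reader {
        int read() { return secret; }   // needs access to Vault.secret
    }
}

public class AccessorAudit {
    // Lists compiler-generated (synthetic) methods of c that are not private,
    // i.e. methods other classes in the same package are able to call.
    static List<String> syntheticNonPrivateMethods(Class<?> c) {
        List<String> found = new ArrayList<>();
        for (Method m : c.getDeclaredMethods()) {
            if (m.isSynthetic() && !Modifier.isPrivate(m.getModifiers())) {
                found.add(Modifier.toString(m.getModifiers()) + " " + m.getName());
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Declared access of the field itself (what javap reports for it).
        Field f = Vault.class.getDeclaredField("secret");
        System.out.println("Vault.secret declared as: " + Modifier.toString(f.getModifiers()));

        // Accessor methods added to the outer class, if any. Class files built
        // for Java 11 or later use nest-based access control (JEP 181) instead,
        // so this list is empty there.
        System.out.println("synthetic non-private methods on Vault: "
                + syntheticNonPrivateMethods(Vault.class));

        // Hidden reference from the inner instance to its outer instance.
        for (Field g : Vault.Reader.class.getDeclaredFields()) {
            if (g.isSynthetic()) {
                System.out.println("synthetic field on Vault.Reader: "
                        + g.getType().getName() + " " + g.getName());
            }
        }
    }
}
```

Running the same check over the classes of a deployed package shows whether any private state is reachable through package-scope accessors in that particular build.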