first, lazy single case mode, resolution of reflection and deserialization vulnerabilities
Package Com.iter.devbox.singleton;
Import java.io.ObjectStreamException;
Import java.io.Serializable; /** * Lazy (how to prevent reflection and deserialization vulnerabilities) * @author Shearer * * */public class SINGLETONDEMO6 implements serializable{//class initialization, do not initialize this
Objects (deferred loading, and then created when they are really used) private static SINGLETONDEMO6 instance;
Private SingletonDemo6 () {///prevent reflection from getting multiple objects vulnerability if (null!= instance) {throw new RuntimeException (); }//method synchronization, invoke inefficient public static synchronized SingletonDemo6 getinstance () {if (null = = Instance) Instance = new
SingletonDemo6 ();
return instance;
//Prevent deserialization of a vulnerability that obtains multiple objects.
Either implementing the Serializable interface or the Externalizable interface, the Readresolve () method is invoked when the object is read from the I/O stream.
In effect, the object that is created during deserialization is replaced directly with the object returned in Readresolve ().
Private Object Readresolve () throws objectstreamexception {return instance;
}} package Com.iter.devbox.singleton;
Import Java.io.FileInputStream;
Import Java.io.FileOutputStream;
Import Java.io.ObjectInputStream;
Import Java.io.ObjectOutputStream; public class Client2 {public static void Main (string[] args) throws Exception {SingletonDemo6 SC1 = singletondemo6.getinstance ();
SingletonDemo6 SC2 = Singletondemo6.getinstance (); System.out.println (SC1);
SC1,SC2 is the same object System.out.println (SC2); Calling a private constructor directly by reflection (by throwing an exception in the constructor resolves the vulnerability)/* class<singletondemo6> clazz = (class<singletondemo6>)
Class.forName ("Com.iter.devbox.singleton.SingletonDemo6");
constructor<singletondemo6> c = clazz.getdeclaredconstructor (null); C.setaccessible (TRUE);
Skip permission Check SingletonDemo6 sc3 = C.newinstance ();
SingletonDemo6 SC4 = C.newinstance (); System.out.println (SC3); SC3,SC4 is not the same object System.out.println (SC4);/////////////////////////1 to implement the serializable interface for the class.
Write the object SC1 to the hard disk file FileOutputStream fos = new FileOutputStream ("Object.out");
ObjectOutputStream oos = new ObjectOutputStream (FOS);
Oos.writeobject (SC1);
Oos.close ();
Fos.close (); 2. Read the object on the hard drive file ObjectInputStream ois = new ObjectInputStream (New FileInputStream("Object.out")); If the object defines the Readresolve () method, ReadObject () invokes the Readresolve () method.
This resolves the SingletonDemo6 sc5 = (SINGLETONDEMO6) ois.readobject () of the deserialized vulnerability. The deserialized object, and the original object, is not the same object.
This problem can be resolved if the object defines the Readresolve () method.
System.out.println (SC5);
Ois.close ();
}
}
second, static internal class-style single case mode (resolution of reflection and deserialization vulnerability)
Package Com.iter.devbox.singleton;
Import java.io.ObjectStreamException;
Import java.io.Serializable; /** * Static inner class implementation (also a lazy loading method) * This way: thread-safe, efficient invocation, and implementation of deferred loading * Resolution of reflection and deserialization vulnerability * @author Shearer */public class Singletonde Mo7 implements serializable{private static class Singletonclassinstance {private static final SingletonDemo7 Instan
CE = new SingletonDemo7 ();
}//method is not synchronized, the call efficiency high public static SingletonDemo7 getinstance () {return singletonclassinstance.instance; //Prevent reflection from getting multiple objects Private SingletonDemo7 () {if (null!= singletonclassinstance.instance) throw new Runtimeexcep
tion (); //Prevent deserialization of a vulnerability to get multiple objects Private object Readresolve () throws Objectstreamexception {return singletonclassinstance.ins
tance;
}} package Com.iter.devbox.singleton;
Import Java.io.FileInputStream;
Import Java.io.FileOutputStream;
Import Java.io.ObjectInputStream;
Import Java.io.ObjectOutputStream;
Import Java.lang.reflect.Constructor; public class Client3 {public static void Main (string[] args) throws Exception {SingletonDemo7 SC1 = singletondemo7.getinstance ();
SingletonDemo7 SC2 = Singletondemo7.getinstance (); System.out.println (SC1);
SC1,SC2 is the same object System.out.println (SC2); Call a private constructor directly by reflection (by throwing an exception in the constructor to resolve the vulnerability) class<singletondemo7> Clazz = (class<singletondemo7>)
Class.forName ("Com.iter.devbox.singleton.SingletonDemo7");
constructor<singletondemo7> c = clazz.getdeclaredconstructor (null); C.setaccessible (TRUE);
Skip permission Check SingletonDemo7 sc3 = C.newinstance ();
SingletonDemo7 SC4 = C.newinstance (); System.out.println ("Object acquired by means of reflection SC3:" + sc3);
SC3,SC4 is not the same object System.out.println ("the object obtained by means of reflection SC4:" + sc4); Construct multiple objects by deserialization (class needs to implement Serializable interface)//1.
Write the object SC1 to the hard disk file FileOutputStream fos = new FileOutputStream ("Object.out");
ObjectOutputStream oos = new ObjectOutputStream (FOS);
Oos.writeobject (SC1);
Oos.close ();
Fos.close (); 2. Read the object on the hard drive file ObjectInputStream ois = new ObjectInputStream (New FileInputStream ("Object.out")); If the object defines the Readresolve () method, ReadObject () invokes the Readresolve () method.
This resolves the SingletonDemo7 sc5 = (SingletonDemo7) ois.readobject () of the deserialized vulnerability. The deserialized object, and the original object, is not the same object.
This problem can be resolved if the object defines the Readresolve () method.
The SYSTEM.OUT.PRINTLN ("object defines the Readresolve () method, by deserializing the object:" + sc5);
Ois.close ();
}
}