Java design Pattern (i): Single case mode to prevent reflection and deserialization vulnerabilities _

Java design Pattern (i): Single case mode to prevent reflection and deserialization vulnerabilities __java

Last Update:2018-07-26 Source: Internet

Author: User

Tags reflection static class

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

first, lazy single case mode, resolution of reflection and deserialization vulnerabilities

Package Com.iter.devbox.singleton;
Import java.io.ObjectStreamException;

Import java.io.Serializable; /** * Lazy (how to prevent reflection and deserialization vulnerabilities) * @author Shearer * * */public class SINGLETONDEMO6 implements serializable{//class initialization, do not initialize this
	
	Objects (deferred loading, and then created when they are really used) private static SINGLETONDEMO6 instance;
		Private SingletonDemo6 () {///prevent reflection from getting multiple objects vulnerability if (null!= instance) {throw new RuntimeException ();  }//method synchronization, invoke inefficient public static synchronized SingletonDemo6 getinstance () {if (null = = Instance) Instance = new
		SingletonDemo6 ();
	return instance;
	//Prevent deserialization of a vulnerability that obtains multiple objects.
	Either implementing the Serializable interface or the Externalizable interface, the Readresolve () method is invoked when the object is read from the I/O stream.
	In effect, the object that is created during deserialization is replaced directly with the object returned in Readresolve ().
	Private Object Readresolve () throws objectstreamexception {return instance;

}} package Com.iter.devbox.singleton;
Import Java.io.FileInputStream;
Import Java.io.FileOutputStream;
Import Java.io.ObjectInputStream;

Import Java.io.ObjectOutputStream; public class Client2 {public static void Main (string[] args) throws Exception {SingletonDemo6 SC1 = singletondemo6.getinstance ();
		SingletonDemo6 SC2 = Singletondemo6.getinstance (); System.out.println (SC1);
		
		SC1,SC2 is the same object System.out.println (SC2); Calling a private constructor directly by reflection (by throwing an exception in the constructor resolves the vulnerability)/* class<singletondemo6> clazz = (class<singletondemo6>)
		Class.forName ("Com.iter.devbox.singleton.SingletonDemo6");
		constructor<singletondemo6> c = clazz.getdeclaredconstructor (null); C.setaccessible (TRUE);
		Skip permission Check SingletonDemo6 sc3 = C.newinstance ();
		SingletonDemo6 SC4 = C.newinstance ();  System.out.println (SC3); SC3,SC4 is not the same object System.out.println (SC4);/////////////////////////1 to implement the serializable interface for the class.
		Write the object SC1 to the hard disk file FileOutputStream fos = new FileOutputStream ("Object.out");
		ObjectOutputStream oos = new ObjectOutputStream (FOS);
		Oos.writeobject (SC1);
		Oos.close ();
		
		Fos.close (); 2. Read the object on the hard drive file ObjectInputStream ois = new ObjectInputStream (New FileInputStream("Object.out")); If the object defines the Readresolve () method, ReadObject () invokes the Readresolve () method.
		This resolves the SingletonDemo6 sc5 = (SINGLETONDEMO6) ois.readobject () of the deserialized vulnerability. The deserialized object, and the original object, is not the same object.
		This problem can be resolved if the object defines the Readresolve () method. 
		System.out.println (SC5);
	Ois.close ();
 }

}

second, static internal class-style single case mode (resolution of reflection and deserialization vulnerability)

Package Com.iter.devbox.singleton;
Import java.io.ObjectStreamException;

Import java.io.Serializable; /** * Static inner class implementation (also a lazy loading method) * This way: thread-safe, efficient invocation, and implementation of deferred loading * Resolution of reflection and deserialization vulnerability * @author Shearer */public class Singletonde Mo7 implements serializable{private static class Singletonclassinstance {private static final SingletonDemo7 Instan
	CE = new SingletonDemo7 ();
	}//method is not synchronized, the call efficiency high public static SingletonDemo7 getinstance () {return singletonclassinstance.instance; //Prevent reflection from getting multiple objects Private SingletonDemo7 () {if (null!= singletonclassinstance.instance) throw new Runtimeexcep
	tion (); //Prevent deserialization of a vulnerability to get multiple objects Private object Readresolve () throws Objectstreamexception {return singletonclassinstance.ins
	tance;

}} package Com.iter.devbox.singleton;
Import Java.io.FileInputStream;
Import Java.io.FileOutputStream;
Import Java.io.ObjectInputStream;
Import Java.io.ObjectOutputStream;

Import Java.lang.reflect.Constructor; public class Client3 {public static void Main (string[] args) throws Exception {SingletonDemo7 SC1 = singletondemo7.getinstance ();
		SingletonDemo7 SC2 = Singletondemo7.getinstance (); System.out.println (SC1);
		
		SC1,SC2 is the same object System.out.println (SC2); Call a private constructor directly by reflection (by throwing an exception in the constructor to resolve the vulnerability) class<singletondemo7> Clazz = (class<singletondemo7>)
		Class.forName ("Com.iter.devbox.singleton.SingletonDemo7");
		constructor<singletondemo7> c = clazz.getdeclaredconstructor (null); C.setaccessible (TRUE);
		Skip permission Check SingletonDemo7 sc3 = C.newinstance ();
		SingletonDemo7 SC4 = C.newinstance ();  System.out.println ("Object acquired by means of reflection SC3:" + sc3);
		
		SC3,SC4 is not the same object System.out.println ("the object obtained by means of reflection SC4:" + sc4); Construct multiple objects by deserialization (class needs to implement Serializable interface)//1.
		Write the object SC1 to the hard disk file FileOutputStream fos = new FileOutputStream ("Object.out");
		ObjectOutputStream oos = new ObjectOutputStream (FOS);
		Oos.writeobject (SC1);
		Oos.close ();
		
		Fos.close (); 2. Read the object on the hard drive file ObjectInputStream ois = new ObjectInputStream (New FileInputStream ("Object.out")); If the object defines the Readresolve () method, ReadObject () invokes the Readresolve () method.
		This resolves the SingletonDemo7 sc5 = (SingletonDemo7) ois.readobject () of the deserialized vulnerability. The deserialized object, and the original object, is not the same object.
		This problem can be resolved if the object defines the Readresolve () method. 
		The SYSTEM.OUT.PRINTLN ("object defines the Readresolve () method, by deserializing the object:" + sc5);
	Ois.close ();
 }

}

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More