java编码规则（Java encoding rules）.docVIP

java编码规则（Java encoding rules） Java If you want to use Java to develop security programs, frankly, the first step (Java in learning after reading the two) is to Java security related materials, namely Gong [1999] and McGraw [1999] (after a special look at Section 7.1). You should also look through the release of Sun security code guide /security/seccodeguide.html. One group describes the security model of Java slides can get free from /javasec. Here are some key points of [1999], [1999] and McGraw guide Gong based on Sun: Dont use public domain or variable; declare them as private and provides access function to limit access to them. Unless there are very good reasons, the methods are set to private (if it does not do so, say the reason). These non proprietary methods must protect themselves, because they may receive contaminated data (unless otherwise they were protected). Avoid the use of static variables. This variable is attached to the class (not an instance of a class), and other class can be located. The result is that the static domain variables can be found in other classes, so it is difficult to ensure their safety. Never put the variable object back to the potentially malicious code (because the code may change it). Note that the array is variable (even if the contents of the array is not variable), so dont return a containing sensitive data array references. The variable object never saved directly given by the user (including an array of objects). Otherwise, the user can put the object to the security code, let the security code check, and try to change the security code in data using data. Copy them in the internal storage array should be careful before, and (for example, alert the user written copy routines). Dont rely on initialization. There are several methods to allocate memory uninitialized object. Unless there are very good reasons, should make everything is ok. If a class or method is not identified, the attacker can not predict method in some d