Saturday, July 9, 2011

Secure Your Java Code Against the finalizer Vulnerability

Finalizers can cause a vulnerability in Java code when used to create objects. The exploit is a variation of the well-known technique of using a finalizer for resurrecting an object. When an object with a finalize() method becomes unreachable, it is put on a queue to be processed at some later time. This article explains how the exploit works and shows how you can protect your code from it.

Following is the best part of the article:

Until the third edition of the Java Language Specification (JLS) was implemented in Java SE 6, the only ways to avoid the attack — using an initialized flag, prohibiting subclassing, or creating a final finalizer — were unsatisfactory solutions.

To prevent this kind of attack without introducing extra code or restrictions, the Java designers modified the JLS to state that if an exception is thrown in a constructor before java.lang.Object is constructed, the finalize() method of that object will not be executed.

Read the article to see "how can an exception be thrown before java.lang.Object is constructed?"
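As an added illustration (not code from the original post or from the article it summarises), here is the vulnerable constructor pattern beside the hardened one that relies on the JLS rule quoted above; the Account classes and the negative-balance check are assumed for the example:

```java
import java.util.concurrent.atomic.AtomicBoolean;

// Vulnerable pattern: the implicit super() has already constructed
// java.lang.Object when the check throws, so the half-initialised
// instance is finalizable and a subclass finalize() can capture it.
class VulnerableAccount {
    protected final long balance;
    VulnerableAccount(long balance) {
        if (balance < 0) throw new IllegalArgumentException("negative balance");
        this.balance = balance;
    }
}

// Hardened pattern (JLS 3rd edition, Java SE 6): the argument to this(...)
// is evaluated before any constructor, including Object's, is invoked.
// A failing check therefore leaves no finalizable object behind.
class SafeAccount {
    protected final long balance;
    public SafeAccount(long balance) {
        this(check(balance), balance);   // check() throws before super() runs
    }
    private SafeAccount(Void checked, long balance) { this.balance = balance; }
    private static Void check(long balance) {
        if (balance < 0) throw new IllegalArgumentException("negative balance");
        return null;
    }
}

// Demonstration: subclasses whose finalizer only records that it ran.
public class FinalizerDemo {
    static final AtomicBoolean vulnerableFinalized = new AtomicBoolean();
    static final AtomicBoolean safeFinalized = new AtomicBoolean();

    static class V extends VulnerableAccount {
        V() { super(-1); }
        @Override protected void finalize() { vulnerableFinalized.set(true); }
    }
    static class S extends SafeAccount {
        S() { super(-1); }
        @Override protected void finalize() { safeFinalized.set(true); }
    }

    public static void main(String[] args) throws InterruptedException {
        try { new V(); } catch (IllegalArgumentException expected) { }
        try { new S(); } catch (IllegalArgumentException expected) { }
        System.gc();
        System.runFinalization();
        Thread.sleep(200);   // give the finalizer thread a moment to run
        // V may be finalized (GC timing dependent); S is never finalizable per the JLS.
        System.out.println("vulnerable finalized: " + vulnerableFinalized.get());
        System.out.println("safe finalized:       " + safeFinalized.get());
    }
}
```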

Monday, July 4, 2011

Highly Scalable Java

Here is a collection of Concurrent and Highly Scalable Utilities. These are intended as direct replacements for the java.util.* or java.util.concurrent.* collections but with better performance when many CPUs are using the collection concurrently.

Dr. Heinz M. Kabutz measures the memory requirements of the various types of hash maps available in Java in his post. There are some interesting statistics about the memory usage of Cliff Click's Highly Scalable Libraries.

How to compile a java source file from another Java source at runtime?

One of the cool features available in Java 6.0 (Mustang) is the ‘Java Compiler API’, which can be used to compile a Java source file from another Java file at run time.

Suppose we have the following class stored on the C: drive of your disk:

public class FileToCompile {
    public void sampleMethod() {
        System.out.println("Method Called from FileToCompile");
    }
}

The following code shows how we can compile this class at runtime:

import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

public class RuntimeCompilation {

    public static void main(String[] args) {
        // full path of FileToCompile.java on the C: drive
        String lsFileToCompile = "C:/";
        // ToolProvider provides methods for locating javac, javah etc.
        // getSystemJavaCompiler() returns null on a JRE without javac.
        JavaCompiler loCompiler = ToolProvider.getSystemJavaCompiler();
        // run(in, out, err, arguments...): null selects System.in/out/err
        int liResult = loCompiler.run(null, null, null, lsFileToCompile);
        if (liResult == 0) {
            System.out.println("Compilation Successful");
        } else {
            System.out.println("Compilation Failed");
        }
    }
}
Read the javadoc for the JavaCompiler class for more information.