Injection methods / variables: public or not?

Question

Injection methods / variables: public or not?

Many Java frameworks allow class members used for injection to be declared non-public. For example, input variables in Spring and EJB 3 may be private. JPA allows you to protect the properties of a constant class or close packages.

We know that it is better to declare methods non-public if you can. At the same time, if I'm not mistaken, allowing these structures access to non-public members, it works only with the default Java security manager. Does this not mean that user code can also access a non-public member through reflection by calling setAccessible () , which could compromise security ?

What question the question asks: What is the best practice when setting the access level for injection methods?

+3

java spring security jpa

Tom tucker Nov 08 '10 at 23:45

source share

2 answers

JVM, , , , . , , .

+1

Mike Baranczak 09 . '10 4:24

Tom Hawtin - tackline · Accepted Answer · 2010-11-09T10:59:35+0000

Typically, a class should abandon the persistence mechanism. For example, Java serialisatoin requires a class to implement java.io.Serializable. Responsibility for classes that implement Serializableprovides security. If the library allows you to forge privates through an external configuration file, then this should not be trusted - the reflection is really dangerous, and its use is usually confused.

Of course, if you find a vulnerability, report it to the appropriate group.

Injection methods / variables: public or not?

More articles: