A solution to the final classes problem
philip.race at oracle.com
Sat Sep 1 19:58:22 PDT 2012
On 9/1/12 11:20 AM, Randahl Fink Isaksen wrote:
> Richard, I think we could all benefit from an improved design of the final classes, which would both allow critical parts to be final (like you prefer), while allowing non-critical parts to be overridden (like many on this list prefer).
> Take FileChooser for instance. I would like to subclass it to add some of my own framework features, but I can't because it is final. After reading the security article you linked to, I can see why there could be sound reasons for declaring it final if, say, the class contains security checks in some methods.
> I think the main problem is, that both the UI stuff (which I want to override and improve) and the security related stuff (which I do not wish to harm in any way) is rolled into one big class. I believe an improved design would be to implement the FileChooser as a pure UI component that delegates security-sensitive work to a separate class, along the lines of
> nonfinal FileChooser ----> final SecureFileManager
Really? Implicitly suggesting there's a "non-secure" FileChooser - and
you want to use it ? I'd not buy your app ;-) OK yes, you can promise to
secure and what's more you're trustworthy etc, etc. But also we'd really
not be able to
ship the platform like that. How many developers would search for "F"
and never spot the one they are supposed to use under "S". Yes, OK
some clever way you could the right one more obvoius.
However at the end of the day we can't accommodate everyone's wishes.
A wants X. B want Y. X and Y are incompatible. Please make A and B happy
if possible, but if you can't do the best you can .. and above all be
> That way, I can extend the FileChooser in our framework and create OurFileChooser which automatically does a lot of useful work for the application developer, such as providing automatic internationalization support, that sets the title in accordance with the user's preferred language.
> The result would be
> OurFileChooser --extends--> FileChooser --knows--> final SecureFileManager
> If you guys keep your classes final, we third party developers end up with a much less desirable design
> OurFileChooser --knows--> FileChooser
> This design requires us to implement every single method of FileChooser in OurFileChooser for the sole purpose of delegating to your class, which is a lot harder to maintain, and a lot more error prone.
> On Aug 31, 2012, at 18:15 , Richard Bair <Richard.Bair at oracle.com> wrote:
>>> Richard, I agree that obvious cases like java.lang.String have to be final to avoid security related issues. But how can that be a defence for the final classes found in JavaFX, like Text and WebView?
>>> Currently, I can extend PasswordField if I want to create a security breach which sends the user's password off to a remote server in Thailand, but I cannot extend Text to create a banner component which automatically makes the Text fill color flash, or extended WebView to add more innovative features. Where is the sense in that?
>> That is actually not the security problem (because unless the attacker already has elevated privileges, they can't communicate to a different server anyway). No, the security problem with non-final classes has to do with attacks related to hacking finalizers, equals, hash code, and serialization from a sub class.
>> Really, security is like threading. It isn't impossible, but there are things you can do with respect to your API that make it harder, or easier, to be secure (just as there are things you can do which make it harder, or easier to design APIs that are thread safe).
>>> Whenever you make a non-value class final you prevent third party framework developers from adding more innovative features. You take the "open" out of open source. It is just wrong.
>> I can see you are passionate about that :-). In some cases I would agree, in others I would disagree. Designing APIs for mass consumption and that are intended to be supported for many, many years is a different ballgame.
More information about the openjfx-dev