I don’t claim to be an advocate for TDD. Currently, I do not practice it (yet), but I do recognize and appreciate its importance. TDD really “forces” you to have clear understanding about the business requirements to be implemented. You cant implement what you do not understand, right? Because you have to write the test first, your code becomes more solid, less bug prune and you have better test coverage.

Sure, writing the test first its an interesting concept: You start writing a test, and you discoverer that you need a class, and possibly a function. You create the class, function and keep writing the test. Basically, you write few lines of test, and few lines of code, few more lines of test and few more lines of code etc. etc.

Ok, I think I diverted a bit, back to the topic The discussion took an interesting turn, and I still keep thinking about it. My question to them was – what do you think about TDD? The responses I received totally surprised me.

One of the claims supported by them, was that TDD does not serve much purpose, and a developer will end up re-factoring the unit tests eventually anyway as a result of re-factoring the concrete classes as the development goes on. So if latter is the case, my colleagues argued that there is no point writing unit tests first. Its better to finish writing concrete class, before attempting to write any unit tests.

Also, one of the developers claimed that many books and articles written on TDD discuss examples that are quite simple to implement, and in reality it is quite difficult to use TDD for complex business scenarios.

Another claim was that TDD should be used to teach junior developers the importance of unit testing, the experienced developers don’t really need to use it. The developers should follow KISS principles instead.

I respected their opinions about it, but it seemed fundamentally wrong to me that such experienced developers claim that TDD is basically overrated. The feeling that I got from them was that a lot of developers and software engineers in IT industry really got it wrong.

It got me wondering how, after more than ten years of experience in the industry, one does not appreciate one of the best software engineering practices around …

Offcourse, having said all that, I must point out that TDD is not suitable for every case. TDD can be effective only when it is clear what need to be implemented and there is a deep understanding of requirements.

[java]
<bean id="someClass" class="asia.javabeans.SomeClass<asia.javabeans.Blah>" />
[/java]

Sometimes, this restriction can create a problem if you have a parameterized class that has to be loaded by Spring. As a workaround, create an empty child class that extends your parameterized class, and then use that class’s canonical name as your bean definition. Consider the following parameterized parent and the extending child classes:

[java]
public class SomeParent<Blah> {

}

public class Child extends SomeParent<Blah> {
// Just an empty class
}
[/java]

and your Spring definition can now look like this:

[java]
<bean id="childClass" class="asia.javabeans.Child" />
[/java]

The down side here is that you get stuck with an empty class, but at least you can have your bean definition in your application context xml file.

The generic data type used by the extending child in the implementation of the abstract method. This example is going to discuss the benefit of this approach.

Consider the following parent class:

[java]
public abstract class Parent<T> {
protected abstract void process(T data);
}
[/java]

Consider the following two child classes that extend the parent:

[java]
public class Child extends Parent<SomeClass> {
@Override
public void process(SomeClass data) {
// Do stuff
}
}
[/java]

[java]
public class AnotherChild extends Parent<OtherClass> {
@Override
public void process(OtherClass data) {
// Do stuff
}
}
[/java]

You can clearly see how this approach creates flexibility when multiple child classes require different data type parameters when implementing the abstract method. Because of the generic type setting in the abstract method, any data type can be passed to the child. This approach can be particularly useful when implementing a strategy design pattern.

[java]
public class Parent {
public Parent() {
getValue();
}
public void getValue() {

}
}

public class Child extends Parent {
private final Integer integer;
public Child() {
integer = new Integer(888);
}

@Override
public void getValue() {
System.out.println(integer);
}
}
[/java]

Question: What would the following program print, why?

[java]
public class Test {
public static void main(String[] args) {
Child child = new Child();
child.getValue();
}
}
[/java]

Lets assume that getValue() implementation in Child class was changed to:

[java]
@Override
public void getValue() {
System.out.println(integer.toString());
}
[/java]

Question: What would the output of the Test class be now, why?

[java]
public class ExtendingHashSet<E> extends HashSet<E> {
private int counter = 0;

public ExtendingHashSet() {

}

@Override
public boolean add(E e) {
counter++;
return super.add(e);
}

@Override
public boolean addAll(Collection&lt;? extends E&gt; c) {
counter += c.size();
return super.addAll(c);
}

public int getCounter() {
return counter;
}
}
[/java]

Created instance:

[java]
ExtendingHashSet<String> s = new ExtendingHashSet<String>();
s.addAll(Arrays.asList("one", "two", "three"));
[/java]

Question: What value would s.getCounter() method return at this point and why?

Looking forward for your answers dear readers

[java]
if (top.location.href != self.location.href) {
top.location.href = self.location.href;
}
[/java]

If the current page is not the parent window – become the parent window.

I needed to implement something on my end, that would block or prevent the above script or similar to it from executing. I’ve spent several hours browsing the Net, talking to people on IRC and simply playing trial and error.

After some time, I understood that I wont be able to find a solution to my problem, simply because there is none unfortunately. But, having said that, I have some findings to share:

1. There is iframe security attribute which only works on IE. Setting this attribute to security=”restricted”, will prevent iframe to break out. Its always “nice” to see that MS have few tricks up their sleeve . Also, on one of the forums, someone mentioned that the same attribute will work under Opera as well as under IE. I personally haven’t tested it my self under Opera, I can just say that it works for IE and not FF.
2. To make use of window.onbeforeunload event and prompt user with a dialog that requires user’s input if he agrees to navigate away from the current page. If user disagrees (clicks “cancel”), he will remain on the current page. So here in a sense iframe breakaway was canceled. By the way, there is no way to suppress the dialog prompt and make event from clicking “cancel” default.
3. To grab the content of third party page using PHP Curl lib and to create your own placeholder page for that content. Then the placeholder page can be put inside iframe. The page or the grabbed content will not attempt to breakout, but any request submitted to the placeholder page (hyper link or button click on the grabbed content) will cause page to unload.

Also, while researching, I came across this post that talks about preventing iframe breakaway and click jacking with the help of 204 header response code.

After all that, my conclusion is:
If the page inside iframe is not yours, in other words it is a page hosted under another domain, its not possible actually to stop a page from unloading. Having something like that, would allow malicious sites to “trap” a user indefinitely.

I would love to hear any other suggestions regarding iframe breakout you may have dear readers.

Cheers

This is the writer’s opinion:

…Todays projects are over bloated from the use of frameworks that dont really produce a real benefit. Developers spend around 75% of their time just on set up and configuration…

The question I would like to ask you dear readers:
Do todays application developers really exaggerate the use of frameworks?

I think it would be a difficult question to answer. First some clarification is needed – what is exaggeration really? The number of frameworks used or the reduced performance as a result of use of these framework? Or the amount of time developer spends on installation and configuration?

I think first as a developer, one must understand the pros and cons of the framework, and how will it affect the performance of the application to be designed. The developer must have clear idea about what is he trying to achieve by using a particular framework in his application, and whether the framework is going to give him the desired result.

As a developer, when designing an application, one may ask questions which framework should be used depending on application’s requirements. Often the will not be just one framework choice, but several frameworks.

Of course not every developer may face the same situation mentioned above. Proprietary developers rely on leading market software vendors to provide the necessary solutions in one big product bundle.

One has to take several things into account such as future enhancements and possible requirements changes by the client. Using several frameworks to support an application may be look exaggerated at start, but on the long run it may turn out as a better decision. The time spent at the start on initial framework configuration will be paid off during further implementation and maintenance.

In conclusion, I think the ability to know which framework to put for use and when, can come only with experience.

[java]
import java.util.*;

public class Example {

public static void main(String[] args) {
System.out.println(&amp;quot;Result: &amp;quot; +
naturalOrder.compare(new Integer(90),
new Integer(90)));
}

private static Comparator&amp;lt;Integer&amp;gt; naturalOrder =
new Comparator&amp;lt;Integer&amp;gt;() {
public int compare(Integer first, Integer second) {
return first &amp;lt; second ? -1 : (first == second ? 0 :1);
}
};
}

[/java]

Please note:
In this case, comparator for natural order on Integer is written for example only, and in practice there is no need to write it.

Looking forward for your answers dear readers

Resources:
Effective Java

Consider a POJO class:

[java]
public final class VictimClass {

private String password = "default_password";
private static final int USER_ID = 3452678;
private String privateFiled = "default_value";

/**
* Private constructor that should
* not be invoked
*/
private VictimClass() {
System.out.println("Oops… " +
"This private constructor was not " +
" suppose to be invoked");
}

/**
* Private accessor
*/
private String getPassword() {
return password;
}

/**
* Private mutator
*/
private void setPassword(String password) {
this.password = password;
}

/**
* Private static method
*/
private static int getUsersId() {
return USER_ID;
}
}

[/java]

The POJO contains private constructor and several private methods and fields, which I will attempt to invoke and modify using reflection attack.

Now, I cannot say that reflection attacks are possible due to a Java bug. No, its simply how Java classes were designed. The core reflection facility was originally designed for component based application builder tools.

In java.lang.reflect, Constructor, Method and Field extend from parent AccessibleObject class. These objects provide access to the class’s methods and fields. By calling inherited parent method setAccessible(), private variables and methods including private constructors become accessible.

My tester class:

[java]
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.lang.ClassNotFoundException;
import java.lang.InstantiationException;
import java.lang.IllegalAccessException;
import java.lang.reflect.InvocationTargetException;
import java.lang.NoSuchMethodException;

public class Tester {

private static String CLASS_NAME = "VictimClass";
private static Class victimClass = null;
private static Object victimClassObj = null;

public static void main(String[] args) {
victimClass = loadClass(victimClass, CLASS_NAME);
printClassStructure();
attack();
}

private static Class loadClass(Class clazzor, String className) {
Thread thread = Thread.currentThread();
ClassLoader classLoader =
thread.getContextClassLoader();

try {
clazzor = Class.forName(className, true, classLoader);
}
catch (ClassNotFoundException e) {
System.err.println("Error: could not find class: "
+ CLASS_NAME);
}

return clazzor;
}

private static void printClassStructure() {

Constructor[] constructors =
victimClass.getDeclaredConstructors();
for (Constructor c : constructors) {
int modifier = c.getModifiers();
System.out.println("Declared constructor name: " +
c.getName() + "ntis accessible: " +
c.isAccessible() + "ntis private: " +
Modifier.isPrivate(modifier) + "n");
}

Method[] methods = victimClass.getDeclaredMethods();
for (Method m : methods) {
int modifier = m.getModifiers();
System.out.println("Declared method name: " + m.getName() +
"ntis accessible: " +
m.isAccessible() +
"ntis private: " +
Modifier.isPrivate(modifier) +
"ntis static: " +
Modifier.isStatic(modifier) + "n");
}

Field[] fields = victimClass.getDeclaredFields();
for (Field f : fields) {
int modifier = f.getModifiers();
System.out.println("Declared field name: " + f.getName() +
"ntis accessible: " +
f.isAccessible() +
"ntis private: " +
Modifier.isPrivate(modifier) +
"ntis static: " +
Modifier.isStatic(modifier) +
"ntis final: " +
Modifier.isFinal(modifier) + "n");
}
}

private static void attack() {

Field[] fields = victimClass.getDeclaredFields();
Method[] methods = victimClass.getDeclaredMethods();
Constructor[] constructors =
victimClass.getDeclaredConstructors();
//make constructor accessible
constructors[0].setAccessible(true);

System.err.println("Initiating reflection attack:");
try {
//create new object by invoking private constructor
victimClassObj = constructors[0].newInstance(new Object[] {});

//make static method accessible and get its value
//please note: when invoking static method,
//object represented by this Method is null
methods[2].setAccessible(true);
Object o = methods[2].invoke(null, new Object[] {});
System.out.println("Got user ID from private static accessor: "
+ o.toString());

//make method accessible and get its value
methods[0].setAccessible(true);
o = methods[0].invoke(victimClassObj, new Object[] {});
System.out.println("Got original password from private accessor: "
+ o.toString());

//make method accessible and set to it new value
methods[1].setAccessible(true);
System.out.println("Injecting new password using private mutator");
methods[1].invoke(victimClassObj, new Object[] {"injected_password"});

//get method’s its new value
o = methods[0].invoke(victimClassObj, new Object[] {});
System.out.println("Got injected password from private accessor: "
+ o.toString());

//make field accessible and get its value
fields[2].setAccessible(true);
o = fields[2].get(victimClassObj);
System.out.println("Got private field: " + o);

//make field accessible and set to it new value
System.out.println("Injecting value to a private field:");
fields[2].set(victimClassObj, "new_default_value");

//get field’s its new value
o = fields[2].get(victimClassObj);
System.out.println("Got updated private field: " + o);

//make field accessible and get its value
fields[1].setAccessible(true);
o = fields[1].get(victimClassObj);
System.out.println("Got private static field: " + o);

//make field accessible and set to it new value
System.out.println("Injecting value to a private static final field:");
fields[1].set(null, new Integer(2));

//get field’s its new value
o = fields[1].get(victimClassObj);
System.out.println("Got updated private static final field: " + o);

}
catch (InstantiationException e) {
System.err.println("Error: could not instantiate: " + e);
}

catch (IllegalAccessException e) {
System.err.println("Error: could not access: " + e);
}

catch (InvocationTargetException e) {
System.err.println("Error: could not invoke the target: " + e);
}
}
}

[/java]

The call to setAccessible() can be restricted if SecurityManager is set, then any attempt to call the method above will result in exception. If required, it is possible to grant permission java.reflect.ReflectPermission “suppressAccessChecks” using external java.policy file or by applying security policy programmatically. This permission will allow invocation of setAccessible(). My other post How to set SecurityManager and Java security policy programmatically explains how this can be achieved. Please note: by doing so, you can allow malicious access to your classes.

This is what happens when program executes:
I am using reflection, to get a print out of declared constructors, methods and fields. Following that, I am invoking private static and non-static method and attempting to change the value of private declared fields.

The program produces the following output:

[java]
Declared constructor name: VictimClass
is accessible: false
is private: true

Declared method name: setPassword
is accessible: false
is private: true
is static: false

Declared method name: getUsersId
is accessible: false
is private: true
is static: true

Declared method name: getPassword
is accessible: false
is private: true
is static: false

Declared field name: password
is accessible: false
is private: true
is static: false
is final: false

Declared field name: USER_ID
is accessible: false
is private: true
is static: true
is final: true

Declared field name: privateFiled
is accessible: false
is private: true
is static: false
is final: false

Initiating reflection attack:
Oops… This private constructor was not suppose to be invoked
Got user ID from private static accessor: 3452678
Got original password from private accessor: default_password
Injecting new password using private mutator
Got injected password from private accessor: injected_password
Got private field: default_value
Injecting value to a private field:
Got updated private field: new_default_value
Got private static field: 3452678
Injecting value to a private static final field:
Error: could not access: java.lang.IllegalAccessException: Field is final
[/java]

As output shows above, it is not possible to set a value to the filed that is final. Therefore, it would be good idea to make fields final whenever possible. As it was shown before, it prevents reflection attack (when trying to set a new value), plus to that its good for performance optimization (memory allocation).

So what we got so far? When we have a POJO, it is possible to invoke private constructor, private static and non-static methods and change the value of private fields.

Enumerators on other hand do not allow invocation of their private constructors. An attempt to do so will result in IllegalArgumentException exception: “Cannot reflectively create enum objects”. Enums are safe against invocation of private constructors through reflection attacks.

Since enum object instances cannot be created through reflection, private non-static methods cannot be invoked. Having said that, it is still possible to invoke private static methods on enum using reflection, like on any other Java class.

Update: private non-static methods can be invoked on enum class, please refer to comments.

In conclusion, number of steps can be taken, in case someone really wants to prevent reflection attack on non-enum Java classes:

1. Make fields final whenever possible
2. Private constructor can throw an exception if there will be an attempt to invoke it.
3. Applying security policy without ReflectPermission and setting security manager

I hope that I was descriptive enough here, I will appreciate your comments here.

The source code for this post was tested in my Eclipse and is attached.

Cheers

Consider a POJO:

[java]
public final class VictimClass {
/**
* Private constructor that should
* not be invoked
*/
private VictimClass() {
System.out.println("Instance created");
System.out.println(
"Constructor was made accessible");
}
}
[/java]

I want to prevent invocation of private constructor, by setting security manager. After first invocation attempt, I do want to invoke private constructor by granting required permission by refreshing current security policy.

This is my tester class:

[java]
import java.lang.reflect.Constructor;
import java.lang.ClassNotFoundException;
import java.lang.InstantiationException;
import java.lang.IllegalAccessException;
import java.lang.reflect.InvocationTargetException;
import java.lang.NoSuchMethodException;
import java.security.AccessControlException;
import java.lang.reflect.ReflectPermission;
import java.security.SecurityPermission;

public class Tester {

private static String CLASS_NAME = "VictimClass";
private static Class victimClass = null;

public static void main(String[] args) {

loadClass(victimClass, CLASS_NAME);

//apply default policy with one permission
System.setProperty("java.security.policy","default.policy");

try {
//Setting security manager
SecurityManager sm = new SecurityManager();
System.setSecurityManager(sm);
} catch (SecurityException e) {
System.err.println("Error: could not set security manager: " + e);
}

//first attempt to make constructor accessible
try {
makeConstructorAccessible();
}
catch (AccessControlException e) {
System.err.println(
"Could not made constructor accessible: " + e.getMessage());
}

System.out.println("Applying ReflectPermission programmatically…");
SecurityPolicy.getPolicy().addPermission(
new ReflectPermission("suppressAccessChecks"));
SecurityPolicy.getPolicy().addPermission(
new SecurityPermission("setPolicy"));
SecurityPolicy.getPolicy().refresh();
makeConstructorAccessible();
}

private static void loadClass(Class clazzor, String className) {
Thread thread = Thread.currentThread();
ClassLoader classLoader =
thread.getContextClassLoader();

try {
victimClass = Class.forName(className, true, classLoader);
}
catch (ClassNotFoundException e) {
System.err.println("Error: could not find class: "
+ CLASS_NAME);
}
}

private static void makeConstructorAccessible() {
Constructor[] constructors =
victimClass.getDeclaredConstructors();
//make constructor accessible
constructors[0].setAccessible(true);

try {
System.out.println(
"Creating new instance by invoking private constructor");
constructors[0].newInstance(new Object[] {});
}
catch (InstantiationException e) {
System.err.println("Error: could not instantiate: " + e);
}
catch (IllegalAccessException e) {
System.err.println("Error: could not access: " + e);
}
catch (InvocationTargetException e) {
System.err.println("Error: could not invoke the target: " + e);
}
}
}
[/java]

This is what happens when program executes:

Before setting SecurityManager, I am applying default security policy from external file with security permission “setPolicy”, that will allow me to reset new security policy in the future.

My default security policy:

[java]
grant {
permission java.security.SecurityPermission "setPolicy";
};
[/java]

When SecurityManager is set, it restricts everything except whats permitted by security policy that was set previously. You can view list of Java permissions that can be set here.

By default, the private constructors,methods and fields are inaccessible. So if you want to use reflection, and invoke private constructor of this POJO, it will result in
IllegalAccessException since the constructor above has private modifier.

This restriction can be bypassed by calling parent method setAccessible(). To remind: java.lang.reflect.Constructor, java.lang.reflect.Method and java.lang.reflect.Field extend from parent java.lang.reflect.AccessibleObject class.

By calling inherited parent method setAccessible(), private variables and methods including private constructors become accessible.

With SecurityManager set, an attempt to invoke setAccessible() will result in AccessControlException. Following that, I am granting required ReflectPermission suppressAccessChecks by applying my own security policy. This will allow me to invoke private constructor in my POJO.

Now, having said that, I have to say that granting ReflectPermission with action suppressAccessChecks can be extremely dangerous as it allows private constructors to become accessible, as the example above shows. Not only constructors, but inaccessible fields and methods can become accessible, which can allow room for reflection attacks. In my other post Hack any Java class using reflection attack I explain how this can be achieved.

When I am applying my own security policy, please note that I am granting again security permission “setPolicy”. Because I am reseting default policy set previously, I have to grant “setPolicy” permission again if I want to keep applying new security policies in the future at run time of this program.

Below is my own implementation of java.security.Policy class, I tried to put enough comments to make things straight forward to you readers:

[java]
import java.security.Policy;
import java.security.CodeSource;
import java.lang.reflect.ReflectPermission;
import java.security.SecurityPermission;
import java.security.*;
import java.lang.RuntimePermission;
import java.util.*;

public class SecurityPolicy extends Policy {

private PermissionCollection perms = null;

//lazy initialization class holder
private static class SecurityPolicyHolder {
private static final SecurityPolicy policy = new SecurityPolicy();
}

private SecurityPolicy() {
perms = new Permissions();
}

public static SecurityPolicy getPolicy() {
return SecurityPolicyHolder.policy;
}

public PermissionCollection getPermissions(CodeSource codesource) {
return perms;
}

//invoked when new Permission is added to the current security Policy
public boolean implies(ProtectionDomain domain, Permission permission) {

//get permission collection from the domain
PermissionCollection domainPermissions = domain.getPermissions();

//get enumeration of permission elements
Enumeration<Permission> permissions = domainPermissions.elements();

//convert to array list (dont have to, i just dont like enumerations)
ArrayList<Permission> list = Collections.list(permissions);

//Checks to see if the specified permission is
//implied (subset of) by the collection of
//Permission objects held in this PermissionCollection
if (!domainPermissions.implies(permission)) {

//permission collection in the domain is read-only,
//Exception will be thrown if Permission object
//is added to read-only collection
if (domainPermissions.isReadOnly()) {

//Because collection is read-only,
//add Permission objects to the local
//permission collection instead
for (Permission p :list) {
if (!perms.implies(p)) {
perms.add(p);
}
}

//assign local permission collection as a
//domain permission collection
domainPermissions = perms;
}
else {
//if domain permission collection is not read only,
//just add new permission to it
domainPermissions.add(permission);
}

//check if now domain has the new Permission
return domainPermissions.implies(permission);
}

return false;
}

public void addPermission(Permission permission) {
perms.add(permission);
}
//you can write your own implementation
//of refresh method
@Override
public void refresh() {
Policy.setPolicy(this);
}
}
[/java]

The following shows program output. Please not that first attempt to make private constructor accessible resulted in exception. After required permission was granted, new object instance was succesfully created through reflection:

[java]
Could not made constructor accessible:
access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
Applying ReflectPermission programmatically…
Creating new instance by invoking private constructor
Constructor was made accessible
Instance created
[/java]

Please note:
I did test this code. But I am not sure whether my SecuriyPolicy class implemented efficiently. The source code for this post is attached.

set java security policy sourcecode