Basically I got told that I shouldn't have public methods returning Arrays for "future" security purposes. Instead they should be private, and if I wanna return an Array it would have to be some kind of copy in another method.
This is how it looks now..
public Object[] ownedObject() {
return objectArr;
}
If I make this private the class that needs it doesn't recognize the method above.
Thing is I need to use the contents in that Array in said, other class, and the total project, as I have it right now with 5 different classes, works (with the returning Array-methods set to Public and not private).
As you are concerned with security aspect of this problem you might want to distinguish between shallow copy and deep copy of the array. If your array contains mutable objects you probably need a deep copy of every single element in the array to ensure that state is not leaking from your object.
Assuming that you array is of type MyType with a copy constructor:
public MyType[] ownedObject() {
MyType[] copyArr = new MyType[objectArr.lenght];
for (int i = 0; i < objectArr.lenght; i++) {
copyArr[i] = new MyType(objectArr[i]);
}
return copyArr;
}
There are also other ways to deep copy an object.
I am a beginner in Java. When developing a program, I created an object with a constructor with variables as arguments. But when I change the value of the variable after creating the object, my object has the second value instead of the first one. I don't want my object to change the value. What do I do?
public class Person {
public Person(int[] arrayTest) {
this.arrayTest = arrayTest;
}
public int[] getArray() {
return this.arrayTest;
}
public boolean canHaveAsArray(int[] arrayTest) {
return true;
}
private int[] arrayTest = new int[2];
public static void main(String[] args) {
int[] array = new int[] {5, 10};
Person obj1 = new Person(array);
array[0] = 20;
System.out.println(Arrays.toString(obj1.getArray()));
}
}
My output should be [5, 10], but instead, I am getting [20,10]. I need to get [5,10] even when I change an element of the array as shown above. What should I do?
If you pass the original array to the constructor of Person, you are passing the reference to the original array. So any change in arrayTest inside Person instance will reflect in original array(int[] array) and vice-versa.
If you don't want to change the value of elements of original array in Person instance then you have two options:
You can modify the code in Person constructor to create a copy of original array using java.util.Arrays.copyOf method and then use that copy:
public Person(int[] arrayTest) {
this.arrayTest = java.util.Arrays.copyOf(arrayTest, arrayTest.length);
}
Don't pass the original array to constructor, instead just send a copy of original array:
Person obj1 = new Person(java.util.Arrays.copyOf(array, array.length));
However, I would prefer first approach.
If you would like to prevent the value of variable which is of primitive type, you can do so using final keyword. Eg:
private final int test = 1;
To prevent changing the value inside an object you can mark the fields as final. A final keyword in declaration of object instance means the variable can't be reassigned and doesn't guarantee that the object state won't change if the reference to that object is shared. To prevent changing the state of a particular object, you should mark it's field as final.
There is no such thing as immutable (unchangeable) array in Java. The Java language does not support this. As JLS 4.12.4 states:
If a final variable holds a reference to an object, then the state of the object may be changed by operations on the object, but the variable will always refer to the same object. This applies also to arrays, because arrays are objects; if a final variable holds a reference to an array, then the components of the array may be changed by operations on the array, but the variable will always refer to the same array.
The JVM spec doesn't support an immutable array type either. You can't solve this at the language level. The only way to avoid changes to an array is to not share the reference to the array with other code that might change it.
In your example, you have what is known as a leaky abstraction. You are passing an array to your Person class, and the caller is keeping a reference to that array so that it can change it. To solve this, you can:
copy the array, and pass a reference to the copy, or
have the constructor (or a setter for the array attribute) make the copy.
(See answer https://stackoverflow.com/a/55428214/139985 for example code.)
The second alternative is preferable from an OO perspective. The Person class should be responsible for preserving its own internal state from interference ... if that is your design requirement. It should not rely on the caller to do this. (Even if the caller is technically part of the same class as is the case here.)
There is no unmodifiable array, but you can make an unmodifiable list:
List<Integer> list = List.of(5, 10);
You will have to change your code to use lists instead of arrays, but this is generally preferable anyway.
If you already have an array of a non-primitive type, you can wrap it in an unmodifiable list, like so:
List<Integer> list = Collections.unmodifiableList(Arrays.asList(array));
However, while you can't change the list directly, changing the array will change the list. Moreover, this won't work on int[], but only on subclasses of Object[].
In Java, objects/arrays are manipulated through reference variables#
When a function is invoked with arrays as their arguments, only a reference to the array is passed. Therefore, when you mutate array array, the arrayTest field also get mutated as they are referring to the same address
To override this behavior, you can create a copy of the array in your constructor using Object.clone() method like:
public Person(int[] arrayTest) {
this.arrayTest = arrayTest.clone();
}
# Source: Wikipedia
Instead of passing a copy of the array to the object, as others have suggested, I would recommend that the Person object's constructor should create a copy. Which means instead of,
this.arrayTest = arrayTest;
It should be
this.arrayTest = Arrays.copyOf(arrayTest, arrayTest.length);
This would allow the object to be defensive against malicious code trying to modify arrays after construction and validation by constructor. In fact most IDEs have analysis tools which will give you a warning against saving array reference.
As others have already pointed out: The array is passed as a reference to the Person. So changes that are later done to the array will be visible to the Person object. But that's only one half of the problem: You are not only passing a reference to the array to the constructor of the Person, you are also returning a reference from the getArray method.
Generally speaking, and as StephenC already pointed out in his answer: One important aspect of Object-Oriented design is to properly manage the state space of objects. It should not be possible for users of a class to bring an object into any form of "inconsistent state".
And this is difficult with plain primitive arrays. Consider the following pseudocode, referring to the class that you posted:
int originalArray[] = new int[2];
originalArray[0] = 12;
originalArray[1] = 34;
Person person = new Person(originalArray);
int arrayFromPerson[] = person.getArray();
originalArray[0] = -666; // Modify the original array
System.out.println(arrayFromPerson[0]) // Prints -666 - this is unexpected!
arrayFromPerson[1] = 12345678; // Modify the array from the person
System.out.println(originalArray[1]) // Prints 12345678 - this is unexpected!
Nobody knows who has a reference to the array, and nobody can verify or track that the contents of the array is not changed in any way. How critical this is becomes more obvious when you anticipate that the Person object will be used at different places, possibly even by multiple threads.
Plain primitive arrays in Java do have their justification. But when they appear in the interface of a class (that is, in its public methods), they should be view with scrutiny.
In order to be absolutely sure that nobody can interfere with the array that is stored in the Person object, you'd have to create defensive copies everywhere:
public Person(int[] arrayTest) {
this.arrayTest = arrayTest.clone(); // Store a clone of the array
}
public int[] getArray() {
return this.arrayTest.clone(); // Return a clone of the array
}
But this may be cumbersome. A more object-oriented solution could be to expose a "read-only view" on the state that is represented with the array. For example:
public Person(int[] arrayTest) {
this.arrayTest = arrayTest.clone(); // Store a clone of the array
}
public int getArrayLength() {
return this.arrayTest.length;
}
public int getArrayElement(int index) {
return this.arrayTest[index];
}
(Of course, in practice, you'd name the methods accordingly, depending on what the array actually represents. For example, if it's the ages of the children of the person, you'd call the methods getNumChildren() and getAgeOfChild(int i) or so...)
Another option how this can be solved is to expose an (unmodifiable) List view on the array. This can, for example, be done with the asUnmodifiableList method that is shown in this answer.
as you are beginner in java you write following code in constructor but it is better to use clone method as marco13 and rv 7 already explained
and as sourabh bhat explained we can also use Arrays class copyof
the idea behind all of above logic is simple don't pass referance of current object but create clone of object and pass that clone or just copy each content of the object
public Person(int[] arrayTest) {
for (int i = 0; i <this.arrayTest.length; i++) {
this.arrayTest[i]=arrayTest[i];
}
}
Here is what happens in memory:
Program: Stack memory: Heap memory:
int[] array = new int[] {5, 10}; array -> 0x77a89 0x77a89 {5, 10}
Person obj1 = new Person(array); obj1.arrayTest -> 0x77a89 No change
array[0] = 20; 0x77a89 {20, 10}
As you can see stack memory holds only the address of the object which gets created in the heap memory. So when you change the arrays value it automatically changes in the Person obj1 object as well.
To fix this you need to create a new Object in memory so that the actual Objects value is copied. To do this we can:
[1] Use the clone property of array.
public Person(int[] arrayTest) {
this.arrayTest = arrayTest.clone();
}
[2] Or we can create our own clone.
public Person(int[] arrayTest){
if (arrayTest == null){
this.arrayTest = null;
} else {
int[] copyArray = new int[arrayTest.length];
for(int i=0; i<arrayTest.length; i++) {
copyArray[i] = arrayTest[i]
}
this.arrayTest = copyArray;
}
}
Either way a new Object is created in memory and this prevents the object from being shared.
Edit 5/5/19: Source code added
As most answers point out, there is no immutable array of primitives in Java. So you have to do some tricks.
Pure Java: Make defensive copies. Most answers show how to store a copy of the array that is received as a parameter in the constructor. But only one answer mentions that you also have to return a copy of the internal array with getArray().
public class Person {
final private int[] arrayTest;
public Person(int[] arrayTest) {
this.arrayTest = java.util.Arrays.copyOf(arrayTest, arrayTest.length);
}
public int[] getArray() {
return java.util.Arrays.copyOf(arrayTest, arrayTest.length);;
}
}
Other internal representation: Store the array as a (mutable) ArrayList, which is based on an array and should have best performance. You have to convert from array to List in the constructor and from List to array in getArray(). There is no need to use Collections.unmodifiableList() (or Guavas ImmutableList<>) as long as you write no method that could modify the List because no one will have access to the List.
public class Person {
final private List<Integer> arrayTest;
public Person(int[] arrayTest) {
this.arrayTest = new ArrayList<>(Arrays.asList(arrayTest));
}
public int[] getArray() {
return this.arrayTest.stream().mapToInt(Integer::valueOf).toArray;
}
}
Let other people do the job. Google AutoValue auto-generates immutable classes. And provides equals(), hashCode() and toString(). Easy to use. My favorite solution.
import com.google.auto.value.AutoValue;
#AutoValue
public abstract class Person {
public static create(int[] arrayTest) {
return new AutoValue_Person(int[] arrayTest);
}
public abstract int[] getArray() {}
}
I am trying to implement a copy constructor in java. I am facing a problem with non primitive type fields of the class. While creating a new copy, it is sharing the members. For Example
public class Bad implements Cloneable {
private ArrayList<Integer> a;
private Object c;
public static void main(String[] args) {
Bad b1 = new Bad();
b1.a.add(10);
System.out.println(b1.a);
Bad b2 = b1.clone();
b2.a.add(12);
System.out.println(b1.a);
}
Bad() {
a = new ArrayList<>();
c = null;
}
Bad(Bad b) {
a = b.a;
c = b.c;
}
public Bad clone() {
return new Bad(this);
}
}
And the result is :
[10]
[10, 12]
I don't want this to happen. Take this as an example. My original problem consists of even more fields that are user defined.
Or are there any libraries which do the work for me? Thanks in advance.
Simple rules for a copy constructor:
primitive values may be copied as-is; they are just values without a separate identity
references to immutable types (eg. String, Integer, any enum class constant) may also be copied as-is; although the original and the copied objects will share the same reference, the referred object is immutable and will never change
references to mutable types (eg. Date, ArrayList, any array) must be copied to a new instance of the type; otherwise the original and the copied object will share a reference to the same mutable field object (which is not what you want)
Making a copy of an object that contains only fields with primitive and immutable values is easy mode.
Copying an object whose fields contain mutable objects can make the process arduous and expensive depending on how complex the mutable object is (imagine an ArrayList that contains a Map whose values are also Maps). Making a new copy of the mutable field is, however, essential if you wish to have a safe copy.
Integer is immutable but you need to create a totally new ArrayList, and I mean here :
Bad(Bad b) {
a = b.a;
c = b.c;
}
do instead
Bad(Bad b) {
a = new ArrayList<>(b.a);
c = // this here must be copy constructed too
}
and then you will get
[10]
[10]
The correct way would be creating a new instance of the list instead of passing a reference to the original list.
Bad(Bad b) {
a = new ArrayList<>(b.a);
c = b.c; // this should call clone or something similar as well
}
Also note that if you would have some non-primitive type within the list of b.a, then you would have to copy/clone all the sub-elements as well (it is not needed now as you have Integer in it which is not mutable).
In my program, I am declaring a static int 2D array and setting it equal to some values. In a different method, I create a local variable and assign it to the 2D array I created. I make some changes to the local variable, however I don't want my initial values in my 2D array to change.
The reason I am using static is because I am using a static main method and I figured all other methods and variables had to be static as well.
Here's a simple layout of what I am doing
public static int[][] myArray = {{1,2},{3,4}};
public static void main(String args[]){
doSomething();
}
public static void doSomething(){
int[][] newArray = myArray;
//do Something to newArray
}
I do not want the values of myArray to change is there a way to handle this? Do I have to get rid of a static variable within a static method?
You will have to create deep copy of your array. You can do it manually or use System.arraycopy() to suit your needs.
Arrays are mutable and so you need to use System.arraycopy to make defensive copies. Make the array private and call a public method which hands a copy is the way to prevent mistakes of bugs by sharing a reference when you must not.
Deep copy the original one and keep one of these two arrays (only making change to one of them
Try:
int[][] newArray = Arrays.copyOf(myArray, myArray.length)
In Efficient Java Joshua Bloch writes:
Note that a nonzero-length array is always mutable, so it is wrong for
a class to have a public static final array field, or an accessor that
returns such a field. If a class has such a field or accessor, clients
will be able to modify the contents of the array. This is a frequent
source of security holes:
// Potential security hole!
public static final Thing[] VALUES = { ... };
Beware of the fact that many IDEs generate accessors that return
references to private array fields, resulting in exactly this problem.
There are two ways to fix the problem. You can make the public array
private and add a public immutable list:
private static final Thing[] PRIVATE_VALUES = { ... };
public static final List<Thing> VALUES =
Collections.unmodifiableList(Arrays.asList(PRIVATE_VALUES));
Alternatively, you can make the array private and add a public method
that returns a copy of a private array:
private static final Thing[] PRIVATE_VALUES = { ... };
public static final Thing[] values() {
return PRIVATE_VALUES.clone();
}
And my question is:
Why bother with returning a final variable - if it's just a copy ?
After all, in cases where the user wants to modify it (for her/his own use) we're actually forcing her/him to create another non-final copy, which doesn't make sense.
Arrays.asList wraps the original array. It doesn't copy the data. Collections.unmodifiableList also wraps the original list rather than copying the data.
That's why you're returning an unmodifiableList wrapper, because otherwise, changes made to the list returned by Arrays.asList would write through to the original private array.
This isn't returning a final object -- it's just declaring the method as non-overridable. There's no such thing as a final object -- only a final variable (reference or primitive), a final method, and a final class.