Shulou(Shulou.com)06/02 Report--

This article mainly introduces "how to understand the attack and defense of Java single-case mode". In daily operation, I believe many people have doubts about how to understand the attack and defense of Java single-case mode. Xiaobian consulted all kinds of materials and sorted out simple and easy operation methods. I hope to help you answer the doubts of "how to understand the attack and defense of Java single-case mode"! Next, please follow the small series to learn together!

When it comes to the topic of "singleton pattern attack," the easiest thing to think of is to attack singleton pattern through serialization/deserialization, because after an object instance is serialized and deserialized, the new object obtained is the same as the original field, but the object address has changed compared with the original object address, so they are two different objects.

The above conclusion is absolutely correct, however, in addition to serialization/deserialization, singleton patterns can also be attacked in another way, namely reflection attacks.

Consider a specific example:

public class JerrySingleton { private String name; private JerrySingleton(){ name = "Jerry";}private static class SingletonHolder{ private static final JerrySingleton INSTANCE = new JerrySingleton();}public static JerrySingleton getInstance() { return SingletonHolder.INSTANCE; }}

The above is an example of a hungry man.

However, I only need to set the constructor of this singleton class JerrySingleton to accessible via reflection, and then I can call the constructor via reflection to generate a new object instance. This breaks the singleton pattern.

Class classType = JerrySingleton.class;Constructor c = classType.getDeclaredConstructor(null);c.setAccessible(true);JerrySingleton e1 = (JerrySingleton)c.newInstance();JerrySingleton e2 = JerrySingleton.getInstance();System.out.println(e1 == e2);

Line 6 prints false.

A possible defense against this attack is to define a Boolean variable initialized to false within the constructor of the singleton class. This variable is set to true when the constructor is executed. If the constructor is executed again, an artificial exception is thrown to avoid repeated execution of the constructor.

public class JerrySingletonImproved { private static boolean flag = false; private JerrySingletonImproved(){ synchronized(JerrySingletonImproved.class) { if(flag == false) { flag = ! flag; } else { throw new RuntimeException("Singleton violated"); } }}}

This defense does not fundamentally prevent Singleton from being attacked, because an attacker can still bypass this check by modifying the value of the Boolean variable flag via reflection.

The most ideal implementation of the invulnerable singleton pattern is through the Java enumeration class:

The consumption code for this implementation type of singleton pattern:

System.out.println("Name:" + JerrySingletonAnotherApproach.INSTANCE.getName());

If an attacker attacks a singleton of this implementation via the reflection code described earlier, JDK throws a NoSuchMethodException exception:

Exception in thread "main" java.lang.NoSuchMethodException: singleton.JerrySingletonAnotherApproach. ()at java.lang.Class.getConstructor0(Class.java:3082)at java.lang.Class.getDeclaredConstructor(Class.java:2178)at singleton.SingletonAttack.test3(SingletonAttack.java:31)at singleton.SingletonAttack.main(SingletonAttack.java:43)

The reason for this is that we are now implementing singletons via Java enumerations, and enumeration classes do not have constructors in the traditional sense, so they are immune to this reflection attack.

At this point, the study of "how to understand the attack and defense of Java singleton pattern" is over, hoping to solve everyone's doubts. Theory and practice can better match to help everyone learn, go and try it! If you want to continue learning more relevant knowledge, please continue to pay attention to the website, Xiaobian will continue to strive to bring more practical articles for everyone!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.