{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 劳资没心,怎么记你 的问题《Are private members really more “secure” in Java?》','https://www.manongdao.com/q-552789.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Learning Java I was sometimes taught to use the private access modifier so as not to expose "sensitive information" to other classes, as if this could open a legitimate security hole. But I've never encountered a situation in which restricting member visibility was more than a convenience for modelling a program in an object-oriented fashion.
Are private fields and functions in Java classes actually more "secure" than otherwise?
EDIT -- Compilation of best answers.
Why private does not mean "secure":
- decompilers allow static look at bytecode
- reflection library allows runtime access to private members
What private is good for:
- maintainability of code due to forcing method-level access
- modularity of code by hiding implementation details
I think the meaning of "security" by your instructor was not about keeping hackers out, but rather keeping bugs out. By making everything as private as possible, you limit the ways that one class can mess with another class without it knowing. This is an example of Modular Programming.
Btw: reflection in Java actually allows you to override access modifiers of fields of objects. See javadoc and an example.
I've never heard of it -- in any serious sense -- as a security issue. I mean, decompilers work. You can use them to figure out what's going on inside the bytecode.
Having
privatemembers is a maintainability issue. If I only give you method-level access to my internals, then my only responsibility is to ensure that my API methods continue to work. I'm not locked into using aDoubleversus aBigDecimalon the insides, so long as my methods continue to returnDoubles (for instance).Obviously the principles of making everything private where possible only apply if you adhere to the open-closed principle otherwise if people get used to the idea of editing the internals of existing classes instead of extending them they may well change the encapsulation of private member variables be it through making them accessible through mutators and accessors or changing the access modifier.
privateisn't really for security, since reflection can bypass it (modulo classloader/secure classloader stuff). It serves as an indication of intent, and as barrier to one type of programming error.But consider a third-party API--API users don't even see the
privateproperties or methods. It's not just about your own code, it's about what code is exposed to others. (Again looking at it from a "I'm not trying to break in to the code" standpoint.)As far as security goes, the answer is "not really": determined hackers could get to your private fields and call your private functions with a little bit of reflection; all they need is a JAR with your code in it.
Although hiding "sensitive" information does not make your class more secure, it makes it (along with systems built from it) a lot more maintainable. So this answer is not an excuse for making all members of your classes public.