Inheritance and access control - "private protected"

I'm reopening an old topic, seems to have been last discussed here 2-3 years ago.
It concerns the concept of restricting access to class members to itself, and its subclasses. This is what "protected" does in C++ and "private protected" did in early versions of the Java language. This feature was removed from Java with a motivation along the lines of not being "simple", and "linear" (in line with the other access modes, each being a true subset of the next). Unfortunately, the article which explained Sun's position on this keyword combination seems to have been removed from the site, so I haven't been able to read its original text.
But regardless of simplicity of implementation or explaining Java's access modifiers to newbies, I believe it is a fundamental part of OO programming for such an access mode to exist. The arguments for having the standard "private" mode in fact also apply for having a C++-style "protected" mode. (Arguing that classes within a package are related and it therefore doesn't hurt to also give them access to Java's "protected" members, is equally arguing that "private" is unneccessary, which noone of course believes.)
The whole concept of inheritance and polymorphism and encapsulation builds on the access modes private, protected, and public (in the C++ senses). In Java the "package" concept was added - a nice feature! But I see no justification for it to negate the proper encapsulation of a class and its specializations.

What effect upon inheritance other than hiding members
from subclasses is there?
None. And I cant think of another declaration that prevents members from being inherited but private.
Of course the onus comes on the programmer with Java's
definition of "protected" - but
1) there is rarely a single programmer working within
a package
The point was the package is a unit which does not hide from itself. Just like all methods within a class can see each other, all classes within a package can, and all packages within a program can.
2) it muddies the encapsulation in the design - when
you see a "protected" method someone else, or yourself
some time ago - wrote, how do you know if the design
intention is to have it accessed solely by the class
and its subclasses, or if it is indeed intended to be
shared with the whole package? The only way to do
this today is to always explicitly specify this in the
comments, which may be lacking, inconsistent, and
abused (since it isn't enforced).Encapsulation would be implementation hiding. Not method hiding. The only thing you should probably allow out of your package is an interface and a factory anyway.
I understand where you are coming from, but I really have not had occasion to take issue with it. I can't think of a real codeing situation where this is required. OTOH, I can't think of a coding situation where I need to access a protected method from another class either.

Similar Messages

  • User management and Access Control in HCM Cloud

    Hello,
    Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions :
    - How can I bridge HCM Cloud user store with my on-premise IDM or security repository in order to allow identty governance to flow to HCM Cloud service ?
    The only information I got was that you can declare manually and by bulk import through files my users. This is not really interresting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
    Is there a SPML or proprietary endpoint to do it automatically ? What are the prerequisites ? Do I have to implement OIM on my side ?
    - Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service ?
    I do not want to distribute new set of login / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with HCM Cloud service ? What are the prerequisites ? Do I have to implement OAM on my side ?
    I accept all pieces of information you can give me on this topic to help me understand the funcitonalites, limits and options offered by Oracle Cloud and more precisely by HCM Cloud service.
    Best regards,

    OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
    At present, the only way to restrict view and access control is by appplying ACLs (which is not the safest bet).

  • Inside Identity and Access Control products

    Hello,
    For the past few months I was working on a blog which can help understanding under the hood of identity and access control products. Please have a look into it and let me know how to improve the contents.
    http://identitycontrol.blogspot.com

    Latest Topics
    1) Video of Federated Access Control
    2) RSA Conference 2007

  • Inside identity and access control products : blog

    Frinends,
    Visit my blog http://identitycontrol.blogspot.com to get inside working of the identity and access control products. My efforts here is to explain insides in a simple language.
    Latest topic i added is "SAML in action"
    Please post your comments also so I can improve the contents.
    Thanks

    Thanks a lot idmguru!!
    your efforts are simply awesome..
    -Yash Bansal

  • Inside of idm and access control products

    Hello Friends,
    For the past few months I was working on a blog where I shared my past experiences with the IAM products, New technologies and problems faced in the products at a conceptual level. I thought of sharing that with experienced team of technocrats like you. Please have a look into this and let me how how can I improve this.
    blog URL --> http://identitycontrol.blogspot.com/
    Thanks
    idmguru

    Frinends,
    Visit my blog http://identitycontrol.blogspot.com to get inside working of the identity and access control products. My efforts here is to explain insides in a simple language.
    Latest topic i added is "SAML in action"
    Please post your comments also so I can improve the contents.
    Thanks

  • War file and access control with WebLogic

    I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
    This is how my weblogic.properties file looks like:
    weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
    weblogic.password.koko=kokokoko
    weblogic.password.arnebelinda=arne1234
    weblogic.security.group.ppuseradmins=arnebelinda
    and my weblogicURL.policy:
    deny Principal weblogic.security.acl.GroupImpl "everyone" {
    Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    and finally, my web.xml-file:
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
         <session-config>
              <session-timeout>30</session-timeout>
         </session-config>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>admin</web-resource-name>
                   <url-pattern>index.jsp</url-pattern>          </web-resource-collection>
              <auth-constraint>
                   <role-name>ppuseradmins</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>WebLogic Server</realm-name>
         </login-config>
         <security-role>
              <role-name>ppuseradmins</role-name>
         </security-role>
    </web-app>
    it does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
    Does anybody have a clue? I would really appreciate it!
    I am using WebLogic 5.1 sp 9
    best regards,
    PJ

    In you pocily file entry, you have specified "/admin/-"
    However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin
    Could that be the problem ?

  • War file and access control

              I am trying to put some access control on different files in my war-file, but just
              can't get it to work... It seems like all roles defined in weblogic.properties
              gives the user access to all files in the war. I just don't understand the connections
              between the security realm, the weblogicURL.policy file and the web.xml file...
              If I do not specify a weblogic.security.URLAclFile, no access control is done
              at all.
              This is how my weblogic.properties file looks like:
              weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
              weblogic.password.koko=kokokoko
              weblogic.password.arnebelinda=arne1234
              weblogic.security.group.ppuseradmins=arnebelinda
              and my weblogicURL.policy:
              deny Principal weblogic.security.acl.GroupImpl "everyone" {
              Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
              and finally, my web.xml-file:
              <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
              "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
              <web-app>
              <session-config>
              <session-timeout>30</session-timeout>
              </session-config>
              <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
              </welcome-file-list>
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>admin</web-resource-name>
              <url-pattern>index.jsp</url-pattern> </web-resource-collection>
              <auth-constraint>
              <role-name>ppuseradmins</role-name>
              </auth-constraint>
              </security-constraint>
              <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>WebLogic Server</realm-name>
              </login-config>
              <security-role>
              <role-name>ppuseradmins</role-name>
              </security-role>
              </web-app>
              it does not matter which user is part of the ppuseradmins group. The user koko
              is not a member, but is given access to my whole .war anyway (after submitting
              correct username/password). Omitting the <realm-name> does not seem to work either;
              the default realm is not used, instead null is used.
              Does anybody have a clue? I would really appreciate it!
              I am using WebLogic 5.1 sp 9
              best regards,
              PJ
              

    In you pocily file entry, you have specified "/admin/-"
    However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin
    Could that be the problem ?

  • Computer Lists and Access Control

    Hi
    I've got OS/X Server 10.4.6 setup to a be an OD master and have several linux boxes authenticating to it using kerberos.
    Currently, all OD users can login to all the linux boxes, but I'm trying to restrict access to some boxes to a group of users.
    I've tried creating a computer list and putting a linux server in this list, then adding entries to the 'access tab' but this doesn't seem to work.
    All users can still login to these 'access controlled' servers, in effect the list is ignored.
    Has anyone got this working or can shed some light on what I'm doing wrong ?
    Thanks,
      Mac OS X (10.4.6)  

    Hi, Tropic
    You must to load the class into an jar file
    Then you must to sign out the jar file by means of th jarsigner utility provided bye java SDK
    Hear a sample script to do it.
    javac SomeApplet.java
    jar cvf SomeJarFile.jar SomeApplet.class
    keytool -genkey -keystore SomeStoreFile -keyalg rsa -dname "CN=May BeYour Name, OU=IT Dept., O=Company Name, L=Your Location, ST=Your State, C=Your Country" -alias YourAlias -validity 365 -keypass YourPassowrd -storepass storePasswd
    jarsigner -keystore SomeStoreFile -storepass storePasswd -keypass YourPassowrd -verbose SomeJarFile.jar YourAlias
    Regards,

  • Nintex Workflow and Access Control

    Hello, can anybody help with getting owner permissions on Nintex workflows in Sharepoint 2010 with Powershell.
    I also want to ask your opinion about Access control in Sharepoint 2010. Should all Access Control like AD, Sharepoint, Titus be in the hands of Administrator or some of it like Titus be in the hand of the Developers.
    Best Regards Olafur_s
    Icelandic DBA admin

    Hello
    Hemendra,<o:p></o:p>
    Thank you
    for your answer. I have developers that create sites and lists and they are all Site Collection admin. The problem is that they can go everywhere they want and look into all kinds of sensitive information and do all that they want to do. So basically they
    are running the system. <o:p></o:p>
    I am new to
    Sharepoint as an admin but I have experience in other system like AD, Exchange, SQL. The evolution of this Sharepoint system here brought it to the point that the developers have too much admin rights and the system is not working well. I am trying to
    find the fine line between the Administration part, my work, and the developers part and not steeping on the developers toe's.
    Best regards Olafur_s<o:p></o:p>
    Icelandic DBA admin

  • EJB and access controll???

    Hi all,
    I have a question about access control via EJB,
    For example I have a client app�ication and on start I will prompt user for user name and password, and now what to do with this information how to pas it to the ejb server, or??? Or may be some of you have any link to tutorial as an answer? My EJB will access database and I want to use the access control from database.
    Thank you in advance.

    Hi Eshwa,
    thank you for your reply, I found a nice developer guide on the link that you give me, but I steal have a problem with undestanding of practical way to pas user information from client application to ejb server, may be you can give mi a pice of code or an small example, where is geted 2 String (user name and password) and sent to the ejb server to be autentificated, and then to have acces to the resources that is accessable for this user (discribed in the deployment description user - role).
    Anyway thank you again.
    Best regards Alexander Hincu .

  • 2-way SSL and access control using the client certificate

    Hi,
    I'd like to configure WLS 8.1 so that the server will use the client identity extracted from the client certificate to determine whether permissions should be granted. I am having some problems.
    Details: The client can be either a Web service or a web application. The steps for authentication and authorization should be:
    - The client sends a request to an Apache server (DMZ) which will then be forwarded to WLS.
    - The client's identity, common name from the X.509 certificate, is mapped to the "username" (using WLS default identity assertion provider).
    - Validate whether the client should be trusted (via the list in the trusted credentials)
    - Check whether the resource should be granted based on the "username".
    The on-line manual says
    "If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires that the Web browser or Java client have an identity."
    "The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource. For information on configuring users on the server, see Creating Users in Managing WebLogic Security."
    So the questions I have are:
    - If the client identity is certificate based, why should we configure users with the "user name" and "password"? How can we get around it?
    - Once I defined the security condition for my app to use "user name of the caller," a default username and password prompt automatically popped up.
    Apparently, the SSL mutual authentication configuration and the default authentication provider to use the X.509 type didn't take any effect.
    - Without defining the security policy for the application, the debugging messages show that
    getRoles(): input arguments: subject:0
    Entitlement - <Role:Annonymous with expr:Grp(everyone)>
    Any suggestions? Thanks.

    Hi,
    I am trying to use 2 way ssl using webservices client , here is my code :
    AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
    SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
    WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
    // clientCredentialFile stores in PEM format the public key and
    // all the CAs associated with it + then the private key. All this in // a concatenated manner
    FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
    // private key password
    String pwd = "password";
    adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
    adapter.setVerbose(true);
    adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
    adapter.setStrictCheckingDefault(false);
    factory.setDefaultAdapter(adapter);
    factory.setUseDefaultAdapter(true);
    boolean idAvailability = false;
    UNSLocator locator = new UNSLocator();
    URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
    UNSPort unsprt = locator.getUNSPort(portAddress);
    idAvailability = unsprt.isIDAvailable("Yulin125", "C");
    System.out.println("Got from method :"+idAvailability);
    After runing this code i am getting the following exception :
    AxisFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
    faultSubcode:
    faultString: java.net.SocketException: Software caused connection abort: socket write error
    faultActor:
    faultNode:
    faultDetail:
    I am using .pem (clientsigned,clientinter,clientroot, root-key) files for client authentication and i am using server.jks as a keystore for my server authentication.Once i run this code , i am able to present the server certificate chain to the client but i am not able to present the client certificate chain to server.
    I am stuck with for quite sometime.
    Some insight needed from the guru's

  • Why no warnning as INVISIBLE  in  package and access control ?

    Hi all.
    I have made sample source:
    ---------- Stock.java----------
    package stock;
    public class Stock {
    private int x=1;
    int y=2;
    protected int z=3;
    ---------- PrintStock.java ----------
    package printstock;
    public class PrintStock extends stock.Stock{
    public static void main(String[] args) {
    PrintStock ps = new PrintStock();
    ps.pl();
    public void pl(){
    // System.out.println(x);
    // System.out.println(y);
    System.out.println(z);
    -----------------SampleC.java----------------------
    package stock;
    public class SampleC {
    public static void main(String[] args) {
    printstock.PrintStock ps = new printstock.PrintStock();
    Stock s = (Stock) ps;
    System.out.println(s.y); // *1
    System.out.println(ps.y); // *2
    When I use the eclips, *2 gets warning INVISIBLE.
    But when I use the JDeveloper 11.1.2.1.0,
    *2 gets no warning.
    And when I run the sources on JDeveloer 11.1.2.1.0,
    I get Error INVISIBLE.
    This is a bug of JDeveloper 11.1.2.1.0 ???
    Or is there an option parameter for warning INVISIBLE ?
    Regards,
    Moto

    Hi Frank!
    Please check the behave on Eclips.
    You might get the warning before run.
    But you have no warning the behave on JDeveloper.
    You might get the Error in running.
    Thanks
    Mototaker

  • Strange behavior of auto-create destionations and access control

    I'm noticing some strange behavior that looks like a bug in IMQ 3.5 SP1 (and earlier). I can't find any mention of this in the Sun Bug parade so I thought I'd ask here.
    Background:
    1) Admin-created queue named 'foo' exists. Verified with imqcmd.
    2) User 'bob' wants to access 'foo' as a consumer.
    3) accesscontrol.properties, relevant sections:
    queue.foo.consume.allow.user=bob
    queue.create.deny.user=*
    4) When config.properties has:
    imq.autocreate.queue=false
    then the connection works fine.
    5) However when config.properties has:
    imq.autocreate.queue=true
    the following error is provided when connecting:
    com.sun.messaging.jms.JMSSecurityException: [C4077]: Client is not authorized to create destination : foo
    My reading of the manual says that user 'bob' should be able to connect to destination 'foo' even though he doesn't have the queue creation privilege because 'foo' is an administratively created queue that already exists.
    A short term workaround is to allow all users to have the create privilege. This is not a good thing from a security design standpoint. I want only one user to have this privilege and all others should not have it. Unfortunately, without this privilege, all other users can no longer connect.
    Thanks in advance for any help you can provide on this issue.

    I've reproduced this and it sure looks like a bug. I've submitted bug:
    5024685 ACLs: queue.create.deny.user=* and imq.autocreate.queue=true interact poorly
    I think the best workaround is to set imq.autocreate.queue=false
    and administratively create all destinations.

  • IPrint secure, DLU and access control

    Hi all.
    Environment: iPrint 4.20, Novell client 4.91SP1 with pathces, Zen 65SP2
    Netware 6.5 SP5 two node cluster.
    I just switched to using "high" security for iPrint printers and
    immediately stumbled into strange problem.
    When I log in as a student (zen 6.5SP2 volatile DLU user) first login
    goes fine and novell client passes credentials to iPrint client just
    fine. BUT each successive logins with that same account causes printer
    login to fail with message "Printer login failed. Do you want to retry".
    login also takes very long time to complete. Novell client login goes
    thru without problems.
    IOW if I do logout-login with same student account printer login fails.
    If I login as staff member (no zen DLU) all logins go thru just fine.
    I can't see what is wrong in student credentials. If I look at iPrint
    settings "passwords"-tab those settings are right.
    How to debug what is going on in those failing logins?
    Timo Pietil

    Jouko Oksanen wrote:
    > Timo Pietil wrote:
    >> Hi all.
    >>
    >> Environment: iPrint 4.20, Novell client 4.91SP1 with pathces, Zen
    >> 65SP2 Netware 6.5 SP5 two node cluster.
    >>
    >> I just switched to using "high" security for iPrint printers and
    >> immediately stumbled into strange problem.
    >>
    >> When I log in as a student (zen 6.5SP2 volatile DLU user) first login
    >> goes fine and novell client passes credentials to iPrint client just
    >> fine. BUT each successive logins with that same account causes printer
    >> login to fail with message "Printer login failed. Do you want to
    >> retry". login also takes very long time to complete. Novell client
    >> login goes thru without problems.
    >>
    >> IOW if I do logout-login with same student account printer login fails.
    >>
    >> If I login as staff member (no zen DLU) all logins go thru just fine.
    >>
    >> I can't see what is wrong in student credentials. If I look at iPrint
    >> settings "passwords"-tab those settings are right.
    >>
    >> How to debug what is going on in those failing logins?
    >
    > Moi Timo,
    >
    > Do you mean that the first time when you login as "totally" new (first
    > time ever in the pc) DLU user to this workstation everything is ok but
    > after second login things start to go wrong?
    Yes and no. If I reboot, then login works again just as it should.
    > If yes, is there something
    > still left behind from volatile user??
    hmm... I need to look at that. There shouldn't be of course.
    Timo Pietil

  • Compass Server and Access Control

    Hello,
    i would like to know the following: Is it possible to make an entry in db-schema for the authentication for reading an article. E. g. i make an entry with number 1 for an article. Only users, who have an entry in LDAP with number 1, can gain access for this article. I hope you know what i mean! :-)

    I am using WL9.2 MP2. I am starting my servers in production mode. Below is the log configuration<log>      <file-name>logs/myservera_%yyyy%-%MM%-%dd%-%HH%-%mm%.log</file-name>
          <rotation-type>bySize</rotation-type>
          <number-of-files-limited>true</number-of-files-limited>
          <file-count>10</file-count>
          <file-min-size>20</file-min-size>
          <rotate-log-on-startup>true</rotate-log-on-startup>
          <log-file-rotation-dir>/archive/myserver/</log-file-rotation-dir>
          <log-file-severity>Debug</log-file-severity>      <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
        </log>My domain does not reside in the default BEA_HOME.. user_domain directory. I created it in /work/mydomain. I noticed if i were to rotate it to any directory under /work, the rotation works. But if i rotated it out , in this case /archive directory, it does not work. I have checked the files permissions of /archive directory, i could use my weblogic user touch a file in the /archive directory

Maybe you are looking for

  • Correlation.findInstanceBy...

    Hi All, I'm quite new with Correlations, and facing some problems... I have two process, A and B. Process B, define a correlation named Bcorrelation. If I run Correlation.findInstanceBy(name : "Bcorrelation", values : <the_values>) from a Global Acti

  • Using barcodes with Oracle / no 3rd party

    Is anyone aware of or doing barcodes with Oracle... be it sql/plus, reports, etc. without using 3rd party packages? I have been asked to research how we can produce documents that contain barcodes in pdf format. I have found 3rd party packages that d

  • Phone Jack is Not Working

    Hi. I have Verizon Fios in my home and I just plugged a new phone in my bedroom jack and it is not working. This jack has worked in the past and all of the sudden has stopped. (I'm guessing it's when my Fios was put in) Does anyone know what the prob

  • Help with BW Statistics

    Hi, I'm considering to install the BI Web Cockpit and was curious if I should set the collection settings to all? Set Statistics Detail Level: 0 u2013 Aggregated Data 1 u2013 Only Front End/Calculation Layer Data 2 u2013 All (Front-end & WHM) 9 u2013

  • Activation problems with iPhone 5

    Has anyone had activation problems with iPhone 5 today?? is there any kind of trouble with itunes and wireless activation??