jackrabbit-dev mailing list archives

From Thomas Müller <thomas.muel...@day.com>
Subject Re: [jr3] Security through obscurity
Date Wed, 26 May 2010 13:12:42 GMT
> Not exposing implementation details through public API
> is a basic OO design principle.
> I think with a proper design and packaging, this will not be a problem.

I don't think you talk about the same thing here.

Proper OO is using interfaces, and not casting to implementation classes.

For example, constructors. Those need to be public if you want to
construct a new object in a different package. How do you create a
org.apache.jackrabbit.j3.nodetype.NodeTypeManagerImpl from a different
package, say, org.apache.jackrabbit.j3.SessionImpl, without public
constructor or public method? Maybe there is a way to do that. For you
it may even be a "proper design", "modular" or whatever. Like what
Jukka just made (adding an indirection class). For me, that's plain
confusing, overly complex, and bad (it's security through obscurity).
The direct way (having a public constructor) is the best solution.
That was just an example. There are many other cases, for example
org.apache.jackrabbit.j3.NodeImpl.doAddLock(..).

Regards,
Thomas
