Regarding singleton poor design

Question

I have one class that is the below one..

public class DataBaseDAO { 
    private DataBaseDAO() { }
        public static synchronized DataBaseDAO getInstance() {
            if (dao == null) {
                dao = new DataBaseDAO();
                }
            return dao;
            }
        }
    }

Now this getinstance() method can be hacked: In other words this singleton can be hacked and more objects could be created.

How can I make this secure?
This can be broken through reflection, classloaders and deserilizaton.
Should I go for synchronized block instead of putting synchronization on whole method?
Will it make impact on the performance?

Thanks folks ,actually I don't want to introduce the new enum since in existing structure then many changes will take place , I was looking how can I IMPROVE THE EXISTING SINGLETON WITH THE CURRENT APPROACH OF WITHIN CLASS ITSELF..!!

Take a look at [What is the best approach for using an Enum as a singleton in Java?](http://stackoverflow.com/questions/427902/what-is-the-best-approach-for-using-an-enum-as-a-singleton-in-java) — maba, Aug 08 '12 at 15:12
[Enum is the best way to implement singleton in Java.][1] NOTE: Singletons are generally considered a bad practice. [1]: http://stackoverflow.com/questions/70689/what-is-an-efficient-way-to-implement-a-singleton-pattern-in-java — Aravind Yarram, Aug 08 '12 at 15:12
And dont put your getInstance method in the constructor, because this way it doesn't compile — Balázs Édes, Aug 08 '12 at 15:13

Peter Lawrey · Accepted Answer · 2012-08-08T17:05:18.287

2

You can do much the same more securely with

public enum DataBaseDAO { 
    INSTANCE
}

e.g. You can use reflection to use a private constructor with setAccessible(true) but not create a new enum instance.

Instead of

DataBaseDAO.getInstance().whateverMethod()

you can use

DataBaseDAO.INSTANCE.whateverMethod()

edited Aug 08 '12 at 17:05

answered Aug 08 '12 at 15:20

Peter Lawrey

525,659
79
751
1,130

1

Could you please explain it as in my design the singleton is returning dao..!1 – user1582269 Aug 08 '12 at 16:13
1

Added an example. Sometimes its so simple you can miss it. ;) – Peter Lawrey Aug 08 '12 at 17:05

score 1 · Answer 2 · answered Aug 08 '12 at 15:25

Actually you should not worry about getting your singleton hacked. Generally singletons are considered a bad (outdated) design practice (they tend to get in the way sonner or later, cause scalability issues and make testing needlessly complicated).

You have defined a clear access method, its not your responsibility (as designer or programmer) to prevent the clever hacker going out of his way to abuse your singleton. There are project guidelines to prevent this.

score 0 · Answer 3 · answered Aug 08 '12 at 15:13

0

You need to use with Double-checked locking, Singleton pattern check this links :

http://www.ibm.com/developerworks/java/library/j-dcl/index.html

http://onjavahell.blogspot.co.il/2009/04/uses-of-singleton-design-pattern-in.html

answered Aug 08 '12 at 15:13

prilia

996
5
18
41

2

Why does he *need* to use **Double-checked locking, Singleton pattern**? – maba Aug 08 '12 at 15:15
That pattern is only a performance improvement when you don't want to have the whole method synchronized. It doesn't secure the class any more than it is already secured. – tibtof Aug 08 '12 at 15:17
You are right, it is not connected to reflection, classloaders and deserilizaton... the question related to PARANOID ENGINEERING ... I send an answer to other question ... (how to create working Singleton in multithreaded env.) – prilia Aug 08 '12 at 15:18
It's 2012, not 2002 we have enums and static holder idiom! – Boris Treukhov Aug 08 '12 at 15:31
can you send some links for example, pls. – prilia Aug 08 '12 at 15:32
http://stackoverflow.com/questions/70689/what-is-an-efficient-way-to-implement-a-singleton-pattern-in-java – Boris Treukhov Aug 08 '12 at 15:33

score 0 · Answer 4 · answered Aug 08 '12 at 15:18

The following 3 approaches are all safe, the first two through the class loading mechanism, the last one through synchronization.

Also you cannot protect yourself from Reflection unless you use SecurityManagers and I think that is pretty complicated.

Another Note: Don't use Singletons ;-P

class YourClass
{
    public static final YourClass instance = new YourClass();
}

// or

class YourClass2
{
    private static final YourClass2 instance = new YourClass2();

    public static synchronized YourClass2 getInstance()
    {
        return instance;
    }
}

// or

class YourClass3
{
    private static YourClass3 instance;

    public static synchronized YourClass3 getInstance()
    {
        if (instance == null)
            instance = new YourClass3();
        return instance;
    }
}

Regarding singleton poor design

4 Answers4