March 25, 2014

Why String is immutable or Final in Java?

Why String is made immutable in Java? Well this is one of the most popular interview questions in Java. Isn't it?

The interviewer might starts with, What is String? How a Java String is different than String in C and C++? And then shift the focus on String Immutablity.

The interviewer will ask you about the benefits of immutable object. He might ask you, why do you use it and in which scenarios.

The interviewer can ask the same question in different way like, Why STRING is FINAL in Java?

In short, Security and String pooling are primary reason of making String immutable. Here are the detailed reasons why Strings are made immutable or final in Java:

1) String pool requires string to be immutable otherwise shared reference can be changed from anywhere.

Let's imagine Strings are mutable, now imagine a String pool facility. Now think, is this a valid scenario? Well its not, because in case of string pool one string object or a literal let's say "ABC" has referenced by many reference variables, that means if any one of them change the value others will be automatically gets affected.

For e.g:

String x = "ABC";
String y = "ABC";

Now String y called "ABC".toLowerCase(), this will change the same object into "abc". So the object x will also have "abc", which is not desirable.

2) From opening a network connection, or passing a host-name or port number, or database URL as string for opening database connection, or to open any file in Java by passing name of file as argument to File I/O classes, STRINGS are widely used as parameter in Java applications.

This would lead serious security threat if String are made not immutable. Someone can access any file for which he has authorization, he/she then can change the file name either deliberately or accidentally and gain access of those file.

e.g:
You need to open a secure file which requires the users to authenticate themselves. Let's say there are 2 users 'Ram' and 'Shyam' and they have their own password files, 'RamPass' and 'ShyamPass', respectively. 'Ram', should not have access to 'ShyamPass' and vice-versa.

As filenames in Java are specified by using Strings, so while creating a FILE object you pass the name of the file as a STRING only.

'Ram' should have logged into using his credentials and then could have managed to change the name of his password file from 'RamPass' to 'ShyamPass', before JVM actually places the native OS system call to open the file. Thus 'Ram' can access the password file of 'Shyam', this will result into a big security flaw. As the Strings are immutable, JVM can be sure that the filename instance member of corresponding FILE object would keep pointing to the same unchanged 'filename' STRING object. The 'filename' instance member being a FINAL in the FILE class, hence cannot be modified to point to any other STRING object, specifying any other file than the intended one.

3) STRINGS can be safely shared between many threads as since STRINGS is immutable. This is very important for multithreaded programming and to avoid any synchronization issues in Java, Immutability also makes STRING instance thread-safe. Which means you don't need to synchronize STRING operation externally.

Another important point to note about STRING is memory leak caused by 'SubString', which is not a thread related issues but something to be aware of.

4) Being immutable a String in Java caches its hash-code, and do not calculate every time we call hash-code method of String, this makes it very fast as hashmap key to be used in hashmap in Java. Hence no one can change its contents once created which guarantees hashCode of String to be same on multiple invocation.

-K Himaanshu Shukla..



Copyright © 2014 - ScrutinyByKHimaanshu

No comments:

Post a Comment

RSSChomp Blog Directory