Don't Depend on Initialization
In Java it is common practice to set up class invariants in the constructor. Every variable that the program needs in order to run properly should be initialized there. Code in the other public methods often relies on the conditions established in the constructor, and it is often assumed that these methods will never be called before the constructor has fully executed. That assumption is unsafe: if an object can be created without its constructor running, its methods can be run without the crucial invariants in place. This opens up a possible means of attack for someone trying to access your code. As a result, it is necessary to make sure that the object has been properly initialized before any method in the class is executed. This may seem like a moot point, but in Java there are a few ways to allocate objects without calling a constructor of that object.
All of these methods will be covered in more detail in subsequent sections of this paper. It is possible to generate a byte array that can be deserialized into a Java object.[7] By calling an object's clone method, it may be possible to create a new object without calling a constructor. With XML it is possible to "unmarshal" an XML file in order to create a new instance of an object.[7] All of these methods bypass the constructor and subsequently bypass any security measures or class invariants that the constructor sets up. The class invariants are not established, and the value of any field in the object is at the discretion of the person creating the serialized byte array or the XML file.
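One way to implement the initialization check described above, shown here as an added example that is not code from the original paper. The class `Account`, its `initialized` flag and the `checkInitialized()` helper are hypothetical names; the serialized bytes are constructed in the program by writing out a valid object.

```java
import java.io.*;

public class InitCheckDemo {
    // Hypothetical class whose invariant (balance >= 0) is set up in the constructor.
    static class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long balance;
        // transient: never read from a serialized stream, so it stays false on
        // any instance that was allocated without the constructor running.
        private transient boolean initialized;

        Account(long balance) {
            if (balance < 0) throw new IllegalArgumentException("negative balance");
            this.balance = balance;
            this.initialized = true;   // set last, once every invariant holds
        }

        // Called first in every public method.
        private void checkInitialized() {
            if (!initialized) throw new IllegalStateException("Account not initialized");
        }

        public long getBalance() {
            checkInitialized();
            return balance;
        }
    }

    public static void main(String[] args) throws Exception {
        Account original = new Account(100);
        System.out.println("constructed: " + original.getBalance());

        // Constructed sample input: serialize a valid object, then read it back.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(original);
        }
        Account copy;
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            copy = (Account) in.readObject();   // Account's constructor does not run here
        }
        try {
            copy.getBalance();
        } catch (IllegalStateException e) {
            System.out.println("deserialized copy rejected: " + e.getMessage());
        }
    }
}
```

A class that must accept serialized instances would re-validate its fields in a private `readObject` method and set the flag only after those checks pass.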