Book: Writing secure code

April 3, 2009

Have there been any inventions in human history which are as insecure as the softwares we use today? Just pull up the news in the last couple of weeks:

1. Google shares Docs without your permission: March 7, 2009 and again on March 26, 2009

2. Facebook reveals private photos on wall posts: March 20, 2009

3. Safari browser cracked in 2 seconds: March 18th, 2009

4. Cached data exposes 20,000 Credit cards: March 20, 2009

If you actually go through SANS list, you will be scared. And that is the world we live in today.

writing_secure_code1

Writing Secure Code

An enormous number of softwares have been written, deployed, and exposed over the Internet in the last 10 years without enough thought on Security, and thus Security is going to be a huge huge thing for the next 10 years. After all, you have to clean up your own shit, right (unless you are a dog) ?

I started this book about a month ago, and I just finished it today. Written by Michael Howard and David LeBlanc from Microsoft, the book mostly talks in reference to C/C++, and the Dot Net framework. But unlike all other books that talked about Cryptography, secure protocols and algorithms, this book actually talks about writing secure code on a daily basis, and develops some principles for building secure software. In that sense, although a little old and a little too big, this book is an awesome read for someone wanting to write secure code. While Absolute Security is a Myth, at least you can make it difficult for attackers to exploit the vulnerabilities.

Every good developer is a hacker himself. So the book goes into details of Buffer overflows, Integer overflows, Cross-site Scripting, Sql Injections, Code Access Security, Using proper Access Control Lists, Cryptographic Techniques and its proper use, Encoding and Internationalization, Canonicalization etc.

The book argues that Security should be part of the design rather than an add-on at the end of coding. You should define your trusted and untrusted boundaries, analyze all the threats involved, and evaluate risks associated with the threats, and define your security goals based on the risk factor. All this should be a fairly short, simple and high level process, but it will tell the developer what you need to pay extra attention to and tell the QA what you need to watch out for. Through code review only, you can reduce your bugs by 80%, and most of the bugs found in code review will hardly ever be found through QA testing.

The most interesting side of the book is how it relates all the security problems to some breach of fundamental security principles. Just for my own reference, there are a quite a few security principles stated in the book that should be built into every developer’s subconsciousness:

1. Minimize the attack surface. (Think of hidden fields in forms)

2. All input is evil, unless proven otherwise. Also, assume all external systems you talk to are insecure. (Think whatever you want.)

3. Use principle of least privilege. Use elevated privilege only when you have to, and use it for the shortest amount of time possible.

4. Use defense in depth. Use OS level ACLs as the last line of defense.

5. Avoid security through obscurity. (Microsoft ?)

6. Security features != Secure features. Also don’t ever write your own encryption algorithms (unless ?).

7. Client-side security is an Oxymoron. Don’t try it (at work or otherwise).

All in all, this book has completely changed the way I used to look at my own code and systems, and has definitely made me a better developer and a thinker.

Now I see loopholes everywhere in my own code. Am I guaranteed to be safe from SQL Injection attacks just because I used parameterized query? Am I safe from Cross-site Scripting attacks just because I encoded the output? What if the attacker doesn’t use a browser? Did I canonicalize the filenames after the input? Although the language I use isn’t vulnerable to buffer overflows, am I safe from Integer overflows? What user is my application running as? What if somebody has already hacked into my system? While its not possible to chase after every theoretical bug within the code, we can at least prevent the ones that are obvious or extremely malicious.

But its businesses that build softwares, right? So here comes the million dollar question:

Is it possible to write highly secure softwares without costing extra money and substantial time for the company?

Answer: In general, at least most of the time, YES! Writing secure software is a habit more than anything else. However secure code is only a small piece of the puzzle, and cannot alone make the system secure if other basics are violated.

WordPress @ Slicehost

March 26, 2009

So I finally moved this blog from a shared-hosting with Godaddy to Slicehost 256MB VPS slice running Ubuntu Hardy . The whole process of setting up DNS and installing Apache, MySql, Postfix and WordPress (including my favourite theme and plugins) was very easy, and I didnt run into any problems. I did back up my database with Godaddy before migration, but the ‘Export/Import as XML’ seemed to work just fine. All in all, I was able to get it up and running in about an hour with all the content migrated. When there are documents like Mensk.com and Slicehost Articles, you really don’t have anything left to think.

With that saying, I really wanted to get rid of WordPress this time, or any other WordPress wannabes. WordPress is an awesome piece of software, but it’s just not what I ideally would like to have.

1. WordPress isn’t really suited for posting long snippets of code. If you want to get it working, you end up spending some time trying to fix those endcoding, line wraps and syntax highlighting issues.

2. WordPress is just too big for me. I don’t need those fancy features.

3. I don’t need databases to store some handful rants of mine. Ideally, I would like to write a blog in a text file (using some basic markup), and then just FTP it to my sever to a specific directory, and it would just work. The day I don’t want to have a blog anymore, I would just grab that directory from my server and take it with me.

4. Everytime I see a cool plugin or a theme I wanna try, I don’t want to be looking into every single line of code to see if there is anything malicious in there.

5. Every time I hear about any new vulnerability found in WordPress, I don’t want to be worried about doing an upgrade.

I did briefly go through the major blogging and some wiki softwares but they are all built around the same philosophy and more or less suffer from the same problems. At one point, I almost went with Webby (static site-generator based on Ruby), but then I would have to go through a separate plugin for comments like Disqus, which I didn’t want.

So eventually I had to decide between writing my own basic blogging software or using WordPress. I chose the latter, coz I think there are things way more important to do in the world than writing your own blogging software in 2009. Well, thats might be just another way saying that I am a loser.

Invoking Private Methods

March 3, 2009

A private modifier in Java means that the member(variable or method) can only be accessed in its own class.

By rule, you should always make a class member private unless you have a reason not to. If you want a method to be visible outside of the class, you should make it public or protected. But let’s say you encounter a case when you need to invoke the private method of another class (You might need it while writing JUnit tests, or while writing debugger tools where you need to access all public and private members.). Can you access a private method of Class B from Class A? Is it possible?

Well, yeah. Use Reflection API in Java. This will allow you to supress default Java language access control checks when using reflected members.

The AccessibleObject class within java.lang.reflect package contains a method setAccessible(boolean flag). A false flag will enforce Java Language access checks, where a true flag will supress the access checks. So by setting flag to true, you will be able to invoke a private method of another class.

Lets say we have a Calculator class which has a private method called add.

package access;

public class Calculator {
	private int add(Integer a, Integer b) {
		return a + b;
	}
}

Now, by using Reflecton, you can get a java.lang.reflect.Method object that represents the specified method. The Method object inherits from the java.lang.reflect.AccessibleObject object which provides the setAccessible(boolean flag) method that you can use to supress the access checks.

package access;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class MainApp {

	public static void main(String[] args) {

		Calculator ac = new Calculator();

		try {

			Class<?> c = ac.getClass();
			Class[] params = new Class[] { Integer.class, Integer.class };
			Method m = c.getDeclaredMethod("add", params);

			m.setAccessible(true);
			Object o = m.invoke(ac, 1, 2);

			System.out.println("The sum of the numbers is: "
					+ ((Integer) o).intValue());

		} catch (NoSuchMethodException x) {
			x.printStackTrace();
		} catch (InvocationTargetException x) {
			x.printStackTrace();
		} catch (IllegalAccessException x) {
			x.printStackTrace();
		}

	}

}

Once you set the Accessible flag to true, you can then invoke the method by passing any arguments that it requires. Running the class will print a sum of 3, which is calculated and returned by the private method ‘add’.

If you dont set the flag to true, you will get an IllegalAccessException saying:

Class access.MainApp can not access a member of class access.Calculator with modifiers “private”.

Note: If there is a Security Manager, the context in which the code is run must have the suppressAccessChecks permission.

Frozen

February 18, 2009

Imagine what would happen to the earth, if the sun was suddenly shut down for like 10 minutes (by some cosmic force). I guess the earth would be wrapped up in ice within instants, and most forms of life would be extinct within minutes. (Now some intellectually and morally bankrupt Hollywood filmmaker will steal this original imagination of mine from my blog and make a science fiction movie out of it, without any due to me. But thats not what I am worried about right now.)

We normally take the sun for granted.

I did a little research. If we are able to trap all the solar energy falling onto the surface of earth for 3 minutes, it will solve all energy needs of the world for the next 25 years.

If the above is true, then how do you justify the $600 billion and 4000 American lives (Iraqis don’t have a life. So lets not count theirs) lost during the Oil-War in Iraq? I wonder how many barrels of oil on average is a soldier that dies equivalent to. And I wonder how many years of solar energy (or any other alternative energy for that matter) is that $600 billion equivalent to.

Transaction & Batch-processing in Grails

February 1, 2009

Transaction handling is one of the more complex areas of web development. Anytime a user takes any action in the interface which demands a couple of database actions in the backend, then usually you end up having do it as transaction. For a user, everything is either a success or failure. Partial success may be either harmful to the system or doesn’t mean anything to the user. Grails, since it is built on top of Spring and Hibernate, uses their underlying mechanism to deal with transactions. While it may seem confusing in the beginning, Grails actually makes it even more easier.

Lets see it in code.

Suppose we are designing an Offers System, like the one that your bank sends notifying you of some offers and promotions on services. A simplified object structure may be like the following:

class Offer {
     String title
     String content
     Date expirationDate
     Date createdDate = new Date()

     static hasMany = [recipients: Recipient]
}
class Recipient {
     String email

     static belongsTo = [offer: Offer]
}

The relationship is fairly simple. Each Offer can have many Recipients, each Recipient belongs to an Offer.

belongsTo just means the offer Recipient will be deleted whenever the Offer is deleted, which makes sense coz we don’t want to keep the junk if the Offer itself is deleted.

hasMany lets you access to the Recipients from the Offer object. In other words, if you have the Offer object, you can do offer.recipients and get the list of all the recipients for the Offer. Cool.

Now, here is how it will work. We want to add an Offer and some Recipients. Everything should either succeed or fail. Even if only one Recipient out of thousands fail, everything should fail.

There are two ways to do transactions in Grails:

1. Method-level Transaction: By default, each Service class in grails has a transactional property set to true. So if any public method in a Service class throws a RuntimeException or any Error, the transaction will be rolled back. If you do not need this default transaction property, you can explicitly set transactional to false.

In the code below, the OfferService throws a Runtime Exception anytime it isn’t able to add the Fffer or the Recipient, and the transaction will be rolled back.
You wouldn’t get the same transactional behavior if the method throws any Checked Exception or if the transactional property is set to false.

class OfferService {

     boolean transactional = true

     def save(offer, recipients) {
         if(!offer.validate()) {
             throw new RuntimeException("Invalid offer.")
         } else {
             def result = offer.save()
             recipients.each {
            	if(!it.validate()) {
            		throw new RuntimeException("Invalid recipient")
                } else {
                  	offer.addToRecipients(it)
                }
             }
         }
     }
}

You can then catch the exception in the Controller and render a more user-friendly error message.

class OfferController {
     def save = {
    	 def offer = getOffer(params)
    	 def recipients = getRecipientList(params)
   	 try {
   		offerService.save(offer, recipients)
		flash.message = "Successfully added the offer."
   	 } catch (Exception e) {
   		log.error "Exception: " + e
 		flash.message = "An error occured, and the offer was not saved."
   	 }
     }

}

So all you need to do is make sure your Service is transactional, and that it throws a RuntimeException and not a Java CheckedException.

2. Block-level Transaction: The first approach treats everything inside the method as a single transaction. But sometimes your need more control than that. You might want to perform some actions within a transaction and do other operations regardless, or within another block of transaction within a single method.

Each domain class in grails has a static withTransaction method that takes a closure as an argument. Lets see the same thing in code using withTransaction:

class OfferService {

    boolean transactional = false

    def save(offer, recipients) {

    	Offer.withTransaction { status ->
             if(!offer.validate()) {
                  status.setRollbackOnly()
             } else {
         	  def result = offer.save()
                  recipients.each {
           	       if(!it.validate()) {
          	          status.setRollbackOnly()
                       } else {
                  	  offer.addToRecipients(it)
                       }
                  }
              }
         }

    }
}

The status object that we are calling the setRollbackOnly on is actually an instance of org.springframework.transaction.TransactionStatus class. The funny thing is it doesn’t really matter which Domain object you call the withTransaction method on. It just to mark the start and end of a transaction.

As you can guess, with this approach, you don’t need to be in a Service class to use a transaction. You can use it from inside a controller too.

In both of the process above, grails isn’t actually doing a database rollback. It is just saving the changes into the Hibernate session until the transaction is successful, at which point it commits the change to the database. So it is holding onto a lot of objects in session cache.

I have been fighting a situation where I have to batch insert a thousand of objects within a transaction. My common sense tells me I need something like nested transaction, where I could divide a large parent transaction into smaller chunks of transactions, and if one of them fails, it would trigger the parent to fail. But looking at the way Hibernate session works, I was worried that I might have to stick to plain JDBC to do it. But not anymore, coz I found this awesome doc on Hibernate Batch-processing.

Batch Processing: Each action in a Grails Controller is executed within a Hibernate Session. The session is started right before the action starts and is closed once it returns. That explains the reason for the memory issues because all the objects are being cached to the Hibernate session. Hibernate saves it to the database when the session is flushed, thus freeing the memory. The same code as above with the session cleared more frequently:

class OfferService {

    boolean transactional = false
    def sessionFactory

    def save(offer, recipients) {

    	Offer.withTransaction { status ->;
             if(!offer.validate()) {
                  status.setRollbackOnly()
             } else {
         	  def result = offer.save()
                  int i = 0
                  recipients.each {
           	       if(!it.validate()) {
          	          status.setRollbackOnly()
                       } else {
                          i++
                  	  offer.addToRecipients(it)
                          if(i % 100 == 0) {
                               sessionFactory.getCurrentSession().clear();
                          }
                       }
                  }
              }
         }

    }
}

Note: You can get the sessionFactory in a Controller similarly.
This way the Hibernate session, which is the first-level cache, is being cleared every once in a while.
This worked like a charm for me, solving all the memory issues I was having, and also speeding things up significantly.

Download Youtube video

January 11, 2009

How to download Youtube videos has been done by a number of bloggers in a number of languages. I just wanted to try it out myself in Erlang, but I had no idea where to start.

Now that I’ve decided to start, let me grab an Eddie Vedder song from Youtube:

http://www.youtube.com/watch?v=gct6BB6ijcw

And lets sniff the HTTP traffic using Wireshark to see what actually happens when we watch a Youtube video. The browser made a conection to Youtube and before it started streaming the video, the input URL got redirected to a different Youtube URL (Depending on whether Youtube is caching the video or not, it could in turn probably be redirected to a different Cache server or a different IP):

No.     Time        Source                Destination           Protocol Info
     96 3.295105    xx.xx.xx.xx        208.65.153.253        HTTP     GET /get_video?video_id=gct6BB6ijcw&t=OEgsToPDskJ6n06uQXzbbyp7xAnxK6pN&el=detailpage&ps= HTTP/1.1

No.     Time        Source                Destination           Protocol Info
    115 3.879454    xx.xx.xx.xx        209.85.239.30         HTTP     GET /get_video?origin=lax-v113.lax.youtube.com&video_id=gct6BB6ijcw&ip=xx.xx.xx.xx&region=0&signature=587F68CED7B14F380192AAB1D58942F0EAB9AE7B.6379C474E29D2B2348E1A69954D7FACFC461F964&sver=2&expire=1231731436&key=yt4&ipbits=0 HTTP/1.1

Upon playing with the new URL in the browser, I realized that the URL that Youtube gets the video from is

http://youtube.com/get_video?video_id=gct6BB6ijcw&t=OEgsToPDskJ-EKxTpxj79WK0fWWs_YjO

The param “video_id” is the same as the param “v” in the original URL. So we only need to find the value for the param “t”.
Lets look at the HTML source for

http://www.youtube.com/watch?v=gct6BB6ijcw

and see if it contains the value for the parameter “t”. Luckily, grepping for “&t=”, I found this in the source:

&t=OEgsToPDskKrsk1Xwku653CJbAXXrdJb

The value of “t” in the HTML source and the value of “t” in the redirect URL is different, but I found that both values of “t” seemed to work when appended to the URL. Oh well, I tried it again just to make sure and realized that the value of the parameter “t” changes for every request, but all values seem to work(Probably it is timestamp dependent!).

So we have a plan now:
1. Get a Youtube video URL and make a HTTP request to it.
2. Get the body of the reponse and find the value of “t” using regex pattern matching.
3. Generate the proper redirect URL using the two parameters “video_id” and “t”.
4. Make a http request to the new URL and stream the bytes and write to a file with “.flv” extension.

Here is the full source code in Erlang: 

-module(video_downloader).
-export([download/1]).

download(URL) ->
    {ok, {_Status, _Header, Body}} = http:request(URL),
    Video_URL = get_video_download_url(URL, Body),
    stream_video(Video_URL).

stream_video(Video_URL) ->
    io:format("Downloading video from ~p~n", [Video_URL]),
    {ok, {_Status, _Header, Body}} = http:request(Video_URL),
    file:write_file("myvideo.flv", Body),
    io:format("Download complete!").

get_video_download_url(URL, Body) ->
    Matcher = "&t=[A-Za-z0-9-_]*",
    {match, Start, Length} = regexp:first_match(Body, Matcher),
    T = string:substr(Body, Start, Length),
    {ok, New, _No} = regexp:sub(URL, "watch\?v=", "get_video?video_id="),
    New ++ T.

Lets run it from the Erlang shell:

1> c(video_downloader.erl).
{ok,video_downloader}
2> inets:start().
ok
3> video_downloader:download("http://www.youtube.com/watch?v=gct6BB6ijcw").
Downloading video from "http://www.youtube.com/get_video?video_id=gct6BB6ijcw&t
=OEgsToPDskLUZgy2pfyoRf-AtXCdHhYG"
Download complete!ok

Go to your current directory and use any Flv Viewer to see if the downloaded file is a working video or convert it to format of your choice and watch it offline.

I would love to give an Erlang twist to it by spawning a few concurrent processes to download videos, but this is not quite a good example to do it from by localbox – too much of Disk IO, Network IO and slow Internet connection.

Erlang – overhyped or underestimated?

November 14, 2008

Erlang is like an exotic beautiful woman with no dressing sense.

I came across Erlang about a year ago. It is a language of a kind – precise, crafted and powerful. Its been there for about two decades now, and people have been using it for serious real-time applications. But the hype Erlang is getting in the last couple of years is mostly for wrong reasons.

Having said that, its a language every programmer should look into at least once – its refreshing. And it might just be the perfect language that fits your needs.

What doesn’t Erlang have? It has its own Virtual Machine that it runs on. It is ridiculously simple to write distributed applications, with its message-passing style concurrency. It has its own database. It supports hot code swapping without even restarting the servers, and its already been proven in some telecom applications that need very high uptime. Hot code swapping is still a nightmare even in a supposedly mature language like Java which is targeted at building web applications – that have high availability and scalability.

However there are certain things that either suck or are not as convincing about Erlang.

1. Today’s mainstream developers who are used to C or Java like syntax wont find its Prolog-like syntax too friendly. Unless you started programming since the 80′s & 90′s and are used to languages of similar syntax, it will take quite some time before you get comfortable with Erlang’s weird syntax. I never felt too comfortable with the syntax.

2. While the core language itself is small and easy to learn, the libraries within the language are inconsistent, incomplete and poorly documented. I posted a couple of questions in the forums regarding how to use a library, and usually the answers would be “Don’t use that library, use the other one”. (Oh yeah, kind of like the Java JDK Logging. Please use Commons Logging.)

3. Only a few people have written production level codes and you rarely get to hear from them. All you hear from is Erlang enthusiasts, who are hyping it as the next big thing, but haven’t done more than a few labs from Armstrong book.

4. I can’t imagine how you can organize large code-bases in Erlang or even work as team, and this doesn’t feel right to any OO programmer.

5. Most of the performance matrices are one-sided, and are performed by people who have an interest in Erlang. I would love to see some independent analysis.

6. Its support for web-development is very primitive. With web frameworks like rails and grails, there is a lot of serious work for Erlang if it ever intends to go to that market.

7. Did I talk about Strings in Erlang? IO speed?

I know weaknesses aren’t as important as the strengths of a language. Erlang has it own expertise, its syntax structure, and its own audience. But the flaws of Erlang might just turn away a new programmer, even before he gets to its beauty.

If you are writing a web crawler, Erlang may very well be your choice. If you want to write a client-server, where the client makes a large no of requests, and you want to spawn concurrent processes to process the requests, Erlang could be your choice. If you want to write a Distributed Hash Table, Erlang could be your choice. Or if you are writing a video streaming server or doing system integration or writing any system utility. But a regular developer (building a CRUD application on top of a database, right? ) doesn’t have much to do with Erlang as yet. Secondly, even if you are working on those highly scalable, reliable and concrurrent systems, people have a hard time accepting Erlang along with its flaws.

The industry has a definite space for Erlang, currently and more so in future as we deal with more and more users, more data, and more forms of distribution. If not for Erlang exactly, then for an improved version of Erlang. It isn’t here to be the next Java, but to solve out the problems that Java couldn’t do smoothly in over a decade (despite having such a great community).

Erlang is going from an underestimated to an overhyped language. I wish it can convert the hype and raw interest in Erlang into something meaningful. How about a modern variation of Erlang on the Erlang’s virtual machine. Is it too late?

MD5 in Erlang

September 10, 2008

An MD5 hash for any given message is 16 bytes (128 bits) in size and is represented by a unique 32 digit Hexadecimal number.

Erlang has a built-in-function to calculate the MD5, which returns the hash in the form of a binary data-structure.

$ erlang:md5("hello").
<93,65,64,42,188,75,42,118,185,113,157,145,16,23,197,146>

But what we usually need is a string representation of the Hexadecimal value. Hence, we need to convert the Erlang Binary to a Hex-string, for which I didn’t find any BIF.

So first of all, lets convert the Binary to a list (of integers)- so that we can process it easily. Erlang has a function for converting binary to list:

$ binary_to_list(<93,65,64,42,188,75,42,118,185,113,157,145,16,23,197,146>).
[93,65,64,42,188,75,42,118,185,113,157,145,16,23,197,146]

Now, we have to convert each of the integers in the list into its hex equivalent. How do you convert an integer in Decimal system to a Hexadecimal system?

Eg. Take an integer 230. Divide it by 16.
230 div 16 = 14 In Hex, 14 is E
230 rem 16 = 6 In Hex, 6 is 6
So 230 in Hex is E6.

Now we will have to do the same for every integer in the list. I did it using the lists:map function and the applying the int_to_hex conversion to every integer:

$ lists:map(fun(X) ->
int_to_hex(X) end, L).

This will actually return a list of integers representing the (hex) string, which is how a string is represented in Erlang – a list of Integers.

The complete code is below:

-module(md5).
-export([md5_hex/1]).

md5_hex(S) ->
       Md5_bin =  erlang:md5(S),
       Md5_list = binary_to_list(Md5_bin),
       lists:flatten(list_to_hex(Md5_list)).

list_to_hex(L) ->
       lists:map(fun(X) -> int_to_hex(X) end, L).

int_to_hex(N) when N < 256 ->
       [hex(N div 16), hex(N rem 16)].

hex(N) when N < 10 ->
       $0+N;
hex(N) when N >= 10, N < 16 ->
       $a + (N-10).

Output:

$ md5:md5_hex("hello").
"5d41402abc4b2a76b9719d911017c592"

Erlang mode on Emacs

August 12, 2008

Although there are a few other editors for Erlang, I prefer to use Emacs for Erlang and its the only major reason I use Emacs for. Erlang now has an eclipse plugin too, called Erlide.

Erlang comes with the emacs mode as part of its standard distribution, so you only need to customize your emacs settings to use the erlang mode. Once you have Emacs installed (I have Carbon Emacs on my Mac OSX), create a .emacs file in your home directory (or use the one that you already have).

$ vi ~/.emacs

Then insert the following lines of Lisp code into your .emacs file.

;Erlang Mode
(setq load-path (cons  "/usr/local/lib/erlang/lib/tools-2.6.1/emacs" load-path))
(setq erlang-root-dir "/usr/local/lib/erlang")
(setq exec-path (cons "/usr/local/lib/erlang/bin" exec-path))
(require 'erlang-start)

/usr/local/lib is where my Erlang is installed, and /usr/local/lib/erlang/lib/tools-2.6.1/emacs is the location where erlang.el and erlang-start.el files are, which actually define and initialize the Emacs Erlang-mode.

Update the path and version of the tools in the above code as per your installation, and enjoy the amazing features – including the Erlang shell right from Emacs.

Java Generics and Collections

July 3, 2008

I hate these situations in coding where common sense fails you. You are supposed to know anything and everything of the language.

Suppose we have an interface Bounceable, and Baloon and GolfBall are two classes that implement the bounce() method of the interface.

public interface Bounceable {
     void bounce();
}
public class Baloon  implements Bounceable {
     public void bounce() {
          System.out.println("I am a Baloon");
     }
}
public class GolfBall implements Bounceable {
     public void bounce() {
          System.out.println("I am a GolfBall");
     }
}

We have a class Person, which takes a list of Bounceable objects and plays them.

public class Person {
     public void playAll(List<Bounceable> bList) {
          for(Bounceable b : bList) {
               System.out.println("Bounceable object: " + b);
          }
     }
}

Now, from a main method, lets try to test something. First, lets create a list of Bounceable objects and pass it to the playAll() method of the Person object.

List<Bounceable> bList = new ArrayList<Bounceable>();
bList.add(new Baloon());
bList.add(new SoccerBall());
bList.add(new GolfBall());
Person person = new Person();
person.playAll(bList);

This works great. The playAll() method is expecting

List<Bounceable>

and we just passed bList to it. Perfect!

Since Bounceable is an interface, now we would also hope that it would accept List of any subclasses of Bounceable. At least, thats what I have known of polymorphism in Java. And it works that way with Arrays. However, thats not the case with Generics and Collections.

Baloon implements Bounceable. So lets try to create a

List<Baloon>

and pass it to the

playAll()

method. But this simply doesn’t work.

List<Baloon> baloonList = new ArrayList<Baloon>();
baloonList.add(new Baloon());
baloonList.add(new Baloon());
baloonList.add(new Baloon());
person.playAll(baloonList);

This is because once we are in the

playAll(List<Bounceable> bList)

method, the list is treated as

List<Bounceable>

and we should be able to add any objects of type Bounceable.

// See, we just corrupted the baloon list with a golf ball.
baloonList.add(new GolfBall()); 

Put simply, if a method foo() takes an argument

List<x>

, you cannot pass a

List<y extends X>

, because the compiler is scared that you will take the

List<x>

and put stuffs into it that aren’t of type Y, thus corrupting the entire list type.

But there is a way that you are allowed to pass

List<Baloon>

it to the method, but you cannot modify the list. For that we have to change our method signature to:

playAll(List<? extends Bounceable> bList)

? extends X means any unspecified type of X. So we can pass

List<Baloon>

to the method with signature

List<? extends Bounceable>

and retrieve our Baloon objects back in the playAll() method, because the compiler knows that we aren’t allowed to add anything to the Baloon List.

Sigh!!!!! Interesting, isn’t it? While Generics is great feature for type safety, the way this feature is inconsistent with other features within java makes it very difficult for beginners and students to learn and feel confident about the language. With Generics, Java just turned into big and too confusing of a language.