If a finalize method is defined, it can be used to operate on an object whose construction failed: the JVM still runs the finalizer of a partially constructed object, so the method can capture `this` and resurrect the uninitialized instance. Although finalize is deprecated, a malicious subclass could still define it. The simplest defence is to detect whether a class (not an interface) has implemented finalize and, if so, replace that method with an implementation which throws a SecurityException.
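The rewrite described above, as an added example that is not part of the original text: an ASM `ClassVisitor` (the ASM library, the class name `FinalizerNeutralizer` and the helper `rewrite` are this example's assumptions) that leaves interfaces alone, passes every other method through unchanged, and replaces the body of any instance `finalize()` with a single `throw new SecurityException(...)`. The transformed bytes would be handed to whatever class loader the sandbox uses.

```java
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

/**
 * Bytecode transformer (assumed helper, not the project's own code) that neutralises
 * finalize() in classes, so a subclass cannot resurrect a half-constructed object.
 */
public final class FinalizerNeutralizer extends ClassVisitor {
    private boolean isInterface;

    public FinalizerNeutralizer(ClassVisitor next) {
        super(Opcodes.ASM9, next);
    }

    @Override
    public void visit(int version, int access, String name, String signature,
                      String superName, String[] interfaces) {
        // Interfaces cannot carry an instance finalizer that matters here; skip them.
        isInterface = (access & Opcodes.ACC_INTERFACE) != 0;
        super.visit(version, access, name, signature, superName, interfaces);
    }

    @Override
    public MethodVisitor visitMethod(int access, String name, String desc,
                                     String signature, String[] exceptions) {
        MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
        boolean isFinalize = "finalize".equals(name) && "()V".equals(desc)
                && (access & Opcodes.ACC_STATIC) == 0;
        if (isInterface || !isFinalize) {
            return mv; // unrelated method: forward untouched
        }
        // No delegate: every instruction of the original finalize() body is dropped.
        return new MethodVisitor(Opcodes.ASM9) {
            @Override
            public void visitCode() {
                // Emit: throw new SecurityException("...");
                mv.visitCode();
                mv.visitTypeInsn(Opcodes.NEW, "java/lang/SecurityException");
                mv.visitInsn(Opcodes.DUP);
                mv.visitLdcInsn("finalize() is not permitted in sandboxed code");
                mv.visitMethodInsn(Opcodes.INVOKESPECIAL, "java/lang/SecurityException",
                        "<init>", "(Ljava/lang/String;)V", false);
                mv.visitInsn(Opcodes.ATHROW);
                // Max stack: NEW, DUP, LDC = 3 slots; locals: only 'this'.
                mv.visitMaxs(3, 1);
                mv.visitEnd();
            }
        };
    }

    /** Rewrites one class file; the caller loads the returned bytes instead of the originals. */
    public static byte[] rewrite(byte[] classBytes) {
        ClassReader reader = new ClassReader(classBytes);
        ClassWriter writer = new ClassWriter(reader, 0); // no branches in the new body, so no frames needed
        reader.accept(new FinalizerNeutralizer(writer), 0);
        return writer.toByteArray();
    }
}
```

The check on the descriptor `()V` and the absence of `ACC_STATIC` matters: only the instance method with that exact signature overrides `Object.finalize()`, so a static or overloaded method named `finalize` is not a finalizer and is left as written. The transformer only protects classes that pass through it, so it has to sit in front of every loader the sandboxed code can reach.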