[cap-talk] Java coding rules for capability discipline
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Wed Nov 3 21:24:09 EST 2004
David Hopwood wrote:
> Stiegler, Marc D wrote:
>>> How do you then guarantee that there is only one
>>> user of a single-access resource? For example, a
>>> manager of something like a database resource would
>>> often use a static variable to enforce its one-ness.
>
> There is no such thing as a single-access resource. "Global"
> or "static" variables in most languages are actually per-process
> variables. What makes this incompatible with capability discipline
> is that these per-process variables are accessed implicitly, rather
> than via capabilities or references.
>
> There are resources that are single-access within a given context.
> That context should be modelled as an object. For example, database
> resources should normally be obtained from a database instance
> or a database connection. This often improves the flexibility of
> APIs independent of any security considerations (see
> <http://c2.com/cgi/wiki?SingletonGlobalProblems>).
>
> Cap-secure languages usually support nested lexical scoping. In that
> case, it is as easy to limit the scope of any given variable to just
> what is needed, as it is to use a global/static variable or singleton.
I'd like to expand on this a bit. Suppose, for the sake of argument,
you took a typical Java application and moved all of the static/global
state into an "Application" class, then changed all references to static
variables to access an instance of this class.
This would satisfy the letter of the requirement to avoid implicit
access to mutable state, but the resulting Application class would
probably be a big mess of mostly unrelated code and fields, violating
both POLA and other OO design principles. In particular, it would be a
good candidate for several iterations of <http://c2.com/cgi/wiki?ExtractClass>
refactoring.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
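The contrast drawn in the message above, as an added Java example that is not part of the original thread: a resource whose "one-ness" is enforced by a static variable and reached implicitly, beside the same resource modelled as an ordinary object whose constructing scope decides who gets a reference and with how much authority. An audit log stands in for the database resource; all class names (AmbientAuditLog, AuditLog, Recorder, PaymentProcessor, CapabilityDemo) are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

// Before: uniqueness is enforced by a static field, and any code in the
// process can reach the resource implicitly (ambient authority).
class AmbientAuditLog {
    private static final List<String> ENTRIES = new ArrayList<>();
    static void record(String entry) { ENTRIES.add(entry); }
    static List<String> entries() { return ENTRIES; }   // readable by anyone
}

// After: the log is a plain object. There is still exactly one of it within
// the context that created it, but access is only via references.
final class AuditLog {
    private final List<String> entries = new ArrayList<>();
    void record(String entry) { entries.add(entry); }
    List<String> snapshot() { return List.copyOf(entries); }
    // Attenuated facet: grants the ability to append, not to read.
    Recorder recorder() { return this::record; }
}

@FunctionalInterface
interface Recorder { void record(String entry); }

// A component receives only the facet it needs, as a constructor argument,
// rather than looking up a global. Its authority is visible in its signature.
final class PaymentProcessor {
    private final Recorder audit;
    PaymentProcessor(Recorder audit) { this.audit = audit; }
    void charge(String account, int cents) {
        // ... perform the charge ...
        audit.record("charged " + cents + " to " + account);
    }
}

public class CapabilityDemo {
    public static void main(String[] args) {
        // The composition root is the only scope holding the full AuditLog;
        // everything else sees a lexically scoped, attenuated reference.
        AuditLog log = new AuditLog();
        PaymentProcessor pp = new PaymentProcessor(log.recorder());
        pp.charge("acct-42", 1999);
        System.out.println(log.snapshot());
        // PaymentProcessor cannot read the log: it only ever held a Recorder.
    }
}
```

The cohesive split into AuditLog, Recorder and PaymentProcessor is what the ExtractClass refactoring mentioned above yields; a single Application object holding every former static field would preserve the explicit-reference rule but would still hand each component far more authority than it needs.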