Java is an object oriented language with a syntax that is very similar to that of C++. The important features of the language from a security standpoint are the use of access control for variables and methods within classes, the safety of the type system, the lack of pointers as a language data type, and the use of packages with distinct namespaces.
Java, like C++, has facilities for controlling the access to the variables and methods of objects. These access controls allow objects to be used by non-trusted code with the guarantee that they will not be used improperly. For example, the Java library contains a definition for a File object. The File object has a public method (callable by anyone) for reading and a low level private method (only callable by the objects methods) for reading. The public read call first performs security checks and then calls the private read. The Java language ensures that non-trusted code can safely manipulate a File object, providing only access to the public methods. Thus, the access control facilities allows programmers to write libraries which are guaranteed by the language to be safe by correctly specifying the library's access controls.
A second facility for providing access control is the ability to
declare classes or methods as final. This provides the ability
to prevent a malicious programmer from subclassing a critical library
class or overriding the methods of a class. Thus, the language
guarantees that the actual method that is invoked on an object is the
finalized method that was written for the object's compile time
type.
This
provides a guarantee that certain parts of an object's behavior have
not been modified.
The Java language is also designed to be a type-safe language. This means that the compile time type and the runtime type of variables are guaranteed to be compatible. This ensures that casts (operations that coerce a runtime type to a given compile time type) are checked at either compile time or runtime to make sure that they are valid. This prevents the forging of access to objects to get around access control. Using our File example from before, this prevents the malicious code from casting a File object to the malicious code's MyFile type which has the same layout as the File type, but with all methods public.
Another safety feature is the elimination of pointers as a data type. This means that pointers cannot be directly manipulated by user code (no pointer arithmetic). This prevents both malicious and accidental misuse of pointers (running off the end of an array for example). Again using our File example, this prevents the malicious code from simply accessing the private method directly by using pointer arithmetic starting with the File object's pointer. Clearly this type-safety is a necessary part of the access control facilities of objects, preventing forging (note that this safety is clearly lacking in C++).
Finally, the Java language uses packages (similar to modules in Modula-3, or packages in Common Lisp) to provide namespace encapsulation. From a safety standpoint, packages are useful because they allow downloaded code to be easily distinguished from local code. In particular, this prevents downloaded code from shadowing system library code with malicious code. The Java language guarantees that when a class is referenced the system first looks in the local namespace, and then in the namespace of the referencing class. This also guarantees that a local class cannot accidently reference a downloaded class.