Salesforce Apex Tutorial Chapter 20: Apex Security


Posted on December 7, 2021, in Salesforce Apex Tutorial.

The security of your code is crucial when using Apex. Apex security is the implementation of security settings and the enforcement of the current user's sharing rules inside the code of a running process. By default, Apex code runs in system context: it has access to all objects and fields, and the active user's object permissions, field-level security (FLS), and sharing rules are not enforced.

We should avoid exposing to the user data that is hidden from them through security or sharing settings. Therefore, Apex security and the enforcement of sharing rules are of prime importance.

Apex provides keywords that control the sharing mode of a class: with sharing, without sharing, and inherited sharing.

Let’s take a deep dive into these keywords.

With Sharing keyword:

When you define an Apex class using the with sharing keyword, the Apex code enforces the sharing settings of the current user. Only record-level sharing settings are enforced; the profile's object and field permissions are still not taken into consideration.

Syntax:

public with sharing class WithSharingController {
    // Code here
}

Example:

Let's take an example of a custom object with 25 records whose OWD (organization-wide default) is set to private. The current user has access to only 15 records; the rest are inaccessible under the current user's sharing settings. If the class queries the custom object records, it will fetch only the 15 records accessible to the current user.

public with sharing class WithSharingController {
    // Sharing rules are enforced when code in this class executes.
    // The query asks for up to 25 records, but only the 15 records
    // accessible to the current user are returned.
    static List<Custom_Object__c> customList = [SELECT Id, Name FROM Custom_Object__c LIMIT 25];

    public static void getResult() {
        System.debug('customList ::: ' + customList.size());
    }
}

Without Sharing keyword:

When you define an Apex class using the without sharing keyword, the Apex code does not enforce the sharing settings of the current user. To make sure that your class does not enforce the sharing rules for the current user, use the without sharing keyword when declaring the class. This also lets you explicitly disable sharing rule enforcement in a class that is called from another class declared with sharing.

Syntax:

public without sharing class WithoutSharingController {
    // Sharing rules are not enforced when code in this class executes.
}

Example:

In the class below, the query fetches all the records, even those that are not accessible to the current user.

public without sharing class WithoutSharingController {
    // The query asks for up to 25 records and, because sharing is not
    // enforced, all 25 records are returned regardless of the user's access.
    static List<Custom_Object__c> customList = [SELECT Id, Name FROM Custom_Object__c LIMIT 25];

    public static void getResult() {
        System.debug('customList ::: ' + customList.size());
    }
}

Inherited Sharing keyword:

When declaring a class, use the inherited sharing keyword to enforce the sharing mode of the class that calls it (the parent class). With inherited sharing, the sharing mode is determined at runtime, so you can design Apex classes that run in either with sharing or without sharing mode depending on the caller.

By using inherited sharing, along with other security checks, you can pass the AppExchange security review and ensure that your Apex code will not be used in unexpected or insecure ways. Apex classes with inherited sharing run as with sharing when they are used as an Aura component controller, a Visualforce controller, an Apex REST service, or any other entry point to an Apex transaction.

Syntax:

public inherited sharing class InheritedSharingController {
    // Code here
}

Example:

public inherited sharing class InheritedSharingController {
    public List<Contact> getRecordList() {
        return [SELECT Name FROM Contact];
    }
}
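The following added example (not code from the original post) shows how one inherited sharing class yields different results depending on its caller. It assumes the post's own scenario: a custom object Custom_Object__c with 25 records, OWD private, and a current user who can see 15 of them.

```apex
// Added example, not from the original post. In a real org each class
// lives in its own .cls file; they are shown together for readability.
// Assumes Custom_Object__c: 25 records, OWD private, user can see 15.

public inherited sharing class RecordCounter {
    // The sharing mode of this query is decided by the caller at runtime.
    public static Integer countRecords() {
        return [SELECT COUNT() FROM Custom_Object__c];
    }

    // Used directly as a transaction entry point (here a Lightning
    // component controller), inherited sharing defaults to with sharing,
    // so this returns 15.
    @AuraEnabled
    public static Integer countFromComponent() {
        return countRecords();
    }
}

public with sharing class SharingCaller {
    // The caller enforces sharing, so RecordCounter runs as with sharing
    // and countRecords() returns 15.
    public static Integer run() {
        return RecordCounter.countRecords();
    }
}

public without sharing class NoSharingCaller {
    // The caller bypasses sharing, so RecordCounter runs as without sharing
    // and countRecords() returns 25. Callers like this widen what the
    // shared class exposes, so they deserve review.
    public static Integer run() {
        return RecordCounter.countRecords();
    }
}
```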

Virtual Keyword: If a class is defined with the virtual keyword, it can be extended and its methods overridden. If method overriding is required, the class must be declared with the virtual keyword.

public virtual class MyVirtualClass {
    // A virtual method may be overridden by a subclass.
    public virtual void read() {
        System.debug('Read some text.');
    }
}

Abstract Keyword: If a class is defined with the abstract keyword, it must contain at least one method declared with the abstract keyword, and that method has only a signature, no body.

public abstract class AbstractClass {
    // Signature only; a concrete subclass must provide the body.
    abstract String myAbstractMethod();
}