When throwing an Exception from a constructor of a class in Java you are leaving yourself open to a security vulnerability.

Recently I have started using (T,%) in methods and constructors to validate for null i.e.

If the argument to the constructor is null then a NullPointerException is thrown from the constructor. Be aware that it is impossible to catch sneakily thrown checked types directly, as javac will not let you write a catch block for an exception type that no. Yes, constructors are allowed to throw an exception in Java. So we have arrived in the situation where there is a known security vulnerability.

The article above mentions a strategy for getting around this security flaw (ensuring the Exception is thrown before the constructor of Object is finished executing). To implement this strategy for every constructor where I want to use requireNonNull I think would be a serious overkill.

So I’m wondering what I should do?

1. Don’t ever use requireNonNull to validate for non-null in the constructor
2. Use requireNonNull in the constructor in conjunction with the strategy to avoid the security vulnerability
3.
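The strategy the post refers to (throwing before the constructor of Object has finished) can be written as below. This is an added example, not code from the post or the article it cites; the class names `Account`, `CheckedAccount`, `SealedAccount` and the helper `requireValid` are hypothetical.

```java
import java.util.Objects;

// Plain form: the implicit super() call has already completed when the check
// runs, so a partially constructed instance exists at the moment the NPE is
// thrown, and a finalizer declared in a subclass can still receive it.
class Account {
    private final String owner;
    public Account(String owner) {
        this.owner = Objects.requireNonNull(owner, "owner");
    }
}

// Hardened form: the check runs while the arguments of this(...) are being
// evaluated, which is before Object's constructor is invoked. An object whose
// Object constructor never completed is not eligible for finalization.
class CheckedAccount {
    private final String owner;
    public CheckedAccount(String owner) {
        this(requireValid(owner), owner);
    }
    // The Void parameter exists only to force the check to run first.
    private CheckedAccount(Void checked, String owner) {
        this.owner = owner;
    }
    private static Void requireValid(String owner) {
        Objects.requireNonNull(owner, "owner");
        return null;
    }
}

// Alternative when subclassing is not needed: a final class cannot be
// extended, so no subclass finalizer can exist and the plain check suffices.
final class SealedAccount {
    private final String owner;
    public SealedAccount(String owner) {
        this.owner = Objects.requireNonNull(owner, "owner");
    }
}

public class Demo {
    public static void main(String[] args) {
        try {
            new CheckedAccount(null); // constructed input: null owner
        } catch (NullPointerException e) {
            System.out.println("rejected before Object(): " + e.getMessage());
        }
        new CheckedAccount("alice");  // valid input constructs normally
        new SealedAccount("bob");
    }
}
```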