Java Developer Tools

Audit - Rules - EJB

Description
This group contains audit rules that check for problems defining EJB Session Beans, Entity Beans and Message Beans.

Rules:

Details

'ANYONE' Method Permission

Summary
Method permission that grants access to the 'ANYONE' role should not be used.

Description
Method permission that grants access to the 'ANYONE' role usually indicates a loose system access design that was not thought through thoroughly enough.

Security Implications
Such a weak design can produce security holes that can be used by an attacker to access secured data.

Example
The following declaration would be flagged as a violation because it sets the 'ANYONE' role to a method access permission:

    <ejb-jar>
        <assembly-descriptor>
            <method-permission>
                <role-name>ANYONE</role-name>
                <method>
                    <ejb-name>Account</ejb-name>
                    <method-name>getBalance</method-name>
                </method>
            </method-permission>
        </assembly-descriptor>
    </ejb-jar>

Avoid Class Loaders in EJB

Summary
The enterprise bean must not attempt to create a class loader, obtain the current class loader, or set the context class loader.

Description
According to the EJB specification, the enterprise bean must not attempt to create a class loader, obtain the current class loader, or set the context class loader. These functions are reserved for the EJB container.

Security Implications
Allowing the enterprise bean to use these functions could compromise security and decrease the Container's ability to properly manage the runtime environment.

Example
The following code will be marked as a violation because it accesses a class loader in an EJB EntityBean:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            ClassLoader classLoader = MyBean.class.getClassLoader();
        }
        ...
    }

Avoid File IO in EJB

Summary
An enterprise bean must not use the java.io package to attempt to access files and directories in the file system.

Description
According to the EJB specification, an enterprise bean must not use the java.io package to attempt to access files and directories in the file system. The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data.

Example
The following code will be marked as a violation because it accesses a file loader in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            try {
                FileInputStream fis = new FileInputStream("test.txt");
                ...
        }
        ...
    }

Avoid GUI in EJB

Summary
An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard.

Description
According to the EJB specification, an enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard. Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system.

Example
The following code will be marked as a violation because it uses AWT GUI in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            Frame f = new Frame();
        }
        ...
    }

Avoid Loading Native Libraries

Summary
Try to avoid using native code in EJB context if possible.

Description
This audit rule looks for places where native libraries are loaded in EJB context.

Security Implications
Native code is vulnurable to a lot of native-level attacks like buffer overflow. Its usage in security-sensitive contexts should be avoided if possible.

Example
The following code will be marked as a violation because native libraries loaded in this case:

    public class ClassOne implements EntityBean {
        public void loadNative(){
            System.loadLibrary("Library Name");
        }
        ....
    }

Avoid Managing Threads

Summary
Managing threads manually can cause errors and unpredictable behavior of a container.

Description
Thread management in a J2EE environment is a responsibility of an application server. This rule looks for the direct usage and management of threads in J2EE SessionBeans and EntityBeans.

Security Implications
Managing threads manually can cause errors and unpredictable behavior of a container.

Example
The following code will be marked as a violation because it starts a new Thread in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            new Thread().start();
        }
        ...
    }

Avoid Passing this Reference as Argument

Summary
You should not pass a reference to this as an argument or as a return value in EJB context.

Description
This audit rule looks for a places in the code where a reference to this is returned or passed as an argument.

Security Implications
Direct passing of a reference to an EJB bean is an incorrect usage of EJB which could lead to security issues. Use `getEJBObject()' available in SessionContext or EntityContext instead. See "Programming restrictions on EJB" (http://www.javaworld.com/javaworld/jw-08-2000/jw-0825-ejbrestrict.html) for details.

Example
The following code will be marked as a violation because it attempts to return a this reference:

    public class ClassOne implements EntityBean {
        public EntityBean getBean(){
            return this;
        }
        ....
    }

Avoid Sockets in EJB

Summary
An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast.

Description
According to the EJB specification, an enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast. The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean - to serve the EJB clients.

Example
The following code will be marked as a violation because it attempts to accept a socket connection in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            try {
                ServerSocket ss = new ServerSocket(8080);
                ss.accept();
                ...
        }
        ...
    }

Avoid Synchronization in EJB

Summary
An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances.

Description
According to the EJB specification, an enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances. Synchronization would not work if the EJB container distributed the enterprise bean's instances across multiple JVMs.

Example
The following code will be marked as a violation because it uses synchronize mechanism in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            synchronize (this) {
                ...
            }
        }
        ...
    }

Bean Members Should Be Serializable

Summary
Members of beans should be marked as transient, static or should have accessors.

Description
This audit rule looks for bean members that are neither static, transient nor have acessors.

Security Implications
If a class is a bean, or is referenced by a bean directly or indirectly it needs to be serializable. Member variables need to be marked as transient, static, or have accessor methods in the class.

Example
The following declaraion of badFoo field will be marked as a violation because it is not static or transient and it does not have accessors:

    ....
    private transient int someFoo;
    private static int otherFoo;
    private int moreFoo;
    private int badFoo;
    ....
    private void setMoreFoo(int moreFoo) {
            this.moreFoo = moreFoo;
    }
    private int getMoreFoo() {
            return this.moreFoo;
    }

Do not Access/Modify Security Configuration Objects

Summary
Security policy should not be accessed or modified from EJB beans.

Description
This audit rule looks for code that accesses or modifies security objects in an EJB context.

Security Implications
The security of an application on the JVM execution level is implemented on a web application container level. Trying to manipulate it from inside the EJB code indicates a potentially dangerous approach to security of an application. An application should be reworked so that such access to security data is not required.

Example
The following code would be flagged as a violation because it modifies a security object:

    public class ClassOne implements EntityBean {
        public void access (){
            Policy.setPolicy(new MyPolicy());
        }
        ....
    }

Don't Instantiate Beans

Summary
The method instantiate() should not be used to instantiate beans.

Description
This audit rule looks for places where one of the instantiate() methods is being used to instantiate a bean.

Example
The following use of the instantiate() method would be flagged:

    newBean = Beans.instantiate(classLoader, className);

Entity Bean's Remote Interface

Summary
An Entity Bean exposed through a remote interface is a performance issue that should be avoided.

Description
In most cases, the definition of a remote entity bean is the result of an error in the container configuration and should be avoided.

Security Implications
An Entity bean exposed through a remote interface becomes accessible for an attacker that can use the performance issues that are caused by a remote entity bean to perform an attack on the server.

Example
The following code would be flagged as a violation because it declares a remote interface for an entity bean:

    <ejb-jar>
        <enterprise-beans>
            <entity>
                <ejb-name>AccountEntry</ejb-name>
                <home>com.somecorp.beans.account.AccountEntryHome</home>
                <remote>com.somecorp.beans.account.AccountEntry</remote>
                ...
            </entity>
            ...
        </enterprise-beans>
    </ejb-jar>

Entity Beans

Summary
Entity Beans should be properly defined.

Description
This audit rule finds problems with Entity Beans:
    - Entity bean should be declared public
    - Entity bean name should end with 'Bean'
    - Entity bean not implement a finalize() method
    - ejbCreate() method should be declared public
    - ejbCreate() method should not be declared as static or final
    - ejbCreate() method should be declared void
    - Entity bean should implement at least one ejbCreate() method
    - Entity bean should implement a no-argument constructor
    - One ejbPostCreate() method for each ejbCreate() method
    - ejbPostCreate() method should be declared public
    - ejbPostCreate() method should not be declared as static or final
    - ejbPostCreate() method should be declared void
    - ejbPostCreate() parameters should match ejbCreate() method
    - ejbPostCreate() name should match ejbCreate() name
    - ejbFind() method should be declared public
    - ejbFind() method should not be declared as static or final
    - ejbSelect() method should be declared public
    - ejbSelect() method should be declared abstract
    - ejbSelect() method should throw the javax.ejb.FinderException exception
    - ejbHome() method should be declared public
    - ejbHome() method should not be declared static
    - ejbHome() method should not throw the javax.ejb.RemoteException exception

JNDI Naming Standard

Summary
JNDI names should follow the specified standard.

Description
This rule finds JNDI names (within .xmi files) that do not conform to the specified standard.

Example
If the rule were configured to require JNDI names to start with a prefix of "ejb/com/myCompany" and have at least one segment representing a functional area, with "accounting" and "manufacturing" on the list, the name "SystemFacade" in the following JNDI name would be flagged as a violation:

    <ejbBindings jndiName="ejb/com/myCompany/SystemFacade" ...>

Message Beans

Summary
Message Beans should be properly defined.

Description
This audit rule finds problems with Message Beans:
    - Message bean should be declared public
    - Message bean should not be declared as abstract or final
    - Message bean name should end with 'Bean'
    - Message bean not implement a finalize() method
    - ejbCreate() method should be declared public
    - ejbCreate() method should not be declared as static or final
    - ejbCreate() method should be declared void
    - ejbCreate() method should not have any arguments
    - ejbCreate() method should not throw any exceptions
    - Message bean should implement an ejbCreate() method
    - Message bean should implement a no-argument constructor
    - ejbRemove() method should be declared public
    - ejbRemove() method should not be declared as static or final
    - ejbRemove() method should be declared void
    - ejbRemove() method should not have any arguments
    - ejbRemove() method should not throw any exceptions
    - Message bean should implement an ejbRemove() method
    - onMessage() method should be declared public
    - onMessage() method should not be declared as static or final
    - onMessage() method should be declared void
    - onMessage() method should have a single javax.jms.Message parameter
    - onMessage() method should not throw any exceptions
    - Message bean should implement an onMessage() method

Missing Error Page

Summary
Error page should handle any exception in a web application.

Description
This audit rule violates the web-app configuration file that does not declare a default error page, i.e. error page that catches all exceptions.

Security Implications
Exceptions thrown from a servlet usually end with a stack trace printed to the end user. This stack trace may contain details of your system's architecture that provide valuable information for the attacker. To prevent this, add a default error that handles any Throwable.

Example
The following web application declaration would be flagged as a violation because it does not handle any Throwable, including errors:

    <web-app>
        <error-page>
            <exception-type>java.io.IOException</exception-type>
            <location>/error.jsp</location>
        </error-page>
    </web-app>

No Explicit This Use in EJB's

Summary
Don't use the keyword "this" in EJB classes.

Description
This audit rule checks for EJB classes (subclasses of EnterpriseBean) that explicitly reference the bean using the keyword "this".

Example
The following return statement would be flagged as a violation:

    return this;

Realm Debug Enabled

Summary
In Tomcat 4.x and earlier versions JAAS Realm debug level of 3+ logs users' credentials.

Description
Tomcat realms log some information, its amount depending on the debug level regulated by the debug attribute. This audit rule violates declarations of debug attribute of values of 3 and higher for the JAAS <Realm> declarations in Tomcat server configurations.

Security Implications
For most realms, debug level of 2 and higher logs the username, but JAASRealm does also log the password when debug level is 3 or higher. Having the password logged in plain text is a security risk that should be avoided, attacker could access the log file and retrieve passwords.

Example
The following code declares a JAASRealm with a debug level of 3 and will be marked as a violation:

    <Realm className="org.apache.catalina.realm.JAASRealm" appName="MyFooRealm" userClassNames="org.foobar.realm.FooUser" roleClassNames="org.foobar.realm.FooRole" debug="99">

Session Beans

Summary
Session Beans should be properly defined.

Description
This audit rule finds problems with Session Beans:
    - Session bean should be declared public
    - Session bean should not be declared as abstract or final
    - Session bean name should end with 'Bean'
    - Session bean not implement a finalize() method
    - ejbCreate() method should be declared public
    - ejbCreate() method should not be declared as static or final
    - ejbCreate() method should be declared void
    - Session bean should implement at least one ejbCreate() method
    - Session bean should implement a no-argument constructor

Weblogic Session ID Length

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.