Java Developer Tools

Audit - Rules - EJB

Description
This group contains audit rules that check for problems defining EJB Session Beans, Entity Beans and Message Beans.

Rules:

Details

'ANYONE' Method Permission

Summary
Method permission that grants access to the 'ANYONE' role should not be used.

Description
Method permission that grants access to the 'ANYONE' role usually indicates a loose system access design that was not thought through thoroughly enough.

Security Implications
Such a weak design can produce security holes that can be used by an attacker to access secured data.

Example
The following declaration would be flagged as a violation because it sets the 'ANYONE' role to a method access permission:

    <ejb-jar>
        <assembly-descriptor>
            <method-permission>
                <role-name>ANYONE</role-name>
                <method>
                    <ejb-name>Account</ejb-name>
                    <method-name>getBalance</method-name>
                </method>
            </method-permission>
        </assembly-descriptor>
    </ejb-jar>

Avoid Class Loaders in EJB

Summary
The enterprise bean must not attempt to create a class loader, obtain the current class loader, or set the context class loader.

Description
According to the EJB specification, the enterprise bean must not attempt to create a class loader, obtain the current class loader, or set the context class loader. These functions are reserved for the EJB container.

Security Implications
Allowing the enterprise bean to use these functions could compromise security and decrease the Container's ability to properly manage the runtime environment.

Example
The following code will be marked as a violation because it accesses a class loader in an EJB EntityBean:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            ClassLoader classLoader = MyBean.class.getClassLoader();
        }
        ...
    }

Avoid File IO in EJB

Summary
An enterprise bean must not use the java.io package to attempt to access files and directories in the file system.

Description
According to the EJB specification, an enterprise bean must not use the java.io package to attempt to access files and directories in the file system. The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data.

Example
The following code will be marked as a violation because it accesses a file loader in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            try {
                FileInputStream fis = new FileInputStream("test.txt");
                ...
        }
        ...
    }

Avoid GUI in EJB

Summary
An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard.

Description
According to the EJB specification, an enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard. Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system.

Example
The following code will be marked as a violation because it uses AWT GUI in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            Frame f = new Frame();
        }
        ...
    }

Avoid Loading Native Libraries

Summary
Try to avoid using native code in EJB context if possible.

Description
This audit rule looks for places where native libraries are loaded in EJB context.

Security Implications
Native code is vulnurable to a lot of native-level attacks like buffer overflow. Its usage in security-sensitive contexts should be avoided if possible.

Example
The following code will be marked as a violation because native libraries loaded in this case:

    public class ClassOne implements EntityBean {
        public void loadNative(){
            System.loadLibrary("Library Name");
        }
        ....
    }

Avoid Managing Threads

Summary
Managing threads manually can cause errors and unpredictable behavior of a container.

Description
Thread management in a J2EE environment is a responsibility of an application server. This rule looks for the direct usage and management of threads in J2EE SessionBeans and EntityBeans.

Security Implications
Managing threads manually can cause errors and unpredictable behavior of a container.

Example
The following code will be marked as a violation because it starts a new Thread in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            new Thread().start();
        }
        ...
    }

Avoid Passing this Reference as Argument

Summary
You should not pass a reference to this as an argument or as a return value in EJB context.

Description
This audit rule looks for a places in the code where a reference to this is returned or passed as an argument.

Security Implications
Direct passing of a reference to an EJB bean is an incorrect usage of EJB which could lead to security issues. Use `getEJBObject()' available in SessionContext or EntityContext instead. See "Programming restrictions on EJB" (http://www.javaworld.com/javaworld/jw-08-2000/jw-0825-ejbrestrict.html) for details.

Example
The following code will be marked as a violation because it attempts to return a this reference:

    public class ClassOne implements EntityBean {
        public EntityBean getBean(){
            return this;
        }
        ....
    }

Avoid Sockets in EJB

Summary
An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast.

Description
According to the EJB specification, an enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast. The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean - to serve the EJB clients.

Example
The following code will be marked as a violation because it attempts to accept a socket connection in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            try {
                ServerSocket ss = new ServerSocket(8080);
                ss.accept();
                ...
        }
        ...
    }

Avoid Synchronization in EJB

Summary
An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances.

Description
According to the EJB specification, an enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances. Synchronization would not work if the EJB container distributed the enterprise bean's instances across multiple JVMs.

Example
The following code will be marked as a violation because it uses synchronize mechanism in an EJB context:

    public class MyBean implements EntityBean {
        public void ejbActivate() throws EJBException, RemoteException {
            synchronize (this) {
                ...
            }
        }
        ...
    }

Bean Members Should Be Serializable

Summary
Members of beans should be marked as transient, static or should have accessors.

Description
This audit rule looks for bean members that are neither static, transient nor have acessors.

Security Implications
If a class is a bean, or is referenced by a bean directly or indirectly it needs to be serializable. Member variables need to be marked as transient, static, or have accessor methods in the class.

Example
The following declaraion of badFoo field will be marked as a violation because it is not static or transient and it does not have accessors:

    ....
    private transient int someFoo;
    private static int otherFoo;
    private int moreFoo;
    private int badFoo;
    ....
    private void setMoreFoo(int moreFoo) {
            this.moreFoo = moreFoo;
    }
    private int getMoreFoo() {
            return this.moreFoo;
    }

Do not Access/Modify Security Configuration Objects

Summary
Security policy should not be accessed or modified from EJB beans.

Description
This audit rule looks for code that accesses or modifies security objects in an EJB context.

Security Implications
The security of an application on the JVM execution level is implemented on a web application container level. Trying to manipulate it from inside the EJB code indicates a potentially dangerous approach to security of an application. An application should be reworked so that such access to security data is not required.

Example
The following code would be flagged as a violation because it modifies a security object:

    public class ClassOne implements EntityBean {
        public void access (){
            Policy.setPolicy(new MyPolicy());
        }
        ....
    }

Entity Bean's Remote Interface

Summary
An Entity Bean exposed through a remote interface is a performance issue that should be avoided.

Description
In most cases, the definition of a remote entity bean is the result of an error in the container configuration and should be avoided.

Security Implications
An Entity bean exposed through a remote interface becomes accessible for an attacker that can use the performance issues that are caused by a remote entity bean to perform an attack on the server.

Example
The following code would be flagged as a violation because it declares a remote interface for an entity bean:

    <ejb-jar>
        <enterprise-beans>
            <entity>
                <ejb-name>AccountEntry</ejb-name>
                <home>com.somecorp.beans.account.AccountEntryHome</home>
                <remote>com.somecorp.beans.account.AccountEntry</remote>
                ...
            </entity>
            ...
        </enterprise-beans>
    </ejb-jar>

Missing Error Page

Summary
Error page should handle any exception in a web application.

Description
This audit rule violates the web-app configuration file that does not declare a default error page, i.e. error page that catches all exceptions.

Security Implications
Exceptions thrown from a servlet usually end with a stack trace printed to the end user. This stack trace may contain details of your system's architecture that provide valuable information for the attacker. To prevent this, add a default error that handles any Throwable.

Example
The following web application declaration would be flagged as a violation because it does not handle any Throwable, including errors:

    <web-app>
        <error-page>
            <exception-type>java.io.IOException</exception-type>
            <location>/error.jsp</location>
        </error-page>
    </web-app>

Realm Debug Enabled

Summary
In Tomcat 4.x and earlier versions JAAS Realm debug level of 3+ logs users' credentials.

Description
Tomcat realms log some information, its amount depending on the debug level regulated by the debug attribute. This audit rule violates declarations of debug attribute of values of 3 and higher for the JAAS <Realm> declarations in Tomcat server configurations.

Security Implications
For most realms, debug level of 2 and higher logs the username, but JAASRealm does also log the password when debug level is 3 or higher. Having the password logged in plain text is a security risk that should be avoided, attacker could access the log file and retrieve passwords.

Example
The following code declares a JAASRealm with a debug level of 3 and will be marked as a violation:

    <Realm className="org.apache.catalina.realm.JAASRealm" appName="MyFooRealm" userClassNames="org.foobar.realm.FooUser" roleClassNames="org.foobar.realm.FooRole" debug="99">

Weblogic Session ID Length

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.