CWE-575: EJB Bad Practices: Use of AWT Swing
Presentation Filter:
 DescriptionDescription Summary The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.
Extended Description The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard." The specification justifies this requirement in the following way: "Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system." Time of Introduction
Applicable PlatformsLanguages Java Common Consequences
Demonstrative ExamplesExample 1 The following Java example is a simple converter class for converting US dollars to Yen. This converter class demonstrates the improper practice of using a stateless session Enterprise JavaBean that implements an AWT Component and AWT keyboard event listener to retrieve keyboard input from the user for the amount of the US dollars to convert to Yen. (Bad Code) Example
Language: Java @Stateless public class ConverterSessionBean extends Component implements
KeyListener, ConverterSessionRemote { /* member variables for receiving keyboard input using AWT
API */
...
private StringBuffer enteredText = new StringBuffer();
/* conversion rate on US dollars to Yen */
private BigDecimal yenRate = new
BigDecimal("115.3100");
public ConverterSessionBean() {
super();
/* method calls for setting up AWT Component for
receiving keyboard input */
...
addKeyListener(this);
}
public BigDecimal dollarToYen(BigDecimal dollars) {
BigDecimal result = dollars.multiply(yenRate);
return result.setScale(2, BigDecimal.ROUND_DOWN);
}
/* member functions for implementing AWT KeyListener
interface */
public void keyTyped(KeyEvent event) {
...
}
public void keyPressed(KeyEvent e) {
}
public void keyReleased(KeyEvent e) {
}
/* member functions for receiving keyboard input and
displaying output */
public void paint(Graphics g) {...}
...
} This use of the AWT and Swing APIs within any kind of Enterprise JavaBean not only violates the restriction of the EJB specification against using AWT or Swing within an EJB but also violates the intended use of Enterprise JavaBeans to separate business logic from presentation logic. The Stateless Session Enterprise JavaBean should contain only business logic. Presentation logic should be provided by some other mechanism such as Servlets or Java Server Pages (JSP) as in the following Java/JSP example. (Good Code) Example
Language: Java @Stateless public class ConverterSessionBean implements
ConverterSessionRemoteInterface { /* conversion rate on US dollars to Yen */
private BigDecimal yenRate = new
BigDecimal("115.3100");
public ConverterSessionBean() {
}
/* remote method to convert US dollars to Yen */
public BigDecimal dollarToYen(BigDecimal dollars) {
BigDecimal result = dollars.multiply(yenRate);
return result.setScale(2, BigDecimal.ROUND_DOWN);
}
} (Good Code) Example
Language: JSP <%@ page import="converter.ejb.Converter, java.math.*,
javax.naming.*"%> <%! private Converter converter = null;
public void jspInit() {
try {
InitialContext ic = new InitialContext();
converter = (Converter)
ic.lookup(Converter.class.getName());
} catch (Exception ex) {
System.out.println("Couldn't create converter bean."+
ex.getMessage());
}
}
public void jspDestroy() {
converter = null;
}
%> <html> <head><title>Converter</title></head>
<body bgcolor="white">
<h1>Converter</h1>
<hr>
<p>Enter an amount to
convert:</p>
<form method="get">
<input type="text" name="amount"
size="25"><br>
<p>
<input type="submit"
value="Submit">
<input type="reset"
value="Reset">
</form>
<%
String amount = request.getParameter("amount");
if ( amount != null && amount.length()
> 0 ) {
BigDecimal d = new BigDecimal(amount);
BigDecimal yenAmount =
converter.dollarToYen(d);
%>
<p>
<%= amount %> dollars are <%=
yenAmount %> Yen.
<p>
<%
}
%>
</body>
</html> Potential Mitigations
Relationships
Taxonomy Mappings
Content History
More information is available — Please select a different filter. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Page Last Updated:
May 05, 2017
|
|
Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org. CWE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2006-2017, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. |
|
|
