EJB Bad Practices: Use of AWT Swing

The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.

  • Source

    CWE Catalog - 4.14

  • Identifier

    CWE-575

  • Status

    Draft

Contents

Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard." The specification justifies this requirement in the following way: "Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system."

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The following Java example is a simple converter class for converting US dollars to Yen. This converter class demonstrates the improper practice of using a stateless session Enterprise JavaBean that implements an AWT Component and AWT keyboard event listener to retrieve keyboard input from the user for the amount of the US dollars to convert to Yen.

@Stateless
public class ConverterSessionBean extends Component implements KeyListener, ConverterSessionRemote {


  /* member variables for receiving keyboard input using AWT API */

  ...
  private StringBuffer enteredText = new StringBuffer();

  /* conversion rate on US dollars to Yen */

  private BigDecimal yenRate = new BigDecimal("115.3100");

  public ConverterSessionBean() {

    super();
    /* method calls for setting up AWT Component for receiving keyboard input */

    ...
    addKeyListener(this);

  }

  public BigDecimal dollarToYen(BigDecimal dollars) {
    BigDecimal result = dollars.multiply(yenRate);
    return result.setScale(2, BigDecimal.ROUND_DOWN);
  }

  /* member functions for implementing AWT KeyListener interface */

  public void keyTyped(KeyEvent event) {
    ...
  }

  public void keyPressed(KeyEvent e) {
  }

  public void keyReleased(KeyEvent e) {
  }

  /* member functions for receiving keyboard input and displaying output */

  public void paint(Graphics g) {...}

  ...

}

This use of the AWT and Swing APIs within any kind of Enterprise JavaBean not only violates the restriction of the EJB specification against using AWT or Swing within an EJB but also violates the intended use of Enterprise JavaBeans to separate business logic from presentation logic.

The Stateless Session Enterprise JavaBean should contain only business logic. Presentation logic should be provided by some other mechanism such as Servlets or Java Server Pages (JSP) as in the following Java/JSP example.

@Stateless
public class ConverterSessionBean implements ConverterSessionRemoteInterface {


  /* conversion rate on US dollars to Yen */
  private BigDecimal yenRate = new BigDecimal("115.3100");

  public ConverterSessionBean() {
  }

  /* remote method to convert US dollars to Yen */

  public BigDecimal dollarToYen(BigDecimal dollars) {
    BigDecimal result = dollars.multiply(yenRate);
    return result.setScale(2, BigDecimal.ROUND_DOWN);
  }

}
<%@ page import="converter.ejb.Converter, java.math.*, javax.naming.*"%>
<%!

  private Converter converter = null;
  public void jspInit() {
    try {
      InitialContext ic = new InitialContext();
      converter = (Converter) ic.lookup(Converter.class.getName());
    } catch (Exception ex) {
      System.out.println("Couldn't create converter bean."+ ex.getMessage());
    }
  }
  public void jspDestroy() {
    converter = null;
  }


%>
<html>

  <head><title>Converter</title></head>
  <body bgcolor="white">

    <h1>Converter</h1>
    <hr>
    <p>Enter an amount to convert:</p>
    <form method="get">
      <input type="text" name="amount" size="25"><br>
      <p>
      <input type="submit" value="Submit">
      <input type="reset" value="Reset">
    </form>
    <%
      String amount = request.getParameter("amount");
      if ( amount != null && amount.length() > 0 ) {
        BigDecimal d = new BigDecimal(amount);
        BigDecimal yenAmount = converter.dollarToYen(d);


    %>
    <p>
    <%= amount %> dollars are <%= yenAmount %> Yen.
    <p>
    <%
      }

    %>

  </body>

</html>

See Also

Comprehensive Categorization: Poor Coding Practices

Weaknesses in this category are related to poor coding practices.

SFP Secondary Cluster: Use of an Improper API

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Weaknesses in Software Written in Java

This view (slice) covers issues that are found in Java programs that are not common to all languages.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.