EJB Bad Practices: Use of Sockets

The product violates the Enterprise JavaBeans (EJB) specification by using sockets.

  • Source

    CWE Catalog - 4.12

  • Identifier

    CWE-577

  • Status

    Draft

Contents

Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast." The specification justifies this requirement in the following way: "The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean-- to serve the EJB clients."

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The following Java example is a simple stateless Enterprise JavaBean that retrieves stock symbols and stock values. The Enterprise JavaBean creates a socket and listens for and accepts connections from clients on the socket.

@Stateless
public class StockSymbolBean implements StockSymbolRemote {


  ServerSocket serverSocket = null;
  Socket clientSocket = null;

  public StockSymbolBean() {

    try {
      serverSocket = new ServerSocket(Constants.SOCKET_PORT);
    } catch (IOException ex) {...}

    try {
      clientSocket = serverSocket.accept();
    } catch (IOException e) {...}

  }

  public String getStockSymbol(String name) {...}

  public BigDecimal getStockValue(String symbol) {...}

  private void processClientInputFromSocket() {...}

}

And the following Java example is similar to the previous example but demonstrates the use of multicast socket connections within an Enterprise JavaBean.

@Stateless
public class StockSymbolBean extends Thread implements StockSymbolRemote {


  ServerSocket serverSocket = null;
  Socket clientSocket = null;
  boolean listening = false;

  public StockSymbolBean() {

    try {
      serverSocket = new ServerSocket(Constants.SOCKET_PORT);
    } catch (IOException ex) {...}

    listening = true;
    while(listening) {
      start();
    }

  }

  public String getStockSymbol(String name) {...}

  public BigDecimal getStockValue(String symbol) {...}

  public void run() {
    try {
      clientSocket = serverSocket.accept();
    } catch (IOException e) {...}
    ...
  }


}

The previous two examples within any type of Enterprise JavaBean violate the EJB specification by attempting to listen on a socket, accepting connections on a socket, or using a socket for multicast.

See Also

Comprehensive Categorization: Poor Coding Practices

Weaknesses in this category are related to poor coding practices.

SFP Secondary Cluster: Use of an Improper API

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Weaknesses in Software Written in Java

This view (slice) covers issues that are found in Java programs that are not common to all languages.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.