Description
The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.
The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard." The specification justifies this requirement in the following way: "Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system."
Potential Impact
Scope: Other
Impact: Quality Degradation
Demonstrative Examples
Bad example: the session bean extends java.awt.Component and registers itself as a KeyListener so that it can read keyboard input and paint output directly, which the EJB specification forbids. The elided parts ("...") are as in the original.

```java
import java.awt.Component;
import java.awt.Graphics;
import java.awt.event.KeyEvent;
import java.awt.event.KeyListener;
import java.math.BigDecimal;
import java.math.RoundingMode;
import javax.ejb.Stateless;

@Stateless
public class ConverterSessionBean extends Component implements KeyListener, ConverterSessionRemote {
    /* member variables for receiving keyboard input using AWT API */
    ...
    private StringBuffer enteredText = new StringBuffer();

    /* conversion rate on US dollars to Yen */
    private BigDecimal yenRate = new BigDecimal("115.3100");

    public ConverterSessionBean() {
        super();
        /* method calls for setting up AWT Component for receiving keyboard input */
        ...
        addKeyListener(this);
    }

    public BigDecimal dollarToYen(BigDecimal dollars) {
        BigDecimal result = dollars.multiply(yenRate);
        return result.setScale(2, RoundingMode.DOWN);
    }

    /* member functions for implementing AWT KeyListener interface */
    public void keyTyped(KeyEvent event) {...}
    public void keyPressed(KeyEvent e) {}
    public void keyReleased(KeyEvent e) {}

    /* member functions for receiving keyboard input and displaying output */
    public void paint(Graphics g) {...}
    ...
}
```

Good example: the same conversion logic with all AWT code removed. The bean contains only business logic and exposes it through its remote interface.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import javax.ejb.Stateless;

@Stateless
public class ConverterSessionBean implements ConverterSessionRemoteInterface {
    /* conversion rate on US dollars to Yen */
    private BigDecimal yenRate = new BigDecimal("115.3100");

    public ConverterSessionBean() {}

    /* remote method to convert US dollars to Yen */
    public BigDecimal dollarToYen(BigDecimal dollars) {
        BigDecimal result = dollars.multiply(yenRate);
        return result.setScale(2, RoundingMode.DOWN);
    }
}
```

User interaction belongs in the client tier. The following JSP page looks the bean up through JNDI and calls dollarToYen(); the bean itself never touches a display or keyboard.

```jsp
<%@ page import="converter.ejb.Converter, java.math.*, javax.naming.*" %>
<%!
    private Converter converter = null;

    public void jspInit() {
        try {
            InitialContext ic = new InitialContext();
            converter = (Converter) ic.lookup(Converter.class.getName());
        } catch (Exception ex) {
            System.out.println("Couldn't create converter bean." + ex.getMessage());
        }
    }

    public void jspDestroy() {
        converter = null;
    }
%>
<html>
<head><title>Converter</title></head>
<body bgcolor="white">
<h1>Converter</h1>
<hr>
<p>Enter an amount to convert:</p>
<form method="get">
    <input type="text" name="amount" size="25"><br>
    <p>
    <input type="submit" value="Submit">
    <input type="reset" value="Reset">
</form>
<%
    String amount = request.getParameter("amount");
    if (amount != null && amount.length() > 0) {
        /* note: new BigDecimal(amount) throws NumberFormatException on non-numeric
           input, and the raw parameter is echoed below without HTML escaping;
           the example does not validate or encode it */
        BigDecimal d = new BigDecimal(amount);
        BigDecimal yenAmount = converter.dollarToYen(d);
%>
<p><%= amount %> dollars are <%= yenAmount %> Yen.<p>
<%
    }
%>
</body>
</html>
```

Mitigations & Prevention
Do not use AWT/Swing when writing EJBs. Keep the bean limited to business logic and put any user interaction in the client tier (a JSP, servlet or desktop client that calls the bean), as the corrected example above does.
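A build-time check that enforces this mitigation, as an added example that is not part of the CWE entry and not tooling from any EJB container. It is a heuristic regular-expression scan rather than a Java parser: a file counts as a bean if it carries a javax.ejb/jakarta.ejb annotation or package reference (beans declared only in an ejb-jar.xml deployment descriptor would need the descriptor parsed as well, which is not done here), and every line of such a file that references java.awt or javax.swing is reported. Comments and string literals are blanked out first so that a remark about removed AWT code does not trigger a finding. The three Java sources embedded below are constructed for the demonstration, trimmed from the page's bad and good beans plus a desktop client where Swing is legitimate.

```python
"""Heuristic source check for CWE-575: flag enterprise beans that reference AWT/Swing.

Added example, not part of the CWE entry. Regular-expression scan, not a Java
parser; recognises beans declared with javax.ejb / jakarta.ejb annotations only.
All Java sources in this module are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Annotations or package references that mark a class as an enterprise bean.
EJB_MARKERS = re.compile(
    r"@(?:Stateless|Stateful|Singleton|MessageDriven)\b"
    r"|\b(?:javax|jakarta)\.ejb\."
)
# Any reference to the AWT or Swing packages, imported or fully qualified.
GUI_PACKAGES = re.compile(r"\b(?:java\.awt|javax\.swing)\b")
# Line comments, block comments and string literals, blanked out before scanning.
NON_CODE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.DOTALL)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    text: str


def _blank(match: re.Match) -> str:
    # Replace the comment/string with spaces but keep its newlines so that
    # line numbers in the findings still refer to the original file.
    return re.sub(r"[^\n]", " ", match.group(0))


def scan_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per line of a bean source that references AWT/Swing.

    A file with no EJB marker yields no findings: AWT/Swing in a desktop
    client is not CWE-575, the rule applies to enterprise beans only.
    """
    code = NON_CODE.sub(_blank, source)
    if not EJB_MARKERS.search(code):
        return []
    original = source.splitlines()
    return [
        Finding(path, no, original[no - 1].strip())
        for no, line in enumerate(code.splitlines(), start=1)
        if GUI_PACKAGES.search(line)
    ]


def scan_tree(root: Path) -> list[Finding]:
    """Scan every .java file under root; usable as a CI gate (non-empty result = fail)."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*.java")):
        findings.extend(scan_source(str(path), path.read_text(encoding="utf-8")))
    return findings


# Constructed sample: the page's bad bean, trimmed. Lines 3-6 are the AWT imports.
BAD_BEAN = """\
package converter.ejb;

import java.awt.Component;
import java.awt.Graphics;
import java.awt.event.KeyEvent;
import java.awt.event.KeyListener;
import java.math.BigDecimal;
import javax.ejb.Stateless;

@Stateless
public class ConverterSessionBean extends Component implements KeyListener, ConverterSessionRemote {
    private StringBuffer enteredText = new StringBuffer();
    public ConverterSessionBean() { super(); addKeyListener(this); }
    public void keyTyped(KeyEvent event) { enteredText.append(event.getKeyChar()); }
    public void keyPressed(KeyEvent e) {}
    public void keyReleased(KeyEvent e) {}
    public void paint(Graphics g) { g.drawString(enteredText.toString(), 10, 10); }
}
"""

# Constructed sample: the corrected bean; the comment mentioning AWT must not trigger.
GOOD_BEAN = """\
package converter.ejb;

import java.math.BigDecimal;
import javax.ejb.Stateless;

// Display code removed: java.awt.Component and javax.swing are not allowed in a bean.
@Stateless
public class ConverterSessionBean implements ConverterSessionRemoteInterface {
    private BigDecimal yenRate = new BigDecimal("115.3100");
    public BigDecimal dollarToYen(BigDecimal dollars) { return dollars.multiply(yenRate); }
}
"""

# Constructed sample: a desktop client, where Swing is legitimate and not CWE-575.
DESKTOP_CLIENT = """\
import javax.swing.JFrame;

public class ConverterWindow extends JFrame {
    public ConverterWindow() { setTitle("Converter"); }
}
"""
```

Run scan_tree(Path("src/main/java")) in the build and fail it when the list is non-empty. Because any use of an AWT/Swing class needs either an import or a fully qualified name, flagging those lines is enough to catch the usage; the scanner does not try to resolve simple names such as Component after the import has already been reported.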
Related Weaknesses
Taxonomy Mappings
- Software Fault Patterns: SFP3 — Use of an improper API
Frequently Asked Questions
What is CWE-575?
CWE-575 (EJB Bad Practices: Use of AWT Swing) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.
How can CWE-575 be exploited?
CWE-575 is not a directly exploitable vulnerability. Its consequence is quality degradation: a bean that tries to write to a display or read from a keyboard through AWT depends on a server-side display and keyboard that most containers do not expose, so it fails or behaves differently from one container to another and is no longer portable. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-575?
Key mitigations include: Do not use AWT/Swing when writing EJBs.
What is the severity of CWE-575?
CWE-575 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.