logo

EJB Bad Practices: Use of Java I/O

Draft Variant
Structure: Simple
Description

The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

Extended Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system." The specification justifies this requirement in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data."
Common Consequences 1
Scope: Other

Impact: Quality Degradation
Potential Mitigations 1
Phase: Implementation
Do not use Java I/O when writing EJBs.
Demonstrative Examples 1
The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. In this example, the interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Java I/O API to retrieve the XML document from the local file system.

Code Example:

Bad
Java
java

/* get XML document from the local filesystem / interestRateFile = new File(Constants.INTEREST_RATE_FILE);

java
java
This use of the Java I/O API within any kind of Enterprise JavaBean violates the EJB specification by using the java.io package for accessing files within the local filesystem.
An Enterprise JavaBean should use a resource manager API for storing and accessing data. In the following example, the private member function getInterestRateFromXMLParser uses an XML parser API to retrieve the interest rates.

Code Example:

Good
Java
java

/* member function to retrieve interest rate from XML document using an XML parser API /

java
Applicable Platforms
Languages:
Java : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Use of Low-Level Functionality (CWE-695)
Taxonomy Mapping
  • Software Fault Patterns