Tag Archives: J2EE

IO Chokepoints: J2EE Filters

This is the first post in a series covering tactics for implementing input and output chokepoints in J2EE. My goal is to describe different techniques in separate posts and then summarize the tradeoffs involved in putting them in place in a final post. In this first post, I’ll show you how to setup a J2EE servlet filter to perform HTML escaping on multiple servlet-related input sources.

Consistency is important

With so many APIs and frameworks out there, there are many different ways to accomplish the same task. The problem is that each way (or method) usually exhibits different behavior when given malicious input. The challenge for us is to (1) find bad behavior in the APIs/frameworks we use, (2) apply fixes consistently, and (3) remember all of the ways things can go wrong. (1) is difficult but doable, (2) is more challenging, and (3) is arguably impossible for a person to do alone. The fact that APIs change frequently, even if changed for the better, exacerbates the problem because it’s costly to go back and consistently make changes across existing applications.

Mixing GET and POST request data

Are designs that mix GET and POST requests inherently flawed?

It’s common for J2EE developers to create designs that pass both GET and POST requests through a centralized processing pipe, as in the controller method below: [...]