logo

J2EE Bad Practices: Direct Use of Threads

Draft Variant
Structure: Simple
Description

Creating or managing threads directly within a J2EE application is a risky practice that violates the platform's standards and often leads to unstable applications.

Extended Description

Direct thread management in a J2EE environment is problematic because it bypasses the container's control, which is designed to manage resources and concurrency. This can cause unpredictable conflicts with the application server's own threading, leading to crashes, performance issues, and difficult-to-reproduce errors. Common bugs like deadlocks and race conditions become much harder to diagnose when they originate from custom threads instead of the container-managed ones. These flaws are tricky to find manually, especially in complex deployments. While SAST tools can flag the pattern, Plexicus uses AI to analyze the context and suggest specific, safe refactoring steps—such as replacing custom threads with JMS or the ManagedExecutorService—saving significant development time and preventing runtime instability.
Common Consequences 1
Scope: Other

Impact: Quality Degradation
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Architecture and Design
For EJB, use framework approaches for parallel execution, instead of using threads.
Demonstrative Examples 1
In the following example, a new Thread object is created and invoked directly from within the body of a doGet() method in a Java servlet.

Code Example:

Bad
Java
java

// Perform servlet tasks.* ...

java
java
References 1
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, and Gary McGraw
NIST Workshop on Software Security Assurance Tools Techniques and MetricsNIST
07-11-2005
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
ID: REF-6
Applicable Platforms
Languages:
Java : Undetermined
Modes of Introduction
Implementation
Affected Resources
  1. System Process
Related Weaknesses
ChildOf: Use of Low-Level Functionality (CWE-695)
Taxonomy Mapping
  • 7 Pernicious Kingdoms
  • Software Fault Patterns