logo

EJB Bad Practices: Use of AWT Swing

Draft Variant
Structure: Simple
Description

This vulnerability occurs when an Enterprise JavaBeans (EJB) component incorrectly uses AWT or Swing UI toolkits, violating the EJB specification's design principles.

Extended Description

The EJB specification explicitly prohibits beans from using AWT or Swing to handle user input or display output. This rule exists because EJB components are designed to run on application servers, which typically operate in headless environments without direct access to a keyboard, monitor, or graphical interface. Attempting to create UI elements in this context will fail or cause unpredictable behavior, breaking the application's portability across different EJB containers. For developers, this means all business logic within your EJB must remain separate from presentation-layer code. Instead of embedding AWT/Swing, user interactions should be handled by a dedicated client-tier application (like a web front-end or desktop client) that communicates with the EJB layer remotely. Adhering to this separation ensures your bean remains portable, scalable, and consistent with the server-side execution model intended for enterprise applications.
Common Consequences 1
Scope: Other

Impact: Quality Degradation
Potential Mitigations 1
Phase: Architecture and Design
Do not use AWT/Swing when writing EJBs.
Demonstrative Examples 1
The following Java example is a simple converter class for converting US dollars to Yen. This converter class demonstrates the improper practice of using a stateless session Enterprise JavaBean that implements an AWT Component and AWT keyboard event listener to retrieve keyboard input from the user for the amount of the US dollars to convert to Yen.

Code Example:

Bad
Java
java

/* member variables for receiving keyboard input using AWT API /

java
java

/* member functions for implementing AWT KeyListener interface /

java
java
This use of the AWT and Swing APIs within any kind of Enterprise JavaBean not only violates the restriction of the EJB specification against using AWT or Swing within an EJB but also violates the intended use of Enterprise JavaBeans to separate business logic from presentation logic.
The Stateless Session Enterprise JavaBean should contain only business logic. Presentation logic should be provided by some other mechanism such as Servlets or Java Server Pages (JSP) as in the following Java/JSP example.

Code Example:

Good
Java
java

/* conversion rate on US dollars to Yen / private BigDecimal yenRate = new BigDecimal("115.3100");

java
Code Example:
Good
JSP
jsp
     
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 Java : Undetermined 
  
  
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Implementation  
 
 
 
          
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Use of Low-Level Functionality (CWE-695) 
 
 
 
 
Taxonomy Mapping 
  • Software Fault Patterns