Several years ago, Sun Microsystems published Core J2EE Patterns: Best Practices and Design Strategies, by Deepak Alur, John Crupi, and Dan Malks. The book featured a collection of the most commonly occurring Java EE patterns, such as Intercepting Filter, Front Controller, and Session Facade. Since the book's publication, Java EE developers around the world have built applications that use the Core J2EE Patterns. Increasingly, developers have adopted open source frameworks that employ some of the Core J2EE Patterns such as Struts 1.x, Struts 2.x, Spring, and many others. Java EE frameworks, whether open source or proprietary, represent a major opportunity for application security. If we can secure these frameworks then we can start to make a major impact on application security in Java EE space. The problem is that securing the frameworks individually is time consuming and most security professionals have a tough time keeping up with the ongoing new Java technology explosion. We wrote the Security Analysis of the Core J2EE Patterns to address this problem. The analysis examines common security shortcomings and possible opportunities for implementing controls within the patterns rather than specific frameworks. For example, the ViewHelper pattern is the perfect place to add output encoding in order to mitigate cross site scripting; developers often forget to sufficiently authorize end users with Command objects in the Front Controller pattern; and developers should add protection against SQL injection in the Data Access Object pattern. The advice comes from years of examining large applications and noticing vulnerabilities occurring in the same patterns regardless of underlying web application framework.
A primary goal of the Security Analysis of Core J2EE Design Patterns project is to help framework developers make informed decisions about security. When the developers of the next Struts (or any other popular framework) begin design, we want them to address all the concerns raised in the paper so that people who use their framework will inherit many secure features by default and be able to add others with minimal configuration changes. It's important to recognize that this project does not overlap with Core Security Patterns. The book provides new patterns on how to develop security functions such as authentication and authorization whereas the Security Analysis of Core J2EE Design Patterns project analyzes existing patterns for security. Ultimately, we hope the pattern analysis spurs similar work on other popular patterns such as Martin Fowler's Patterns of Enterprise Application Architecture. We also hope people begin to analyze patterns in other popular domains such as scaffolding (e.g., Ruby on Rails), rich web client frameworks (e.g., Dojo), and messaging (e.g., Simple Object Access Protocol [SOAP] web services). By recognizing patterns and providing practical, positive security advice we can arm developers with the tools they need to build more secure frameworks from the start.