By Dave Jarvis | April 17, 2011 04:31 PM EDT
A problem has come to my attention over the last few years and I thought Java.net would be a good place to talk about it.
I have noticed that many reporting integrations use vendor-supplied examples verbatim. This is an issue.
With JasperReports (the Java-based reporting tool), the reports contain SQL code. That SQL code can tell a hacker a lot about the database (type, version, table names, column names, and such). This opens up an attack vector, and many people host their report files in the same directory as the web files.
Worse still, some people write JSPs with the database connection information (login, password, host name, database name) in plain text - inside the JSP files!
This needs to stop; sure, the code gets the job done, but no sane boss (if they understood the implications) would agree to publishing attack vectors on their web site.
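A defender-side check for the two problems described above, written as an added example that is not part of the original post and not the author's RIF library: it walks a web root and flags JRXML reports that carry SQL in their `<queryString>` element and JSPs that hand plaintext credentials to `DriverManager.getConnection`. The file names, SQL and credentials are constructed samples, and the temporary directory stands in for a real web root.

```python
import os
import re
import tempfile

# Constructed sample files, not taken from any real deployment.
SAMPLE_FILES = {
    "reports/sales.jrxml": (
        '<jasperReport name="sales">\n'
        '  <queryString language="SQL"><![CDATA[\n'
        '    SELECT c.name, o.total FROM customers c JOIN orders o ON o.cust_id = c.id\n'
        '  ]]></queryString>\n'
        '</jasperReport>\n'
    ),
    "report.jsp": (
        '<%@ page import="java.sql.*" %>\n'
        '<% Connection conn = DriverManager.getConnection(\n'
        '     "jdbc:postgresql://db.example.test/sales", "report_user", "hunter2"); %>\n'
    ),
    "index.jsp": "<html><body>Hello</body></html>\n",  # clean file, must not be flagged
}

# A JRXML query block, and a getConnection call with three string literals (url, user, password).
QUERY_RE = re.compile(r"<queryString\b.*?</queryString>", re.S | re.I)
CRED_RE = re.compile(r'getConnection\s*\([^)]*"[^"]+"\s*,\s*"[^"]+"\s*,\s*"[^"]+"', re.S)

def scan_webroot(root):
    """Return a sorted list of (relative path, finding) for files served from root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.lower().endswith(".jrxml") and QUERY_RE.search(text):
                findings.append((rel, "report with embedded SQL served from web root"))
            if name.lower().endswith(".jsp") and CRED_RE.search(text):
                findings.append((rel, "JSP with plaintext database credentials"))
    return sorted(findings)

def demo():
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan_webroot` at a real deployment directory to get the same list of (path, finding) pairs for that tree.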
Where would be a good place to talk about this issue on the Java.net website? Also, I have implemented an open source solution:
http://www.whitemagicsoftware.com/software/java/rif/
http://www.whitemagicsoftware.com/software/java/rif/api/
I have also written about the new integration at length; see Chapter 15 (free) of my eBook:
http://www.whitemagicsoftware.com/books/indispensable
You may contact me through my web form:
Copyright © 2011 SYS-CON Media, Inc. — All Rights Reserved.
Dave Jarvis has been developing software since 1981. He is animated by analytical thinking, inspired by Space Shuttle software, and a Jazz enthusiast. He understands that complex, poorly designed systems impede efficiency, eliminate possibilities, and are unreliable; when building software, he champions simplicity and ease of future enhancements.