EJB interceptors provide a way to define code that can be executed before and after a method call. They are typically used for logging, testing, auditing or security purposes.
Interceptor methods can be applied or bound at three levels:
If you want to declare these methods in an XML file, you must declare them in a file named ejb-jar.xml. Otherwise, they may not be
applied or used as intended.
If EJB interceptors are not applied or used as intended, inconsistent application behavior in the app business logic or security might happen.
Below are some real-world examples of this issue.
Interceptors declared outside of ejb-jar.xml may not be applied consistently across all EJBs. This can lead to unpredictable
application behavior, making debugging and maintaining the code difficult.
Interceptors often handle sensitive operations such as security checks or transaction management. If an interceptor is not applied due to incorrect
declaration, these operations may not be performed, leading to potential security vulnerabilities.
For example, if an interceptor responsible for
user authentication is not applied, unauthorized users may gain access to sensitive information.
Interceptors can also be used to improve application performance, for instance, by managing database transactions. If these interceptors are not applied, it could lead to performance issues, such as longer response times or increased server load.
This could open the way for efficient Denial of Service attacks.
<!-- ejb-interceptors.xml -->
<assembly-descriptor>
<interceptor-binding>
<ejb-name>*</ejb-name>
<interceptor-class>com.myco.ImportantInterceptor</interceptor-class> <!-- Noncompliant -->
</interceptor-binding>
</assembly-descriptor>
<!-- ejb-jar.xml -->
<assembly-descriptor>
<interceptor-binding>
<ejb-name>*</ejb-name>
<interceptor-class>com.myco.ImportantInterceptor</interceptor-class>
</interceptor-binding>
</assembly-descriptor>