界: Time and State
分散式運算與時間和狀態相關。也就是說,為了使多個元件進行通訊,必須共用狀態,並且這一切都需要時間。
大多數的程式設計師將他們的工作擬人化。他們想採用一種控制執行緒來執行整個程式,就像他們必須自己完成這項工作一樣。但是,現代的電腦可以非常快速地切換工作,並且在多核心多 CPU 或分散式系統中,兩個事件可能恰好同時發生。瑕疵急於填補程式設計師在程式執行模型與實際情況之間的差距。這些瑕疵與執行緒、處理序、時間和資訊之間的意外互動有關。這些互動透過共用狀態發生:信號、變數、檔案系統,以及基本上任何可以儲存資訊的項目。
J2EE Bad Practices: Non-Serializable Object Stored in Session
Abstract
將不可序列化的物件當作
HttpSession 屬性儲存,會破壞應用程式的可靠性。Explanation
為了提高應用程式的可靠性和性能,一個 J2EE 應用程式能利用多個 JVM。為使終端使用者把多個 JVM 看作單個應用程式,J2EE 容器可以在多個 JVM 之間複製
為了使階段作業複製能夠正常運作,應用程式在階段作業中儲存為屬性的值必須執行
範例 1:下面的這個類別會把自己增加至階段作業中,但由於物件是不可序列化的,因此不能複製此階段作業。
HttpSession 物件,所以當一個 JVM 不可用時,另一個 JVM 可以在不中斷應用程式流程的情況下接替它。為了使階段作業複製能夠正常運作,應用程式在階段作業中儲存為屬性的值必須執行
Serializable 介面。 範例 1:下面的這個類別會把自己增加至階段作業中,但由於物件是不可序列化的,因此不能複製此階段作業。
public class DataGlob {
String globName;
String globValue;
public void addToSession(HttpSession session) {
session.setAttribute("glob", this);
}
}
References
[1] The Java Servlet Specification Sun Microsystems
[2] The java.io.Serializable Interface Oracle
[3] MSC08-J. Do not store non-serializable objects as attributes in an HTTP session CERT
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 579
[9] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[14] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.java.j2ee_bad_practices_non_serializable_object_stored_in_session