Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What are the security concerns that I need to look out for with Java Persistence API (JPA)

Tags:

java

security

jpa

jakarta-ee

I'm starting to learn JPA, and I have a considerable amount of legacy EJB2.0 code that will need to be refactored to use the new features, as well as any new functionality that I will add to the code base. Are there new attack vectors that I will need to account for in my code, or will defensive programming cover me?

like image 888
bakoyaro Avatar asked Dec 13 '10 16:12

bakoyaro

People also ask

Which of the following is an implementation of the Java Persistence API JPA specifications?

JPA is a specification and several implementations are available. Popular implementations are Hibernate, EclipseLink and Apache OpenJPA. The reference implementation of JPA is EclipseLink.

Which of these methods can be used for persisting an object with JPA API?

You need to attach the entity to a persistence context so that it becomes managed and gets persisted in the database. You can either use JPA's persist or Hibernate's save method to do that.

What is persistence in Java explain in detail the persistence standards available in Java?

Persistence, in computer science, is a noun describing data that outlives the process that created it. Java persistence could be defined as storing anything to any level of persistence using the Java programming language, but obviously this would be too broad a definition to cover in a single book.

What is a powerful API that allow accessing persisting and managing data between Java classes and database tables?

The Java Persistence API (JPA), which is part of the Enterprise JavaBeans (EJB) 3.0 spec and is now the standard API for persistence and object/relational mapping for the Java EE platform, provides several advantages to Java developers for data-binding purposes.

1 Answers

JPA is like JDBC: a backend technology. The same security concerns that apply to JDBC apply to JPA. So most security consideration will be implemented on the application level or are handled by front end API’s. But indeed JPQL injection is an obvious ones you should be aware of.

JPQL injection:

Just like when using SQL or the JDBC API, you should never directly add your parameters to a query String. You should work with the setParameter on the Query object (applies to both adhoc and named queries) or you could use the JPA criteria API (although named queries offer the best performance). 

Query query = em.createQuery("DELETE Order WHERE customer = :customer");
query.setParameter("customer", customer);
query.executeUpdate();

Database rights:

For extra security, you could make multiple persistent units (PU) so the impact of any security breaches is limited. For example you could create multiple PU's with different database access rights: one with update rights and another with read only query access. Just realize that decisions like this will impact your application design.

like image 199
Kdeveloper Avatar answered Sep 28 '22 07:09

Kdeveloper
Sign in to Comment

Related questions

Short url or alias for deployed application in tomcat 6
difference between session expired and invalidated
Maps and strings in Drools rules
Persist java.util.Properties with Hibernate?
How to create a PKI in Java
HttpPost works in Java project, but not on Android
Performance issues when calling java.beans.Introspector.getBeanInfo after inactivity
Android - Multiple appWidgets playing different sounds
Maven Aggregate POM with Goal?
using Float numbers for the map's key
How to persist an object that has an enumeration field
How to programmatically logon to a URL, keep the session, and browse around to different pages
Calling a Servlet from a Java application
SELECT and DELETE
How do I copy part of one image to another?
Making threads work in proper way
Inject dependency into a taglib class?
Recursive function taking ages to run
What is the best pattern for managing multiple versions of the same dependency tree in Guice?
Why are you guaranteed to find your result if it is in the graph with BFS but not with DFS?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!