I'm starting to learn JPA, and I have a considerable amount of legacy EJB2.0 code that will need to be refactored to use the new features, as well as any new functionality that I will add to the code base. Are there new attack vectors that I will need to account for in my code, or will defensive programming cover me?
JPA is a specification and several implementations are available. Popular implementations are Hibernate, EclipseLink and Apache OpenJPA. The reference implementation of JPA is EclipseLink.
You need to attach the entity to a persistence context so that it becomes managed and gets persisted in the database. You can either use JPA's persist or Hibernate's save method to do that.
Persistence, in computer science, is a noun describing data that outlives the process that created it. Java persistence could be defined as storing anything to any level of persistence using the Java programming language, but obviously this would be too broad a definition to cover in a single book.
The Java Persistence API (JPA), which is part of the Enterprise JavaBeans (EJB) 3.0 spec and is now the standard API for persistence and object/relational mapping for the Java EE platform, provides several advantages to Java developers for data-binding purposes.
JPA is like JDBC: a backend technology. The same security concerns that apply to JDBC apply to JPA. So most security considerations will be implemented on the application level or are handled by front-end APIs. But indeed JPQL injection is an obvious one you should be aware of.
JPQL injection:
Just like when using SQL or the JDBC API, you should never directly add your parameters to a query String. You should work with the setParameter on the Query object (applies to both adhoc and named queries) or you could use the JPA criteria API (although named queries offer the best performance).
```java
// Portable JPQL bulk delete: DELETE FROM plus an identification variable,
// with the customer bound via setParameter rather than concatenated into the string.
Query query = em.createQuery("DELETE FROM Order o WHERE o.customer = :customer");
query.setParameter("customer", customer);
query.executeUpdate();
```
Database rights:
For extra security, you could make multiple persistence units (PUs) so the impact of any security breaches is limited. For example you could create multiple PUs with different database access rights: one with update rights and another with read-only query access. Just realize that decisions like this will impact your application design.
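The two points in the answer above, parameter binding against JPQL injection and splitting work across persistence units with different database rights, put together in one repository class. This is an added illustration, not code from the original answer; it assumes an `Order` entity with a `status` string field and a `customer` association to a `Customer` entity, and two hypothetical persistence units named `ordersReadOnly` and `ordersReadWrite`, declared in `persistence.xml` against database accounts holding SELECT-only and read/write privileges respectively.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.Query;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;

/**
 * Illustrative repository (added example, not from the original answer).
 * Assumes: entity Order with fields "status" (String) and "customer" (Customer),
 * and two hypothetical persistence units, "ordersReadOnly" and "ordersReadWrite".
 */
public class OrderRepository {

    // Hypothetical read-only PU: the database account behind it has SELECT only,
    // so even a successful injection through this manager cannot modify data.
    @PersistenceContext(unitName = "ordersReadOnly")
    private EntityManager readEm;

    // Hypothetical read-write PU, used only by the few methods that must mutate rows.
    @PersistenceContext(unitName = "ordersReadWrite")
    private EntityManager writeEm;

    /*
     * VULNERABLE (shown only for contrast): the caller-supplied status is spliced
     * into the JPQL string, so a crafted value becomes part of the query text
     * instead of a plain value. This is the pattern the answer warns against.
     */
    public List<Order> findByStatusUnsafe(String status) {
        String jpql = "SELECT o FROM Order o WHERE o.status = '" + status + "'";
        return readEm.createQuery(jpql, Order.class).getResultList();
    }

    // SAFE: named parameter. The provider binds the value; it is never parsed as JPQL.
    public List<Order> findByStatus(String status) {
        TypedQuery<Order> q = readEm.createQuery(
                "SELECT o FROM Order o WHERE o.status = :status", Order.class);
        q.setParameter("status", status);
        return q.getResultList();
    }

    // SAFE: Criteria API. The query is built as an object tree and the input is
    // attached as an explicit parameter, so there is no string to tamper with.
    public List<Order> findByStatusCriteria(String status) {
        CriteriaBuilder cb = readEm.getCriteriaBuilder();
        CriteriaQuery<Order> cq = cb.createQuery(Order.class);
        Root<Order> o = cq.from(Order.class);
        ParameterExpression<String> p = cb.parameter(String.class, "status");
        cq.select(o).where(cb.equal(o.get("status"), p));
        return readEm.createQuery(cq).setParameter("status", status).getResultList();
    }

    // SAFE: the bulk delete from the answer, routed through the read-write unit only.
    public int deleteForCustomer(Customer customer) {
        Query q = writeEm.createQuery("DELETE FROM Order o WHERE o.customer = :customer");
        q.setParameter("customer", customer);
        return q.executeUpdate();
    }
}
```

The `javax.persistence` package names match the EJB 3.0-era JPA the question refers to; under Jakarta EE 9 and later the same classes live in `jakarta.persistence`. Keeping the read-only `EntityManager` as the default for query methods means a mistake like `findByStatusUnsafe` is still bounded by the database grants of that unit, which is exactly the "limit the impact" effect the answer describes.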