Saving the World from Bad Beans
Dave Clarke, Utrecht
Michael Richmond, IBM ARC
James Noble, VUW
Enterprise Java Beans
• Component architecture for large-scale server-side computing
• Individual third-party components - Beans
• Large, complex environment - Server
• Server integrity depends upon beans being well-behaved, obeying coding guidelines
• What about Bad Beans?
EJB Lifecycle
EJB Structure and Containment
EJB Structure
• EJB Object (EJB)
– Provides business functionality
• EJB Interface (EJBObject)
– Mediates access to EJB
• Container
– Offers server functions to Beans
• Helper — aggregate subsidiary object
• Transfer — moves data between EJBs
EJB Interobject References
EJB Interface and Container
• EJB Interface and Container
– Collaborate to provide services to beans
– Security
– Transactions
– Persistence
• EJB Architectural Assumption
– All access to EJB Object is via EJB Interface
– EJB Object contained within EJB Interface
– Confinement breach breaks architecture
Bad Bean Breaches Confinement
public class CartBean implements SessionBean {
    protected SessionContext context;

    // Called once by container during Bean creation
    public void setSessionContext(SessionContext ctx) {
        this.context = ctx;
    }
    // correct way to return reference to Bean
    public CartEJBI goodReturn() {
        return (CartEJBI) context.getEJBObject();
    }

    // incorrect way to return reference to Bean
    public CartEJBI badReturn() {
        return (this);
    }
}
• Naïve class verification is not enough!
class BadBean implements SessionBean {
    public Object exposeMyself() { return (Object) this; }

    Mole OopsIDidItAgain() { return new Mole(this); }
}
Confinement Checking
Confinement Checkers Prevent Exposure
• Unit of confinement: Bean Instance
– Inside: EJB Object, Helpers
– Boundary: EJB Interface
– Outside: everything else
– Transfer objects may cross the boundary
• Subject to restrictions
• Server checks confinement during deployment
Confined Bean Constraints
• CB1 Classes implementing EnterpriseBean, and all Helper classes, are confined. Classes extending boundary interfaces are on the boundary.
• CB2 No confined type can appear in the signature of a boundary method, nor in static fields, nor as an exception.
• CB3 A confined type cannot be cast to a non-confined type.
• CB4 A non-confined type cannot be cast to a confined type.
• CB5 Fields, methods, and statics of non-confined classes having confined type are not accessible in confined code. Exceptions cannot be caught at confined types.
• CB6 A confined class may only extend another confined class or java.lang.Object
• Reflects guidelines in EJB specification
• Reflection and native methods ignored
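A reflection-based sketch of the CB2 check on a boundary interface, using the CB1 definition of "confined". This is an added example, not the authors' SOOT-based tool: the `EnterpriseBean` and `EJBObject` interfaces are stand-ins for the `javax.ejb` types, the Cart classes are constructed samples, and the static-field part of CB2 is left out. CB3/CB4 concern casts inside method bodies, which reflection cannot see; that is why a real checker has to analyse bytecode.

```java
import java.lang.reflect.Method;
import java.util.*;

public class Cb2Check {
    // Stand-ins (assumptions) for javax.ejb.EnterpriseBean and javax.ejb.EJBObject.
    interface EnterpriseBean {}
    interface EJBObject {}

    // Constructed sample: one confined bean, one helper, one boundary interface.
    static class CartHelper {}
    static class CartBean implements EnterpriseBean {}
    interface CartEJBI extends EJBObject {
        String itemName(int index);      // fine: no confined types
        CartBean returnAsCartBean();     // CB2: confined return type
        void merge(CartHelper other);    // CB2: confined parameter type
    }

    // CB1: bean classes and declared helper classes are confined.
    static boolean confined(Class<?> t, Set<Class<?>> helpers) {
        while (t.isArray()) t = t.getComponentType();  // CartBean[] leaks too
        return EnterpriseBean.class.isAssignableFrom(t) || helpers.contains(t);
    }

    // CB2: no confined type in a boundary method's return, parameters or throws.
    static List<String> checkBoundary(Class<?> boundary, Set<Class<?>> helpers) {
        List<String> violations = new ArrayList<>();
        for (Method m : boundary.getMethods()) {
            if (confined(m.getReturnType(), helpers))
                violations.add(m.getName() + ": confined return type");
            for (Class<?> p : m.getParameterTypes())
                if (confined(p, helpers))
                    violations.add(m.getName() + ": confined parameter type");
            for (Class<?> e : m.getExceptionTypes())
                if (confined(e, helpers))
                    violations.add(m.getName() + ": confined exception type");
        }
        Collections.sort(violations);  // getMethods() order is unspecified
        return violations;
    }

    public static void main(String[] args) {
        Set<Class<?>> helpers = Set.of(CartHelper.class);
        List<String> v = checkBoundary(CartEJBI.class, helpers);
        v.forEach(s -> System.out.println("[check] " + s));
        System.out.println(v.isEmpty() ? "Deployment allowed" : "Deployment failed");
    }
}
```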
Checking Tool
• We built a tool based on SOOT
• Checks Bean class files at deployment time
[dc] Processing class: mar.basicfail.SampleEJBI
[dc] Class is on boundary - proceeding with boundary checks
[dc] Boundary class has confined in interface (CB2).
[dc] Offending Method (in return type): returnAsSessionBean
[dc] Boundary class has confined in interface (CB2).
[dc] Offending Method (in return type): returnAsSampleEJB
[dc] Return statement violates CB3/4
[dc] Value type = mar.basicfail.SampleEJB
[dc] Return type = java.lang.Object
[dc] Offending statement: return r0
[dc]
[dc] Deployment failed!!!
Testing Existing Beans
But can you use this on real Beans?
• We tested this on a range of sample Beans
• Case study: 15 Beans
– All beans passed except one (see the paper)
But is this fast enough for production servers?
– 1.3-6.5s per bean
– Bean deployment is 10 times as expensive!
– Our prototype implementation does not share effort with the server
Evaluation
• Simple for developers and EJB architecture
– No change to development environment
– No change to EJB architecture
– No runtime costs
• Asymmetric — only checks confined code
• Parametric Polymorphism (e.g. Collections)
– But need bytecode support (e.g. .Net)
• More sophisticated analyses
– Harder for developers to understand
– Bean correctness should not depend upon strength of analysis
Confinement and Ownership
       | Per Package    | Per Class             | Per Object          | Per Object Nested
Ad-hoc | Confined Types | Sandwich Types        | Confined Beans      | ?
Types  | OGJ Package    | Universes, OGJ Static | (Shallow) AliasJava | (Deep) Joe, OGJ, Boyapati et al
Conclusion
• EJBs are susceptible to confinement errors
– Direct references bypass the EJBInterface
• Confinement checking prevents these errors
– Check server side, at deployment time
– Fast and efficient checker
• Empirical testing
– Existing well-written EJBs will pass the test
– Pragmatic customisation via Transfer objects
Credits
• Department of Computer Science, Purdue
• DARPA F33615-01-C-1894
• Royal Society of New Zealand Marsden Fund
• Ward 16 Wellington Hospital