= Report Integration Security =
This article describes potential security holes when integrating reports with any web development framework. Many such integrations based on JSP or JSF technology have two dangerous security flaws:
* Connection Credentials
* SQL Statements
== Connection Credentials ==
Across various websites, forum questions demonstrate JSP and JSF integrations by including code similar to the following:
String url = "jdbc:sqlserver://localhost:1433;DatabaseName=MIDAS10DB";
Connection c = DriverManager.getConnection( url, "username", "password" );
Although reporting software needs a database connection, storing the user name and password in a JSP or JSF page is not a good idea. An inappropriately configured web server, or even a software bug, could accidentally expose the user name and password to any web site visitor.
== SQL Statements ==
JasperReports uses compiled report templates ('''.jasper''' files) to generate the final report, such as a PDF. These templates contain SQL statements. If a malicious hacker were to download the report template directly, it would expose a database attack vector.
SQL statements often leverage database-specific features. By examining the SQL, a sufficiently knowledgeable hacker can make an educated guess on the back-end database and possibly its version. This can indirectly expose other information, such as the web server's operating system. (For example, if the SQL uses Microsoft Access features, then chances are the operating system is Windows-based.)
Most systems store '''.jrxml''' and '''.jasper''' report template files in the same directory as the JSP or JSF files, potentially allowing them to be downloaded. Avoid this situation when deploying report templates.
== Solutions ==
The solution for the second problem is easy: store the report template files outside of the web server's directory.
The solution for the first problem is not simple. I have written a development framework that abstracts how the database connection is established. The implementation uses JNDI, but could equally leverage a different technology without requiring any changes to the web application.
Read Chapter 15 (available for free) of ''Indispensable'' to see how it works: