Indispensable - JasperReports, iReport, and R

A problem has come to my attention over the last few years and I thought Java.net would be a good place to talk about it.

I have noticed that many reporting integrations use vendor-supplied examples verbatim. This is an issue.

With JasperReports (the Java-based reporting tool), the reports contain SQL code. That SQL code can tell an attacker a lot about the database (type, version, table names, column names, and so on). This opens up an attack vector, because many people host their report files in the same directory as the web files, where anyone can download them.

Worse still, some people write JSPs with the database connection information (login, password, host name, database name) in plain text - inside the JSP files!

This needs to stop; sure, the code gets the job done, but no sane boss (if they understood the implications) would agree to publishing attack vectors on their web site.
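As an added example (not code from this article or from the author's RIF library), here is a servlet that shows the hardened integration the post argues for: the .jrxml stays under WEB-INF, which the servlet container never serves to clients, and the database credentials come from a container-managed JNDI DataSource rather than a JSP. The servlet name, report path and JNDI name are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import net.sf.jasperreports.engine.JRException;
import net.sf.jasperreports.engine.JasperCompileManager;
import net.sf.jasperreports.engine.JasperExportManager;
import net.sf.jasperreports.engine.JasperFillManager;
import net.sf.jasperreports.engine.JasperPrint;
import net.sf.jasperreports.engine.JasperReport;

// Added example (hypothetical servlet, not from the article): the report
// definition and the credentials are both kept out of reach of web clients.
public class SalesReportServlet extends HttpServlet {
    // The .jrxml lives under WEB-INF, which the container never serves directly,
    // so the SQL inside it cannot be fetched with a browser. (Assumed path.)
    private static final String REPORT_PATH = "/WEB-INF/reports/sales.jrxml";

    // Credentials come from the container's JNDI configuration (e.g. Tomcat's
    // context.xml), never from a JSP, a class file, or the web root. (Assumed name.)
    private static final String DATASOURCE_JNDI = "java:comp/env/jdbc/ReportsDS";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try (InputStream jrxml = getServletContext().getResourceAsStream(REPORT_PATH)) {
            if (jrxml == null) {
                throw new ServletException("Report definition missing: " + REPORT_PATH);
            }
            DataSource ds = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI);
            JasperReport report = JasperCompileManager.compileReport(jrxml);
            Map<String, Object> params = new HashMap<>();
            try (Connection conn = ds.getConnection()) {
                JasperPrint filled = JasperFillManager.fillReport(report, params, conn);
                resp.setContentType("application/pdf");
                JasperExportManager.exportReportToPdfStream(filled, resp.getOutputStream());
            }
        } catch (NamingException | SQLException | JRException e) {
            throw new ServletException("Report generation failed", e);
        }
    }
}
```

In production, compile the .jrxml once at startup (or deploy a precompiled .jasper under WEB-INF) rather than on every request; the placement under WEB-INF is what matters for exposure.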

Where would be a good place to talk about this issue on the Java.net website? Also, I have implemented an open source solution:

http://www.whitemagicsoftware.com/software/java/rif/

http://www.whitemagicsoftware.com/software/java/rif/api/

I have also written about the new integration at length; see Chapter 15 (free) of my eBook:

http://www.whitemagicsoftware.com/books/indispensable

You may contact me through my web form:

http://www.whitemagicsoftware.com/contact.shtml

Dave Jarvis has been developing software since 1981. He is animated by analytical thinking, inspired by Space Shuttle software, and a Jazz enthusiast. He understands that complex, poorly designed systems impede efficiency, eliminate possibilities, and are unreliable; when building software, he champions simplicity and ease of future enhancements.