ABSTRACT

Database connections stored in static fields will be shared between threads.

EXPLANATION

A transactional resource object such as a database connection can only be associated with one transaction at a time. If two threads share the same connection, their work is committed or rolled back as a single unit, so one thread's commit can persist the other's half-finished changes and one thread's rollback can discard the other's completed work. For this reason, a connection should not be shared between threads and should not be stored in a static field. See Section 4.2.3 of the J2EE Specification for more details.

Example 1:


import java.sql.Connection;

public class ConnectionManager {

    // The connection is created once and shared by every thread that
    // uses ConnectionManager, so concurrent transactions collide on it.
    private static Connection conn = initDbConn();
    ...
}
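A corrected form of the class above, as an added example and not code from the original page: the static field holds a thread-safe DataSource (normally a container-managed pool) instead of a Connection, and each unit of work borrows its own connection and returns it when finished. The JNDI name, the orders table and the use of Java 7 try-with-resources are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class ConnectionManager {

    // A DataSource is designed to be shared: it hands out a separate
    // Connection per caller, so a static reference to it is safe.
    // The JNDI name is an assumed placeholder for this example.
    private static final DataSource dataSource =
            lookupDataSource("java:comp/env/jdbc/AppDS");

    private static DataSource lookupDataSource(String jndiName) {
        try {
            Context ctx = new InitialContext();
            return (DataSource) ctx.lookup(jndiName);
        } catch (NamingException e) {
            throw new IllegalStateException("DataSource not bound: " + jndiName, e);
        }
    }

    // Each call obtains its own Connection and closes it on exit, so no
    // two threads (and no two transactions) ever share one connection.
    // The orders table is a constructed example schema.
    public static int countOrders(String customerId) throws SQLException {
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "SELECT COUNT(*) FROM orders WHERE customer_id = ?")) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```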

REFERENCES

[1] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3630.1 CAT II

[2] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 362, CWE ID 567

[3] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 362

[4] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 362

[5] Java 2 Platform Enterprise Edition Specification, v1.4, Sun Microsystems