Socket-based communication in web applications is error-prone, and the errors tend to be security errors.
The J2EE standard permits the use of sockets only for communication with legacy systems, and only when no higher-level protocol is available. Opening a raw socket means authoring your own communication protocol, which requires wrestling with difficult security issues, including:
- In-band versus out-of-band signaling (when control information and user data share one channel, user data can be crafted to look like control information)
- Compatibility between protocol versions (each peer must reject messages it does not understand rather than guess at them)
- Channel security (confidentiality, integrity and peer authentication on the wire)
- Error handling (malformed input, truncated messages and stalled peers must fail safely)
- Network constraints (firewalls and proxies that pass HTTP but not arbitrary ports)
- Session management (how a peer is authenticated and how that authentication is bound to subsequent messages)
Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems.
Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address the security concerns of implementing a standard protocol, these resources are also available to attackers, who can use them to find the places where an implementation deviates from the specification.
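The following is an added example, not code from the original rule description or from the J2EE specification, that shows the pattern this rule flags beside a version that addresses the issues listed above. The legacy "LOOKUP" command protocol, the host and port, and the account-id format are all hypothetical; the point is how much protocol design the plain-socket version silently skips.

```java
import java.io.BufferedReader;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LegacyLookupClient {

    /* Before: plaintext socket and an ad-hoc, newline-delimited command protocol
       (hypothetical legacy "LOOKUP" service). This is the shape the rule flags. */
    static String lookupUnsafe(String host, int port, String accountId) throws IOException {
        try (Socket s = new Socket(host, port)) {
            DataOutputStream out = new DataOutputStream(s.getOutputStream());
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1));
            // In-band signalling: "\n" ends a command, and nothing stops accountId from
            // containing one. accountId = "42\nTRANSFER 42 999 100000" makes the legacy
            // system execute two commands. No TLS: request and reply cross the network in
            // the clear. No timeout: a stalled legacy host pins a container thread forever.
            out.write(("LOOKUP " + accountId + "\n").getBytes(StandardCharsets.ISO_8859_1));
            out.flush();
            return in.readLine();
        }
    }

    private static final Pattern ACCOUNT_ID = Pattern.compile("[0-9]{1,12}"); // assumed format
    private static final int MAX_FRAME = 64 * 1024;
    private static final int PROTOCOL_VERSION = 1;

    /* After: same legacy system, with the protocol pinned down before the socket is opened. */
    static byte[] lookupSafe(String host, int port, String accountId) throws IOException {
        // 1. Validate the only caller-controlled field before it gets anywhere near the wire.
        if (!ACCOUNT_ID.matcher(accountId).matches()) {
            throw new IllegalArgumentException("account id must be 1-12 digits");
        }
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) factory.createSocket(host, port)) {
            // 2. Channel security: TLS, with the server certificate checked against the hostname.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            // 3. Error handling: a silent peer becomes an IOException, not a hung thread.
            s.setSoTimeout(5_000);
            s.startHandshake();

            DataOutputStream out = new DataOutputStream(s.getOutputStream());
            DataInputStream in = new DataInputStream(s.getInputStream());

            // 4. Out-of-band framing: a version byte and a length prefix, so payload bytes
            //    can never be read as protocol structure, whatever they contain.
            byte[] payload = ("LOOKUP " + accountId).getBytes(StandardCharsets.UTF_8);
            out.writeByte(PROTOCOL_VERSION);
            out.writeInt(payload.length);
            out.write(payload);
            out.flush();

            // 5. Version compatibility and bounds: reject unknown versions and oversized replies.
            int version = in.readUnsignedByte();
            if (version != PROTOCOL_VERSION) {
                throw new IOException("unsupported protocol version " + version);
            }
            int len = in.readInt();
            if (len < 0 || len > MAX_FRAME) {
                throw new IOException("reply frame too large: " + len);
            }
            byte[] reply = new byte[len];
            in.readFully(reply);
            return reply;
        }
    }
}
```

Even the hardened version still leaves session management unaddressed: TLS authenticates the server to the client, but nothing here authenticates the web application to the legacy system or binds a sequence of commands to a principal. That remaining work, and the fact that the firewall between the two tiers now needs a hole for the custom port, is why the standard steers toward an existing higher-level protocol (for example HTTPS or JMS) whenever one is available.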
[1] Standards Mapping - Common Weakness Enumeration (CWE): CWE ID 246
[2] Java 2 Platform Enterprise Edition Specification, v1.4, Sun Microsystems