Servlets are written by many different authors, yet they all run on the server machine, using its resources, under the control of the web server. So, before installing a servlet in the web server, make sure that it comes from a trusted source, and impose access restrictions on it according to how far that source is trusted.
The concept of a sandbox can be applied here. A sandbox is a restricted environment in which servlets run with only the permissions they have explicitly been granted (for example, which files they may read or write and which network hosts they may connect to). The administrator of the web server decides which servlets are given which permissions, so that a careless or malicious servlet cannot compromise the system's security. In Java this is done by running the server under a security manager and granting permissions per code base in its policy file.
In addition to these deployment-time issues, the author of a servlet should keep the following points in mind:
- Take sufficient care when writing file upload code. If it is not implemented carefully, users can fill the server's hard disk by uploading very large files (or a great many of them). Limit the size of each uploaded file and of the whole request, and abort the transfer as soon as a limit is exceeded.
- Review any code that accesses files or the database based on user input. For example, never build an SQL statement by concatenating user input into the query string, since that allows users to execute arbitrary SQL commands; a crafted value can delete database tables. Bind user input as query parameters (PreparedStatement) instead, and check that a user-supplied file name cannot escape the directory it is meant to stay in.
- Make sure that each request comes from an authenticated and authorized user. Do not treat the mere existence of a session attribute as proof of login; check the principal that the container authenticated and the roles it holds.
- Make sure that you have not called System.exit() anywhere in your program. A servlet runs inside the web server's own JVM, so this terminates the whole web server, not just your servlet.
- Do not display sensitive parameter values (for example passwords or session identifiers) in the web page, including in error messages.
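The following servlet illustrates the file upload point above. It is an added example, not code from the book: the storage directory, the 5 MiB limit and the part name "file" are assumptions. The container enforces the @MultipartConfig limits before the servlet runs, and the servlet counts bytes itself while streaming the part to disk so that an oversized upload is cut off and its partial file removed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.UUID;

import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Container-enforced limits (Servlet 3.0): a part larger than maxFileSize or a
// request larger than maxRequestSize is rejected before the body reaches our code.
@WebServlet("/upload")
@MultipartConfig(
        fileSizeThreshold = 64 * 1024,     // buffer up to 64 KiB in memory, then spill to a temp file
        maxFileSize = 5L * 1024 * 1024,    // 5 MiB per uploaded part
        maxRequestSize = 6L * 1024 * 1024) // 6 MiB for the whole multipart request
public class UploadServlet extends HttpServlet {

    // Hypothetical storage directory (assumption). It lies outside the web
    // application's document root so uploaded content is never served as-is.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");
    private static final long MAX_BYTES = 5L * 1024 * 1024;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part;
        try {
            part = req.getPart("file");
        } catch (IllegalStateException tooLarge) {
            // The container throws this when the @MultipartConfig limits are exceeded.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        if (part == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing file part");
            return;
        }

        // Never use the client-supplied file name as a path: it may contain
        // "../" or an absolute path. Generate the name on the server instead.
        Path target = UPLOAD_DIR.resolve(UUID.randomUUID().toString() + ".bin");

        // Stream the body with our own byte counter as a second line of defence
        // (for example if the annotation is later loosened): the copy aborts and
        // the partial file is deleted as soon as the cap is hit.
        long written = 0;
        try (InputStream in = part.getInputStream();
             OutputStream out = Files.newOutputStream(target,
                     StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                written += n;
                if (written > MAX_BYTES) {
                    throw new IOException("upload exceeds " + MAX_BYTES + " bytes");
                }
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            Files.deleteIfExists(target);
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        } finally {
            part.delete(); // release the container's temporary copy
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("stored " + written + " bytes");
    }
}
```

Per-request limits alone do not stop a user from filling the disk with many small uploads; a per-user quota checked before the copy starts is still needed, and is left out here because it depends on the application's storage model.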
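The next servlet illustrates the three remaining points together: authorization that does not depend on a session attribute, database access with a bound parameter instead of string concatenation, and file access confined to a fixed directory. It is an added example, not the book's code; the report directory, the reports table and its columns, the JNDI name of the DataSource and the "auditor" role are all assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet("/report")
public class ReportServlet extends HttpServlet {

    // Hypothetical report directory (assumption); every served file must stay under it.
    private static final Path REPORT_DIR =
            Paths.get("/var/app/reports").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authentication: use the principal the container established at login,
        //    not the presence of some session attribute another handler may have set.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String name = req.getParameter("name");
        if (name == null || name.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 2. Database: bind the user input as a parameter. The unsafe form,
        //      "SELECT owner FROM reports WHERE file_name = '" + name + "'",
        //    lets a value such as  x' OR '1'='1  change the meaning of the query
        //    and, where the driver allows several statements in one call, a value
        //    such as  x'; DROP TABLE reports; --  deletes the table. A bound
        //    parameter is only ever treated as data.
        String owner;
        try (Connection conn = lookupDataSource().getConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "SELECT owner FROM reports WHERE file_name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                    return;
                }
                owner = rs.getString("owner");
            }
        } catch (SQLException | NamingException e) {
            log("report lookup failed", e); // server-side log only; never echo driver messages
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        // 3. Authorization: being logged in is not enough. The caller must own the
        //    report or hold the (assumed) "auditor" role declared in web.xml.
        if (!owner.equals(user.getName()) && !req.isUserInRole("auditor")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 4. File access: resolve the name under REPORT_DIR and confirm the normalized
        //    result is still inside it, so "../../etc/passwd" cannot escape.
        Path file = REPORT_DIR.resolve(name).normalize();
        if (!file.startsWith(REPORT_DIR) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/pdf");
        Files.copy(file, resp.getOutputStream());
    }

    // The JNDI name is an assumption; the DataSource itself is configured in the container.
    private DataSource lookupDataSource() throws NamingException {
        return (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDS");
    }
}
```

For getUserPrincipal() and isUserInRole() to return anything useful, the URL must be covered by a security-constraint in web.xml so that the container performs the login; without it the principal is null and every request is refused, which is the safe failure mode. Note also that the error responses carry only status codes: the SQL text, the driver's message and the resolved file path stay in the server log.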
Source: Uttam Kumar Roy (2015), Advanced Java programming, Oxford University Press.