Best Practices for Quartz Scheduler : Exposing the Scheduler in Applications
Exposing the Scheduler in Applications
Be Careful of Security
Some users expose Quartz's Scheduler functionality through an application user interface. This can be very useful, though it can also be extremely dangerous.
Be sure you do not mistakenly allow users to define jobs of any type they want, with whatever parameters they choose. For example, Quartz ships with a pre-made job org.quartz.jobs.NativeJob, which will execute any arbitrary native (operating system) system command that it is defined to. Malicious users could use this to take control of or destroy your system.
Likewise other jobs such as SendEmailJob, and virtually any others could be used for malicious intent.
Important:  
Be aware that allowing users to define whatever job they want, effectively opens your system to all sorts of vulnerabilities comparable or equivalent to Command Injection Attacks as defined by OWASP and MITRE.
Copyright © 2010-2015 Software AG, Darmstadt, Germany.

Product Logo |   Feedback