There is no reason to have a main method in a web application. It may have been useful for debugging during application development, but such a method should never make it into production. Having a main method in a web application opens a door to the application logic that an attacker may never be able to reach (but watch out if one does!); even so, it is a sloppy practice and indicates that other problems may be present.

This rule raises an issue when a main method is found in a servlet or an EJB.
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {
  public void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    // The request path enforces authorization before touching business logic.
    if (userIsAuthorized(req)) {
      updatePrices(req);
    }
  }

  public static void main(String[] args) { // Noncompliant
    // A second entry point that reaches updatePrices without the doGet
    // authorization check (and 'req' is not even in scope here).
    updatePrices(req);
  }
}
```
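As an added illustration of how this rule can be checked in a build pipeline (example code written for this page, not the analyzer's own implementation), the following script flags Java sources that are servlets (extending `HttpServlet` or `GenericServlet`) or EJBs (annotated `@Stateless`, `@Stateful`, `@Singleton` or `@MessageDriven`) and that also declare a `main` method; the sample sources are constructed for the demonstration, and the regex-based class and annotation detection is a deliberate simplification of real Java parsing.

```python
import re

# Constructed sample sources: a servlet with a main method, an EJB with a
# main method, and a plain command-line class whose main method is legitimate.
SAMPLES = {
    "MyServlet.java": """
import javax.servlet.http.HttpServlet;
public class MyServlet extends HttpServlet {
    public static void main(String[] args) { }
}
""",
    "PriceBean.java": """
import javax.ejb.Stateless;
@Stateless
public class PriceBean {
    public static void main(String... args) { }
}
""",
    "Cli.java": """
public class Cli {
    public static void main(String[] args) { }
}
""",
}

SERVLET_BASES = ("HttpServlet", "GenericServlet")
EJB_ANNOTATIONS = ("Stateless", "Stateful", "Singleton", "MessageDriven")

# Matches the standard main signature in its common spellings:
# String[] args, String args[], String... args, optionally 'final'.
MAIN_RE = re.compile(
    r"(?:public\s+static|static\s+public)\s+void\s+main\s*\(\s*(?:final\s+)?"
    r"String\s*(?:\[\s*\]\s*\w+|\.\.\.\s*\w+|\w+\s*\[\s*\])\s*\)"
)
EXTENDS_RE = re.compile(r"\bclass\s+\w+\s+extends\s+(\w+)")
ANNOT_RE = re.compile(r"@(\w+)")

def is_servlet_or_ejb(source: str) -> bool:
    """True if the class extends a servlet base class or carries an EJB annotation."""
    m = EXTENDS_RE.search(source)
    if m and m.group(1) in SERVLET_BASES:
        return True
    return any(a in EJB_ANNOTATIONS for a in ANNOT_RE.findall(source))

def has_main(source: str) -> bool:
    return MAIN_RE.search(source) is not None

def find_noncompliant(sources: dict) -> list:
    """Return the file names that are servlets/EJBs and also declare a main method."""
    return sorted(n for n, s in sources.items() if is_servlet_or_ejb(s) and has_main(s))

if __name__ == "__main__":
    for name in find_noncompliant(SAMPLES):
        print(f"{name}: main method found in a servlet/EJB (Noncompliant)")
```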