Bugs (found so far):
1. errorpage.jsp does not import java.io (but implicitly uses it).
2. The web.xml for the web-app has an ejb-ref by the name of ejb/inventory which lists inventory as a session while it in fact is an entity.
3. Internal errors are not logged (they are swallowed by errorpage and not logged from there either). Severe bug for paranoid admins (it disables the container's logging, i.e. alerting the admin etc.).
4. Internal errors sometimes lead to a simple "the user id is already taken" without any hint regarding the real error.
5. JSP Tags are used to store state outside of their own scope (ScreenDefinitions.jsp) - This is a programmer error since tags are usually reused once they're out of scope (after doEndTag()) so the state will get corrupted.
6. enteruserdata.jsp:18 com.sun.estore.account.web.AccountWebImpl does not have a no-arg constructor. This isn't needed since it's a preexisting bean, but then the attribute "type" should be used, not "class" (invalid "class" type since it is not a valid bean).
7. The real error is not displayed in the errorpage in most cases, add this to the page to fix:
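<% if (exception instanceof javax.ejb.EJBException) {
     // getCausedByException() may return null when no cause was wrapped
     Exception cause = ((javax.ejb.EJBException) exception).getCausedByException();
     if (cause != null) { %>
<b><em>
<% cause.printStackTrace(new java.io.PrintWriter(out)); %>
</em></b>
<%   }
   } %>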
8. The beans stored in the sessions are not serializable. While this isn't an error, it prohibits fault tolerance through session clustering and persisting sessions across restarts properly.
9. The <shortname> attribute is missing in the TLD XML (mandatory attribute defined in the TLD DTD).
10. The DAOs return null if the DB isn't Cloudscape, Sybase or Oracle, which in turn leads to crashes when using them.
11. loginpage.jsp assumes it is executed in the directory it resides in which might not be the case depending on form-auth implementation (the implementation details are being further specified in the errata and expert groups for JSP and Servlets right now).
To fix, change src="images/..." to src="<%=request.getContextPath()%>/images/...".
12. The code catches IOExceptions without rethrowing them (it prints them instead). IOExceptions occur whenever there's an HTTP-layer error, such as a client disconnecting, and should only be propagated.
13. The login-page is specified as "/estore/login.jsp" while in fact it should be "/login.jsp", same goes for the error-page.
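
An added example (not code from the application or from this page) of an error-handling policy that addresses bugs 3, 4 and 12 together: the real cause is unwrapped and logged, IOExceptions are propagated untouched, and the user gets a reference to the logged error. The class names, the logger name and the reference-id scheme are assumptions, and EJBExceptionStandIn is a hypothetical stand-in for javax.ejb.EJBException so that the block compiles without the EJB API jar.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorPolicy {
    // Assumed logger name; in a container this would feed the admin's alerting.
    private static final Logger LOG = Logger.getLogger("estore.errors");

    /** Hypothetical stand-in for javax.ejb.EJBException (same accessor name). */
    static class EJBExceptionStandIn extends RuntimeException {
        private final Exception cause;
        EJBExceptionStandIn(Exception cause) { super("EJB call failed"); this.cause = cause; }
        Exception getCausedByException() { return cause; }
    }

    /** Walk through nested wrappers to the error that actually happened. */
    static Throwable rootCause(Throwable t) {
        Throwable cur = t;
        for (int depth = 0; depth < 16; depth++) { // bounded, in case of a cause cycle
            Throwable next = (cur instanceof EJBExceptionStandIn)
                    ? ((EJBExceptionStandIn) cur).getCausedByException()
                    : cur.getCause();
            if (next == null || next == cur) break;
            cur = next;
        }
        return cur;
    }

    /**
     * Returns the text to show the user. IOExceptions (HTTP-layer errors such as
     * a client disconnect) are rethrown unchanged; everything else is logged
     * with its real cause under a reference id that also appears in the message.
     */
    static String handle(Throwable t) throws IOException {
        if (t instanceof IOException) throw (IOException) t;
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "internal error ref=" + ref, rootCause(t));
        return "An internal error occurred (reference " + ref + ").";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a database failure wrapped by the container.
        Exception db = new java.sql.SQLException("constructed: table ACCOUNT missing");
        System.out.println(handle(new EJBExceptionStandIn(db)));
    }
}
```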

Design questions:
1. Use of BMP? This is a big topic, we'd suggest CMP but that's personal preference.
2. Since it uses BMP - Lack of CMP baseclass (CMP baseclass should then be overridden by the BMP impl to keep it clean and keep your options open).
3. The "screen" JSP should not iterate over the body of each of the screens, it should only process the body of the "selected" screen and from there directly set the values in the screen tag (not its parent, its parent's parent).
