Enterprise Java applications heavily rely on annotations and XML metadata for configuration, yet enforcing cross-file consistency among these heterogeneous sources is complex and error-prone, often leading to runtime failures and security vulnerabilities. To address this, we propose RSL—a domain-specific language that formally specifies metadata consistency constraints spanning Java annotations, XML files, and bytecode. We further develop MeCheck, a static analysis tool that integrates bytecode parsing, XML schema-aware analysis, and rule-driven semantic extraction to perform explainable and extensible joint verification. Evaluated on 45 manually seeded buggy applications, MeCheck achieves 100% precision and 96% recall. Applied to 70 real-world open-source projects, it identifies 156 genuine configuration defects, 53 of which have already been confirmed and fixed. This work establishes the first systematic, sound, and practical static verification framework for ensuring metadata configuration reliability in enterprise Java systems.

When building enterprise applications (EAs) on Java frameworks (e.g., Spring), developers often configure application components via metadata (i.e., Java annotations and XML files). It is challenging for developers to correctly use metadata, because the usage rules can be complex and existing tools provide limited assistance. When developers misuse metadata, EAs become misconfigured, which defects can trigger erroneous runtime behaviors or introduce security vulnerabilities. To help developers correctly use metadata, this paper presents (1) RSL -- a domain-specific language that domain experts can adopt to prescribe metadata checking rules, and (2) MeCheck -- a tool that takes in RSL rules and EAs to check for rule violations. With RSL, domain experts (e.g., developers of a Java framework) can specify metadata checking rules by defining content consistency among XML files, annotations, and Java code. Given such RSL rules and a program to scan, MeCheck interprets rules as cross-file static analyzers, which analyzers scan Java and/or XML files to gather information and look for consistency violations. For evaluation, we studied the Spring and JUnit documentation to manually define 15 rules, and created 2 datasets with 115 open-source EAs. The first dataset includes 45 EAs, and the ground truth of 45 manually injected bugs. The second dataset includes multiple versions of 70 EAs. We observed that MeCheck identified bugs in the first dataset with 100% precision, 96% recall, and 98% F-score. It reported 156 bugs in the second dataset, 53 of which bugs were already fixed by developers. Our evaluation shows that MeCheck helps ensure the correct usage of metadata.