WebApp Sec mailing list archives
Re: Heavy Security Issue
From: Marco Caramma <marco () etrading-colombia com>
Date: Thu, 04 Aug 2005 09:27:58 -0500
On Thu, 2005-08-04 at 08:20 -0500, Dan Simon wrote:
Two thoughts:

1. Please do let us know what servlet engine you are using (as someone else suggested).

2. I would also recommend that you look into implementing a proper MVC architecture for your code. I prefer the Spring Framework (www.springframework.org), but that's just me... I find it clean, simple, and elegant. By implementing a proper MVC architecture for your JSP application, you can prevent access to the JSP files entirely -- with only the servlet engine itself allowed to view the files. It also encourages proper separation of code from the UI. Some very, very nice ideas for the security-minded.
just to complement the information ... IMHO a full set of tools to have J2EE development done in the right way - "clean, simple, elegant and security-minded" - is using all together Spring Framework + Hibernate ORM + Apache Tapestry + Acegi Security
Dan Simon
C|EH, SCJP, SCJD
Remington Associates, Ltd.
http://www.remingtonltd.com

Hi Guys!

My name is Jonathan. I am really pleased to let you know that I love your security site; it really helps us developers to find answers to many of our security doubts. Once more I am asking for your help. The issue is the following: I have an Apache server and an app running on it, but I recently found a little problem that consists in the following:

- When I make a request for the following JSP, for example: http://XX.XX.XX.XX:8081/en/dynapage/scripts/page.jsp the JSP is interpreted, the request is successful, and an HTML page is displayed in the browser.

- But when I add a forward slash either after the "en" or the "dynapage", so that the request looks like the following: http://XX.XX.XX.XX:8081/en//dynapage/scripts/page.jsp or http://XX.XX.XX.XX:8081//en/dynapage/scripts/page.jsp what I get is a "download file" window that lets me download the .jsp file and view the source code :(

Could you please help me find out if this is a missing configuration in my Apache httpd or if it is a bug in this same technology.

Thank you in advance guys! Hope to hear from you soon.

Jonathan Orlando
-- Marco Caramma J2EE Architect Developer IT Security Consultant www.etrading-colombia.com
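The front-controller arrangement Dan describes above (JSPs never reachable by URL, only reached by a forward from the servlet engine) is what takes the double-slash behaviour Jonathan reports out of play: whether or not the container normalises `//` before matching, a file under `/WEB-INF/` is never served as a static resource. The following is an added illustration, not code from any poster or from the Spring Framework; it assumes Servlet API 2.4 (`javax.servlet`), a view directory `/WEB-INF/jsp/` and a `web.xml` mapping of this servlet to `/en/*`, all of which are assumptions.

```java
// FrontController.java -- added example, not from the original thread.
// Assumed web.xml mapping (not on the page):
//   <servlet-mapping><servlet-name>front</servlet-name><url-pattern>/en/*</url-pattern></servlet-mapping>
// Views live in /WEB-INF/jsp/, which the container refuses to serve directly,
// so mangled URLs (doubled slashes, ";jsessionid", trailing encodings) cannot
// reach the raw .jsp file; they only ever reach this servlet.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FrontController extends HttpServlet {
    // Explicit allow-list of logical page names to view files. The request path is
    // never used to build a file name, so there is nothing for path tricks to reach.
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        VIEWS.put("page", "/WEB-INF/jsp/page.jsp"); // assumed view, for illustration
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = resolveView(req.getPathInfo());
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Server-side forward: the container renders the JSP, the client never
        // gets a URL that points at the file itself.
        req.getRequestDispatcher(view).forward(req, resp);
    }

    // Maps e.g. "/dynapage/scripts/page.jsp" or "//dynapage//page" to the view
    // registered under "page"; doubled slashes and a ".jsp" suffix are ignored.
    static String resolveView(String pathInfo) {
        if (pathInfo == null) {
            return null;
        }
        String name = pathInfo.substring(pathInfo.lastIndexOf('/') + 1);
        if (name.endsWith(".jsp")) {
            name = name.substring(0, name.length() - 4);
        }
        return VIEWS.get(name);
    }
}
```

Because the only names this servlet will forward to are the ones listed in `VIEWS`, a request for a path that is not registered gets a 404 rather than a file, and the servlet engine in use no longer matters for this particular exposure.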
Current thread:
- Heavy Security Issue jonathan Davis (Aug 03)
- Re: Heavy Security Issue Saqib Ali (Aug 03)
- Re: Heavy Security Issue Dan Simon (Aug 04)
- Re: Heavy Security Issue Marco Caramma (Aug 04)