WebApp Sec mailing list archives
Re: [WEB SECURITY] How to Create Secure Web Applications with Struts
From: Stephen de Vries <stephen () corsaire com>
Date: Mon, 20 Mar 2006 15:30:13 +0700
Great article!It did make me think of a particular architectural issue which seems to be cropping up more and more; that is, the impact that implementing security in the web tier has on the future extensibility of the app.
For applications that were designed as web apps and will continue to only be web apps for the rest of their lives, this shouldn't impact much on the extensibility of the apps. If the validation rules or access control requirements change, these can easily be changed in the web tier (and as you've shown Struts makes it really easy, because it's all declarative). But if the application needs to be extensible, e.g. must have a fat client down the road or must expose web services, then any security implemented in the web tier would have to be re-implemented in all the other facades. To be truly extensible applications should implement security functionality in the business tier so that any changes to the presentation technology (or new technologies) don't impact the core functionality. E.g. for classic J2EE technologies this would mean implementing access control on the EJB's themselves rather than in the web tier. This is also the approach taken by the Spring framework: both access control and input validation are tied to the beans that form the middle tier, not the presentation.
It may not be a big issue, but I think it's important to understand how choosing the web tier as a security provider could impact the extensibility of the app down the line.
2p Stephen On 20 Mar 2006, at 02:44, bugtraq () cgisecurity net wrote:
"This article will focus on developing secure Web applications with the popular Java framework Struts. It will detail a set of best practices using the included security mechanisms. The first section will provide an overview of both Struts and Web application security as a context for discussion. Each subsequent section will focus on a specific security principle and discuss how Struts can be leveragedto address it." http://be.sys-con.com/read/192434.htm - zeno http://www.cgisecurity.com/ Application Security News, and more! http://www.cgisecurity.com/index.rss [RSS Feed] --------------------------------------------------------------------- The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/
-- Stephen de Vries Corsaire Ltd E-mail: stephen () corsaire com Tel: +44 1483 226014 Fax: +44 1483 226068 Web: http://www.corsaire.com ------------------------------------------------------------------------- This List Sponsored by: SpiDynamicsALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- How to Create Secure Web Applications with Struts bugtraq (Mar 19)
- Re: [WEB SECURITY] How to Create Secure Web Applications with Struts Stephen de Vries (Mar 20)
- Re: [WEB SECURITY] How to Create Secure Web Applications with Struts Pilon Mntry (Mar 21)
- A Modular Approach to Data Validation in Web Applications Stephen de Vries (Mar 27)
- Re: [WEB SECURITY] How to Create Secure Web Applications with Struts George Capehart (Mar 21)
- XST Frederic Charpentier (Mar 21)
- Re: [WEB SECURITY] XST Amit Klein (AKsecurity) (Mar 21)
- Re: [WEB SECURITY] How to Create Secure Web Applications with Struts Pilon Mntry (Mar 21)
- Re: [WEB SECURITY] How to Create Secure Web Applications with Struts Stephen de Vries (Mar 20)