
Re: [WEB SECURITY] How to Create Secure Web Applications with Struts




Great article!

It did make me think of a particular architectural issue which seems to be cropping up more and more; that is, the impact that implementing security in the web tier has on the future extensibility of the app.

For applications that were designed as web apps and will continue to only be web apps for the rest of their lives, this shouldn't impact much on the extensibility of the apps. If the validation rules or access control requirements change, these can easily be changed in the web tier (and as you've shown Struts makes it really easy, because it's all declarative).
But if the application needs to be extensible, e.g. must have a fat client down the road or must expose web services, then any security implemented in the web tier would have to be re-implemented in all the other facades. To be truly extensible, applications should implement security functionality in the business tier so that any changes to the presentation technology (or new technologies) don't impact the core functionality. E.g. for classic J2EE technologies this would mean implementing access control on the EJBs themselves rather than in the web tier. This is also the approach taken by the Spring framework: both access control and input validation are tied to the beans that form the middle tier, not the presentation.


It may not be a big issue, but I think it's important to understand how choosing the web tier as a security provider could impact the extensibility of the app down the line.

2p

Stephen


On 20 Mar 2006, at 02:44, bugtraq@xxxxxxxxxxxxxxx wrote:

"This article will focus on developing secure Web applications with the popular Java framework Struts.
It will detail a set of best practices using the included security mechanisms. The first section will
provide an overview of both Struts and Web application security as a context for discussion. Each
subsequent section will focus on a specific security principle and discuss how Struts can be leveraged
to address it."


http://be.sys-con.com/read/192434.htm

- zeno
http://www.cgisecurity.com/ Application Security News, and more!
http://www.cgisecurity.com/index.rss [RSS Feed]

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


--
Stephen de Vries
Corsaire Ltd
E-mail: stephen@xxxxxxxxxxxx
Tel: +44 1483 226014
Fax: +44 1483 226068
Web: http://www.corsaire.com
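The business-tier placement Stephen argues for above, shown as an added illustration that is not part of his post, the Struts article, or any framework's own code. It enforces an access rule on the service interface itself, so a Struts action, a SOAP endpoint and a fat client all pass through the same check. To stay dependency-free it uses a plain java.lang.reflect.Proxy as the interceptor where EJB or Spring would supply one; the names (AccountService, RequiresRole, Principal) are invented for the example, and Java 17 is assumed for the record syntax.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

/** Caller identity as established by whichever facade authenticated the user (hypothetical type). */
record Principal(String name, Set<String> roles) {}

/** Declarative access rule attached to the middle tier, not to a web action (hypothetical annotation). */
@Retention(RetentionPolicy.RUNTIME)
@interface RequiresRole { String value(); }

class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String message) { super(message); }
}

/** Business-tier contract: the security metadata lives here, so every facade inherits it. */
interface AccountService {
    @RequiresRole("ACCOUNT_ADMIN")
    void closeAccount(Principal caller, String accountId);

    @RequiresRole("USER")
    String balance(Principal caller, String accountId);
}

/** Business logic only; it never checks roles itself. */
class AccountServiceImpl implements AccountService {
    public void closeAccount(Principal caller, String accountId) {
        // ... domain logic would go here (constructed stub)
    }
    public String balance(Principal caller, String accountId) {
        return "100.00"; // constructed sample value
    }
}

/** Interceptor that enforces @RequiresRole before delegating. It fails closed:
 *  a method with no declared rule or no caller identity is refused. */
class AuthorizingHandler implements InvocationHandler {
    private final Object target;
    AuthorizingHandler(Object target) { this.target = target; }

    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        RequiresRole rule = m.getAnnotation(RequiresRole.class);
        if (rule == null) {
            throw new AccessDeniedException("no access rule declared for " + m.getName());
        }
        if (args == null || args.length == 0 || !(args[0] instanceof Principal)) {
            throw new AccessDeniedException("no caller identity supplied to " + m.getName());
        }
        Principal caller = (Principal) args[0];
        if (!caller.roles().contains(rule.value())) {
            throw new AccessDeniedException(caller.name() + " lacks role " + rule.value());
        }
        return m.invoke(target, args);
    }
}

/** Wires the secured service once; web tier, web service and fat client all obtain it this way. */
class SecuredServices {
    static AccountService account(AccountService impl) {
        return (AccountService) Proxy.newProxyInstance(
            AccountService.class.getClassLoader(),
            new Class<?>[] { AccountService.class },
            new AuthorizingHandler(impl));
    }

    public static void main(String[] args) {
        AccountService svc = account(new AccountServiceImpl());
        Principal clerk = new Principal("alice", Set.of("USER"));                 // constructed
        Principal admin = new Principal("bob", Set.of("USER", "ACCOUNT_ADMIN")); // constructed

        // Path a Struts action would take: permitted for a plain user.
        System.out.println("balance: " + svc.balance(clerk, "acct-1"));

        // Path a later SOAP endpoint would take: same rule applies with no re-implementation.
        try {
            svc.closeAccount(clerk, "acct-1");
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        svc.closeAccount(admin, "acct-1");
        System.out.println("closed by admin");
    }
}
```

Compile and run with `javac *.java && java SecuredServices`. The point to take from it is the division of labour: the facades are responsible only for authenticating the caller and building a Principal, while the authorization decision is made once, next to the business method it protects, so adding a new presentation technology cannot silently drop the check.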





