Great article!

It did make me think of a particular architectural issue which seems to be cropping up more and more; that is, the impact that implementing security in the web tier has on the future extensibility of the app.

For applications that were designed as web apps and will continue to only be web apps for the rest of their lives, this shouldn't impact much on the extensibility of the apps. If the validation rules or access control requirements change, these can easily be changed in the web tier (and as you've shown Struts makes it really easy, because it's all declarative).

But if the application needs to be extensible, e.g. must have a fat client down the road or must expose web services, then any security implemented in the web tier would have to be re-implemented in all the other facades. To be truly extensible, applications should implement security functionality in the business tier so that any changes to the presentation technology (or new technologies) don't impact the core functionality. E.g. for classic J2EE technologies this would mean implementing access control on the EJBs themselves rather than in the web tier. This is also the approach taken by the Spring framework: both access control and input validation are tied to the beans that form the middle tier, not the presentation.

It may not be a big issue, but I think it's important to understand how choosing the web tier as a security provider could impact the extensibility of the app down the line.
2p
Stephen
On 20 Mar 2006, at 02:44, bugtraq_at_cgisecurity.net wrote:
> "This article will focus on developing secure Web applications with
> the popular Java framework Struts.
> It will detail a set of best practices using the included security
> mechanisms. The first section will
> provide an overview of both Struts and Web application security as
> a context for discussion. Each
> subsequent section will focus on a specific security principle and
> discuss how Struts can be leveraged
> to address it."
>
> http://be.sys-con.com/read/192434.htm
>
> - zeno
> http://www.cgisecurity.com/ Application Security News, and more!
> http://www.cgisecurity.com/index.rss [RSS Feed]
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
--
Stephen de Vries
Corsaire Ltd
E-mail: stephen_at_corsaire.com
Tel: +44 1483 226014
Fax: +44 1483 226068
Web: http://www.corsaire.com
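The point made in the reply above, as an added illustration that is not code from the article, from Stephen's post or from any Struts, EJB or Spring project: the authorization and input-validation rules sit in one business-tier service, and a web action and a later web-service endpoint both call it, so the rule is enforced once no matter which facade reached it. Plain Java is used in place of an EJB or Spring bean; the `Caller`, `Role`, `AccountService`, `WebTransferAction` and `TransferWebService` types are all hypothetical names chosen for the example.

```java
// Added example (not from the article or the thread): access control and input
// validation enforced in the business tier so every facade hits the same check.
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

enum Role { TELLER, AUDITOR }

// Caller identity as established by whichever facade authenticated the user (hypothetical type).
final class Caller {
    final String name;
    private final Set<Role> roles;
    Caller(String name, Set<Role> roles) { this.name = name; this.roles = EnumSet.copyOf(roles); }
    boolean has(Role r) { return roles.contains(r); }
}

final class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

// Business tier: the authorization rule lives next to the operation it guards.
final class AccountService {
    private final Map<String, Long> balances = new HashMap<>();

    AccountService() { balances.put("ACC-1", 500L); balances.put("ACC-2", 0L); } // constructed sample data

    // Input validation also lives here, so no facade can skip it.
    void transfer(Caller caller, String from, String to, long amount) {
        require(caller, Role.TELLER);
        if (amount <= 0) throw new IllegalArgumentException("amount must be positive");
        if (!balances.containsKey(from) || !balances.containsKey(to))
            throw new IllegalArgumentException("unknown account");
        if (balances.get(from) < amount) throw new IllegalStateException("insufficient funds");
        balances.put(from, balances.get(from) - amount);
        balances.put(to, balances.get(to) + amount);
    }

    long balance(Caller caller, String account) {
        // Either role may read a balance; only a teller may move money.
        if (!caller.has(Role.TELLER) && !caller.has(Role.AUDITOR))
            throw new AccessDeniedException(caller.name + " may not read balances");
        return balances.get(account);
    }

    private static void require(Caller caller, Role role) {
        if (!caller.has(role)) throw new AccessDeniedException(caller.name + " lacks role " + role);
    }
}

// Two facades. Neither holds an authorization rule; each only translates its
// transport into a service call and maps exceptions back to that transport.
final class WebTransferAction {
    private final AccountService service;
    WebTransferAction(AccountService s) { service = s; }

    String execute(Caller user, Map<String, String> form) {
        try {
            service.transfer(user, form.get("from"), form.get("to"), Long.parseLong(form.get("amount")));
            return "success";
        } catch (AccessDeniedException e) {
            return "forbidden";
        } catch (IllegalArgumentException | IllegalStateException e) { // NumberFormatException included
            return "input";
        }
    }
}

final class TransferWebService {
    private final AccountService service;
    TransferWebService(AccountService s) { service = s; }

    // A web-service endpoint added later inherits the same rule with no re-implementation.
    int transfer(Caller user, String from, String to, long amount) {
        try { service.transfer(user, from, to, amount); return 200; }
        catch (AccessDeniedException e) { return 403; }
        catch (IllegalArgumentException | IllegalStateException e) { return 400; }
    }
}

public class BusinessTierSecurityDemo {
    public static void main(String[] args) {
        AccountService service = new AccountService();
        Caller teller = new Caller("alice", EnumSet.of(Role.TELLER));
        Caller auditor = new Caller("bob", EnumSet.of(Role.AUDITOR));

        WebTransferAction web = new WebTransferAction(service);
        Map<String, String> form = new HashMap<>();
        form.put("from", "ACC-1"); form.put("to", "ACC-2"); form.put("amount", "100");
        System.out.println("web, teller:   " + web.execute(teller, form));
        System.out.println("web, auditor:  " + web.execute(auditor, form));

        TransferWebService ws = new TransferWebService(service);
        System.out.println("ws, auditor:   " + ws.transfer(auditor, "ACC-1", "ACC-2", 50));
        System.out.println("ws, bad input: " + ws.transfer(teller, "ACC-1", "ACC-2", -5));
        System.out.println("ACC-2 balance: " + service.balance(auditor, "ACC-2"));
    }
}
```

Compile and run with `javac BusinessTierSecurityDemo.java && java BusinessTierSecurityDemo`. Changing who may transfer, or what a valid amount is, touches only `AccountService`; the web action, the web service and any future fat client pick the change up unchanged, which is the extensibility argument the post makes.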
Received on Mar 20 2006