[WEB SECURITY] How to Create Secure Web Applications with Struts

Stephen de Vries stephen at corsaire.com
Mon Mar 20 03:30:13 EST 2006


Great article!

It did make me think of a particular architectural issue which seems  
to be cropping up more and more; that is, the impact that  
implementing security in the web tier has on the future extensibility  
of the app.

For applications that were designed as web apps and will continue to  
only be web apps for the rest of  their lives, this shouldn't impact  
much on the extensibility of the apps.  If the validation rules or  
access control requirements change, these can easily be changed in  
the web tier (and as you've shown Struts makes it really easy,  
because it's all declarative).
But if the application needs to be extensible, e.g. must have a fat  
client down the road or must expose web services, then any security  
implemented in the web tier would have to be re-implemented in all  
the other facades.  To be truly extensible applications should  
implement security functionality in the business tier so that any  
changes to the presentation technology (or new technologies) don't  
impact the core functionality.  E.g. for classic J2EE technologies  
this would mean implementing access control on the EJB's themselves  
rather than in the web tier.  This is also the approach taken by the  
Spring framework: both access control and input validation are tied  
to the beans that form the middle tier, not the presentation.

It may not be a big issue, but I think it's important to understand  
how choosing the web tier as a security provider could impact the  
extensibility of the app down the line.

2p

Stephen


On 20 Mar 2006, at 02:44, bugtraq at cgisecurity.net wrote:

> "This article will focus on developing secure Web applications with  
> the popular Java framework Struts.
> It will detail a set of best practices using the included security  
> mechanisms. The first section will
> provide an overview of both Struts and Web application security as  
> a context for discussion. Each
> subsequent section will focus on a specific security principle and  
> discuss how Struts can be leveraged
> to address it."
>
> http://be.sys-con.com/read/192434.htm
>
> - zeno
> http://www.cgisecurity.com/ Application Security News, and more!
> http://www.cgisecurity.com/index.rss [RSS Feed]
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>

-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:	+44 1483 226014
Fax: 	+44 1483 226068
Web: 	http://www.corsaire.com






---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list