[WEB SECURITY] Apache Struts vs. Wicket - security?
Stephen de Vries
stephendv at gmail.com
Mon May 23 04:44:52 EDT 2011
It is possible to build secure web applications using either of those frameworks. The question then becomes: "which one offers the best security by default". At the web tier there will only be a handful of features that will be relevant to security, so I would look for:
- Anti-XSS: Does the framework encode HTML content in fields by default? Field values, content and attributes.
- Does the framework provide adequate guidance to use this safe encoded way of doing things as opposed to the non-safe way (i.e. how likely are developers to use the framework's encoding mechanism and not try to bypass it)?
- Does the framework provide CSRF protection by default? Sometimes this happens when the framework supports page-flows: it includes a nonce in POST requests to control the order of pages in a wizard, and so you get CSRF protection free of charge.
- How well does the framework integrate with the authentication and access control framework?
On 19 May 2011, at 18:38, Jari Pirhonen wrote:
> I was asked about the security of Wicket compared to Struts. I'm not familiar with either of those. I didn't find any good security comparisons or Wicket security challenges with Google, except that Wicket is apparently more complicated to use.
> I would appreciate any information you can give or point out.
> best regards,
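An added example, not code from the post or from Struts or Wicket, of the two "by default" properties the reply lists: a render helper that encodes field content and attribute values with no raw path, and a per-session nonce check on POST parameters. The class and method names are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

public final class SafeByDefaultDemo {
    /** Escapes the five characters that matter in both element content and quoted attributes. */
    public static String encodeHtml(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (char c : raw.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders a label and an input whose value attribute is always encoded; there is no raw path. */
    public static String renderField(String label, String value) {
        return "<label>" + encodeHtml(label) + "</label>"
             + "<input type=\"text\" value=\"" + encodeHtml(value) + "\">";
    }

    /** Per-session nonce, as a page-flow framework would embed in every POST form it renders. */
    public static String newCsrfToken(SecureRandom rng) {
        byte[] b = new byte[32];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Rejects a POST unless its token matches the session's; constant-time comparison. */
    public static boolean csrfTokenValid(String sessionToken, Map<String, String> postParams) {
        String submitted = postParams.get("csrf_token");
        if (sessionToken == null || submitted == null) return false;
        return MessageDigest.isEqual(sessionToken.getBytes(), submitted.getBytes());
    }

    public static void main(String[] args) {
        String hostile = "\"><b>bold</b>";  // constructed value that would break out of the attribute
        System.out.println(renderField("Name", hostile));
        String token = newCsrfToken(new SecureRandom());
        System.out.println("with token:    " + csrfTokenValid(token, Map.of("csrf_token", token)));
        System.out.println("without token: " + csrfTokenValid(token, Map.of()));
    }
}
```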