[WEB SECURITY] Apache Struts vs. Wicket - security?

Stephen de Vries stephendv at gmail.com
Mon May 23 04:44:52 EDT 2011


Jari,

It is possible to build secure web applications using either of those frameworks.  The question then becomes: "which one offers the best security by default".  At the web tier there will only be a handful of features that will be relevant to security, so I would look for:
- Anti-XSS: Does the framework encode HTML content in fields by default?  Field values, content and attributes.
- Does the framework provide adequate guidance to use this safe encoded way of doing things as opposed to the non-safe way (i.e. how likely are developers to use the framework's encoding mechanism and not try to bypass it)?
- Does the framework provide CSRF protection by default?  Sometimes this happens when the framework supports page-flows: it includes a nonce in POST requests to control the order of pages in a wizard, and so you get CSRF protection free of charge. 
- How well does the framework integrate with the authentication and access control framework?

regards,
Stephen


On 19 May 2011, at 18:38, Jari Pirhonen wrote:

> Hi,
> 
> I was asked about security of Wickets compared to Struts. I'm not familiar with either of those. I didn't find any good security comparisons or Wicket security challenges with Google, except that Wicket is apparently more complicated to use.
> 
> I would appreciate any information you can give or point out.
> 
> best regards,
> Jari
> 

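Stephen's first and third checks, as an added illustration that is not code from Struts or Wicket (written in Python rather than Java so it runs stand-alone; every name below is an assumption): output encoding applied by default with an explicit, visible opt-out, and a per-session synchronizer token that every state-changing POST must carry.

```python
import html
import hmac
import secrets


class Raw(str):
    """Explicit opt-out: only values wrapped in Raw bypass encoding.

    The bypass is visible in code review, which is the 'guidance' property
    Stephen asks about: the safe path is the default, the unsafe path is loud.
    """


def encode_text(value):
    """Encode for HTML text content (between tags)."""
    if isinstance(value, Raw):
        return str(value)
    return html.escape(str(value), quote=False)


def encode_attr(value):
    """Encode for a double-quoted HTML attribute value; quotes must be escaped too."""
    if isinstance(value, Raw):
        return str(value)
    return html.escape(str(value), quote=True)


def render_input(name, value):
    """Render a labelled input; label text and attribute values are encoded by default."""
    return '<label>%s<input name="%s" value="%s"></label>' % (
        encode_text(name), encode_attr(name), encode_attr(value))


def issue_token(session):
    """Store a fresh synchronizer token in the server-side session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_ok(session, form):
    """Accept the POST only if the submitted token matches the session copy (constant-time)."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def handle_post(session, form):
    """Minimal state-changing handler: reject before touching any state."""
    if not csrf_ok(session, form):
        return 403
    return 200
```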