[WEB SECURITY] Apache Struts vs. Wicket - security?

Stephen de Vries stephendv at gmail.com
Mon May 23 04:44:52 EDT 2011


It is possible to build secure web applications using either of those frameworks.  The question then becomes: "which one offers the best security by default".  At the web tier there will only be a handful of features that will be relevant to security, so I would look for:
- Anti-XSS: Does the framework encode HTML content in fields by default?  Field values, content and attributes.
- Does the framework provide adequate guidance to use this safe encoded way of doing things as opposed to the non-safe way (i.e. how likely are developers to use the framework's encoding mechanism and not try to bypass it)?
- Does the framework provide CSRF protection by default?  Sometimes this happens when the framework supports page-flows, it includes a nonce in POST requests to control the order of pages in a wizard, and so you get CSRF protection free of charge.
- How well does the framework integrate with the authentication and access control framework?


On 19 May 2011, at 18:38, Jari Pirhonen wrote:

> Hi,
> I was asked about security of Wickets compared to Struts. I'm not familiar with either of those. I didn't find any good security comparisons or Wicket security challenges with Google, except that Wicket is apparently more complicated to use.
> I would appreciate any information you can give or point out.
> best regards,
> Jari
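As an added illustration of the first and third checklist items above (encoding by default for text and attribute contexts, and a per-session nonce that every POST must carry), here is a plain-JDK example. It is not code from the post, nor from Struts or Wicket; the class and method names are hypothetical, the in-memory map stands in for a real server-side session store, and the untrusted input string is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical example of two "secure by default" behaviours a web framework
 * can provide: context-aware HTML output encoding and a CSRF nonce bound to
 * the session. Plain JDK only; not Struts or Wicket code.
 */
public final class SecureDefaultsDemo {

    /** Encode a value for use as HTML element content (a text node). */
    public static String encodeForHtmlText(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Encode a value for an HTML attribute. Stricter than the text encoder:
     * everything outside [A-Za-z0-9] becomes a numeric entity, so the value
     * cannot close the quotes or add a new attribute even if a template
     * author forgot to quote it.
     */
    public static String encodeForHtmlAttribute(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (alnum) {
                sb.append(c);
            } else {
                sb.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return sb.toString();
    }

    // --- CSRF nonce: issued once per session, required on every state-changing POST ---

    private static final SecureRandom RNG = new SecureRandom();

    /** sessionId -> token. Stand-in for server-side session storage (assumption). */
    private final Map<String, String> tokensBySession = new HashMap<>();

    /** Issue (or reuse) the token bound to a session; the view renders it as a hidden field. */
    public String tokenFor(String sessionId) {
        return tokensBySession.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /** Accept the POST only if the submitted token matches the session's token (constant-time compare). */
    public boolean isValidPost(String sessionId, String submittedToken) {
        String expected = tokensBySession.get(sessionId);
        if (expected == null || submittedToken == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that would break out of an attribute and inject markup.
        String untrusted = "\"><script>alert(1)</script>";
        System.out.println("<p>" + encodeForHtmlText(untrusted) + "</p>");
        System.out.println("<input value=\"" + encodeForHtmlAttribute(untrusted) + "\">");

        SecureDefaultsDemo app = new SecureDefaultsDemo();
        String token = app.tokenFor("session-A");
        System.out.println("same-session POST with token accepted: " + app.isValidPost("session-A", token));
        System.out.println("POST without token rejected: " + !app.isValidPost("session-A", null));
        System.out.println("token from another session rejected: " + !app.isValidPost("session-B", token));
    }
}
```

Save as `SecureDefaultsDemo.java`, compile with `javac`, and run with `java SecureDefaultsDemo`. The point of the two encoders is the second checklist item: a framework gets the safe path used only if its default rendering calls something like `encodeForHtmlText` for element content and `encodeForHtmlAttribute` for attributes, so that a developer has to opt out explicitly to emit raw markup. The nonce check shows why a wizard-style page-flow token doubles as CSRF protection: a request forged from another origin cannot carry the value that only the victim's own session was issued.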
