websecurity@lists.webappsec.org

The Web Security Mailing List


Apache Struts vs. Wicket - security?

JP
Jari Pirhonen
Thu, May 19, 2011 4:38 PM

Hi,

I was asked about security of Wickets compared to Struts. I'm not
familiar with either of those. I didn't find any good security
comparisons or Wicket security challenges with Google, except that
Wicket is apparently more complicated to use.

I would appreciate any information you can give or point out.

best regards,
Jari

SD
Stephen de Vries
Mon, May 23, 2011 8:44 AM

Jari,

It is possible to build secure web applications using either of those frameworks.  The question then becomes: "which one offers the best security by default".  At the web tier there will only be a handful of features that will be relevant to security, so I would look for:

  • Anti-XSS: Does the framework encode HTML content in fields by default?  Field values, content and attributes.
  • Does the framework provide adequate guidance to use this safe encoded way of doing things as opposed to the non-safe way (i.e. how likely are developers to use the framework's encoding mechanism and not try to bypass it)?
  • Does the framework provide CSRF protection by default?  Sometimes this happens when the framework supports page-flows, it includes a nonce in POST requests to control the order of pages in a wizard, and so you get CSRF protection free of charge.
  • How well does the framework integrate with the authentication and access control framework?

regards,
Stephen

On 19 May 2011, at 18:38, Jari Pirhonen wrote:

Hi,

I was asked about security of Wickets compared to Struts. I'm not familiar with either of those. I didn't find any good security comparisons or Wicket security challenges with Google, except that Wicket is apparently more complicated to use.

I would appreciate any information you can give or point out.

best regards,
Jari


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

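As an added illustration of the first and third items in Stephen's checklist (this is not code from the thread, from Struts or from Wicket), a plain-JDK sketch of what "encode by default" and "a nonce in every POST" amount to at the web tier; the class name, the in-memory nonce store and the session id are assumptions made for the example:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
public final class WebTierDefaults {
    /** Encode for HTML element content; the same escapes are safe inside a *quoted* attribute. */
    static String encodeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    /** Attributes must be quoted as well as encoded: in an unquoted attribute a space ends the value. */
    static String attr(String name, String value) {
        return name + "=\"" + encodeHtml(value) + "\"";
    }
    private static final SecureRandom RNG = new SecureRandom();
    /** Constructed in-memory store (assumption): session id -> nonce issued with the last rendered form. */
    private final Map<String, String> nonces = new HashMap<>();
    String issueNonce(String sessionId) {
        byte[] n = new byte[32];
        RNG.nextBytes(n);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(n);
        nonces.put(sessionId, nonce);
        return nonce;
    }
    /** Accept a POST only if it carries the nonce bound to this session; the compare is constant-time. */
    boolean acceptPost(String sessionId, String submitted) {
        String expected = nonces.get(sessionId);
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII), submitted.getBytes(StandardCharsets.US_ASCII));
    }
    public static void main(String[] args) {
        WebTierDefaults app = new WebTierDefaults();
        String nonce = app.issueNonce("sess-1");
        System.out.println("<input " + attr("value", "O'Neil & \"friends\" <3") + ">");
        System.out.println("POST with issued nonce accepted: " + app.acceptPost("sess-1", nonce));
        System.out.println("POST without nonce accepted: " + app.acceptPost("sess-1", null));
    }
}
```

A framework scores well on Stephen's criteria when a developer gets the equivalent of encodeHtml and acceptPost without writing either, and has to opt out explicitly to lose them.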