What steps can be taken to make sure a web application using Hibernate, Spring and JSF is secure? What vulnerabilities can exist and what security framework, if any, is standard?
I'm making a web application in which certain pages are login-protected. I have created a JDBC security realm in glassfish for this, and used Form authentication (Similar to the method
I've developed custom ActionListener:
public class SecureActionListener extends ActionListenerImpl implements ActionListener {
    private ActionListener _delegate;
    public SecureActionListener(ActionListener delegate) {
        ...
I have tested a JSF application with the CSRFtester tool, and the tool didn't report any CSRF problems. But I had read in the "OWASP_Top_10_2007_for_JEE.pdf", that all Java EE web application ...
I am looking for a book which has JSF 2.0 security topics and a decent amount of tutorial/examples on how to implement those security features (e.g. session management, roles, limited number of login ...
I've been doing it like this lately and find it so much better than XML hell (Spring Security) or Glassfish security (because I don't need to have groups or set the tables up ...
I have some XHTML pages. When I run the project, I can view the page even if I am not logged in. When I type directly in the address bar, I ...
I am steeped in Struts, and I am starting to learn JSF 2.0. Can I keep using what worked in Struts to reduce attack vectors, or are there new attack vectors ...
I have implemented some pages for my web project. However, now I would like to add security.
I will have a couple of roles, like admin, user, other, and some pages shall only ...
I am developing a web application where there are a few roles like Admin, Reporter, Manager, Customer.Agent. Based on role, some menu items need to be displayed. Admin can give permission (dynamically) to user, say ...
I'm building a Web application using JSF, EJBs and JPA.
I currently use form based j_security_check to handle authentication.
I need to implement support for cookies, i.e. a "Remember me" option.
Also I want ...
Hello, I'm trying to perform form-based authentication on JBoss:
these are my configuration files.
login-config.xml:
<application-policy name="MyPolicy">
    <authentication>
        <login-module flag="required"
            code="org.jboss.security.auth.spi.DatabaseServerLoginModule">
...
I get the username of the connected user (using j_security_check) this way, through a managed bean:
......
username = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();
And then display it in a JSF page ...
Spring Security is a choice, I know, but I don't know how good it is with JSF 2.0! But, I do know, it is too complex.
Apache Shiro is also an ...
I've been asked by a freelancer friend of mine to join him on a JSF 2.0 project, and I'm slowly picking up speed and putting the pieces together. Coming from a ...
I have an .xhtml page in which I have tried both BalusC's suggestion here and also the following, without avoiding the OP's issue:
<meta http-equiv="refresh" content="#{session.maxInactiveInterval}"/>
Basically, I start ...
I am making a web app that has a login page (using Facelets with JSF 2.0) which checks credentials before redirecting to an isLoggedIn or error page. I have access to ...
I have been looking into several possible security solutions in the past days, in an attempt to secure my JSF application, and came across several frameworks (like JAAS, Shiro, ...
I have been looking for simple security for a simple JSF web site.
I found this solution: http://devgrok.blogspot.com/2009/07/access-control-using-phaselistener.html#comment-form
Many of the ideas in here are taken from the above link ...
Most of my security is handled in a servlet filter. That basically controls who can visit what page. Now what you probably want to know more about is how to display or not display certain components on a form depending on the role of the user viewing the page. So the security filter has already been hit and now it's up ...
The following code
<% String path = request.getContextPath(); String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/"; %>
works well for setting the base path relative to the server and application path. So you could just substitute request.getScheme() with https in some sort ...
I have an app which is currently being used by my company. It uses container based security with only one role (sufficient for now). I now have to come up with a new release that will allow our clients to use it as well, with a complex set of rules defining what they can and can't do with it. At the ...
Ok, I think I have a question for someone with a lot more knowledge of JSF than me. I'm creating an app with custom security and I want to make sure that there will only be one session per account at a time (or one session per account if it's a privileged account of some sort). I was thinking of scanning a ...
Hey guys, I've just had a search over the boards about implementing security in JSF and I'm still a little unsure about the best way to go about implementing security... My situation is that we are going to have a large number of users for our system... in the region of 400 we expect. Each user will have access to defined sections ...
Programmatic security is not considered the optimal way to secure applications. Programs can have bugs, and the last place you want bugs is in security. Plus, changing the security architecture requires rewriting the security code, and that often means modifying the application logic. Declarative security is preferable, where possible. Because, unlike program code, declarations have a fairly small number of possibilities, ...
38. Security coderanch.com