On 16/07/2010 11:34 PM, Viktor Klang wrote:
> On Fri, Jul 16, 2010 at 3:21 PM, jitesh dundas <jbdun...@gmail.com> wrote:
>> JSF is good for security purposes and the reason that it is in
>> demand (again :)..) is the back-end security with integration that
>> makes life so easy..
> Sorry, but JSF has nothing when compared to Lift when it comes to
> security.
I have often meant to start off a thread on web frameworks when security
is an issue. The above statements intrigued me. What do people mean by
"security" in the above? Why is Lift more secure than JSF?
There are lots of aspects to security:
* Authentication schemes (e.g. single sign on with IE + AD, SAML, or
CAS, or fill in form versus HTTP basic authentication etc). How
radically do you have to change your code for each? (Is it all
abstracted away?)
* Have the framework and widgets been tested for vulnerabilities (cross
site scripting, output encoding, etc)? For example I remember a
cross site scripting vulnerability in a JSF component some time
back. With big frameworks (lots of widgets, JavaScript etc), how
do you ensure there are not such defects in them?
* Session identification and protection (random number cookies for
session management and relying on HTTPS to protect the tokens
seems pretty common)
* How to make sure sensitive data does not leak out. E.g. how to
guarantee session id values never appear on a URL.
* How easy is it to verify an application for correctness (can you
automate the security verification step, or is it manual code
inspection?)
I hear lots about how flexible or easy to use frameworks are, but not
much about how robust they are (or how tested/verified) from a security
perspective.
These days I think the security aspect would actually be my number one
consideration if I were personally choosing a new web framework (or RIA).
Is the Flex or JavaFX approach more secure than a web app
where you have to worry about input validation and output escaping? How
far do I trust Adobe technology (Flash) after all the Acrobat defects,
or JavaFX given how new it is? Fundamentally, the more complex the
technology (no matter what it is), the more security defects that are
likely.
Alan
PS: Just listened to an OWASP security podcast interview with some ex-army(?)
guy (now in industry). He asked "what is security". He went on to talk
about the marines, army, air force, navy, etc - each would have a
different interpretation of "securing a building" - (invade and kill
everyone, put a fence around, lock the doors when you leave, or sign a
new leasing agreement). That part was mildly amusing, but made a good
point - what do people *really* mean when they say "security"?
--
You received this message because you are subscribed to the Google Groups "The Java Posse" group.
To post to this group, send email to javapo...@googlegroups.com.
To unsubscribe from this group, send email to javaposse+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.