Frans, if you want to throw darts at frameworks, I'm amazed that nobody mentioned the vulnerability from the Struts Ajax framework rival: "IceFaces IntervalRenderer not supporting isUserInRole()" https://www.owasp.org/index.php/Java_Server_Faces
(you can integrate ACEGI, but that's an afterthought)

J2EE containers usually front-end their app with a redirect to Apache w/mod_ssl (or possibly a SingleSignOnPortal). The most basic Java Security (JSSE) would implement Java Key Exchange with the user-supplied key; once the JSSE handshake is completed, the authenticated user (selected from ADS, LDAP or another NameServer) is assigned predefined roles (consequent access would be granted or denied by testing isUserInRole()).

Martin Gainty

> Date: Wed, 31 Jul 2013 14:10:23 +0100
> Subject: Re: Apple sec breach.. Struts?
> From: gkogk...@tcd.ie
> To: user@struts.apache.org
>
> Hi Vicky,
>
> the .action by itself in the URLs is a good hint. Furthermore, if you check
> the HTML source you'll probably find struts written somewhere, e.g., dojodivs
>
> Antonios
>
>
> On 31 July 2013 14:04, vicky b <vickyb2...@gmail.com> wrote:
>
> > I browsed through the Apple site; I could not find any clue that it was made in
> > Struts. Can you please let me know how the hacker recognized that it
> > was developed in Struts, and secondly how could he exactly hack it? Sorry if this
> > is out of scope for this forum.
> >
> >
> > On Wed, Jul 31, 2013 at 6:08 PM, Frans Thamura <fr...@meruvian.org> wrote:
> >
> > > Any Apple guy here?
> > >
> > > I just want to know how Struts is used there.
> > >
> > > I just know they use .action, which means Struts apps.
> > > On Jul 31, 2013 7:22 PM, "Christian Grobmeier" <grobme...@gmail.com>
> > > wrote:
> > >
> > > > I read that. I don't think we should do anything.
> > > >
> > > > The blog post is speculative. Nobody from Apple did tell us if it was
> > > > really a Struts problem or not. If it is, then well, we can't do
> > > > anything. This doesn't make Struts a dangerous framework at all, it
> > > > just highlights you should update when your framework provider
> > > > recommends it. It also highlights we are taking security issues
> > > > seriously.
> > > >
> > > > Also it should be mentioned that no company (to my knowledge) is in
> > > > any way supporting the development of Struts. Apple got a lot of
> > > > money; they could fund the development of the framework of their
> > > > choice. At least they should be able to roll out new security patches.
> > > >
> > > > Maybe others think differently, but except for continuing to improve
> > > > Struts, we cannot do anything about it.
> > > >
> > > >
> > > > On Wed, Jul 31, 2013 at 2:13 PM, Frans Thamura <fr...@meruvian.org>
> > > > wrote:
> > > > > Anyone read this?
> > > > >
> > > > > http://java.dzone.com/articles/was-struts-responsible-apples
> > > > >
> > > > > How do we handle this?
> > > > >
> > > > > F
> > > >
> > > > --
> > > > http://www.grobmeier.de
> > > > https://www.timeandbill.de
> >
> > --
> > *Thanks & Regards
> > Vickyb
> > *