We are putting some websites open to all IP addresses using app servers.
We have successfully stayed well within JSTL and Struts.

My Google searches didn't get me to any open information on how to use Struts in a safe manner.
So, I had to start inventing the wheel. I hope I didn't spend this much effort to 'reinvent'.

Our Struts-based web applications here have survived the hack-vulnerability tools that the company uses.
I was the only one involved on the development side in getting the "secure" stamp of approval for these web applications.

I ended up creating a new struts-contrib based on this experience.
I am sending this email since, after a few trials, I feel that I have a reasonably simple approach to make the individual URLs/Actions pass the typical secure-web-site tests.

I thought maybe I could get feedback to improve my code, and as well let others benefit.

----------------------------------------

The basic motivation:
There should be very few changes to Struts applications to make them hacker-proof.
Also, this shouldn't change the way people design Struts applications.

There are java.security.policy issues that are orthogonal to this email, which I am not including here.

The entire details are in one nice HTML web page that I wrote up just for this:
http://mysite.verizon.net/sarma/GNU/SafeValidatorForm.html

Thanks.

Udaybhaskar Sarma Seetamraju
Standard & Poor's