Security concerns in DWR

Ghulam Rasool Raja
Greenhorn

Joined: Mar 10, 2007
Posts: 10
I would like to know what the security concerns pertaining to DWR are. I know that by using DWR we expose our Java class methods, which are called by the browser through JavaScript.
Is there a possibility of script injection and getting hold of some methods and doing some hanky-panky stuff?
How can we be sure that our code is safe and that no one will be able to penetrate?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42918
I know that by using DWR we expose our java class methods which are called by the browser thru Javascript.

DWR uses HTTP requests to access the server like any other web app, meaning the exposure of server-side code is the same (which is to say, Java methods are not exposed at all).

Is there a possibility of script injection and getting hold of some methods and do some hanky panky stuff?

Any time HTTP requests are being made the possibility of script or SQL injection exists. In this regard DWR (and other AJAX libraries) aren't different from any other web app, and you need to take the same precautions. The http://faq.javaranch.com/java/SecurityFaq points to some good reads about building secure web apps.
Frank Zammetti
Ranch Hand

Joined: Dec 16, 2004
Posts: 136
There are a couple of security considerations, but the bottom line is that DWR takes security VERY seriously, and Joe Walker is a very knowledgeable guy when it comes to security, and I personally feel better about leaving my app's security in his hands than in any other AJAX library I've seen.

Now, more specifically, DWR does some things to deal with things like cross-site scripting and script injection. I'm frankly not qualified to go into detail on those things, but I know they're there.

DWR also lets you only expose the things you want to expose, and by default exactly ZERO classes are exposed through DWR; you have to explicitly allow DWR to remote a class... although, by default, when you say class A can be called via DWR it allows *any* method of said class to be called, so you have to remember that. It's very easy to reverse that policy and make only those methods you want exposed be callable.

DWR also ties in with J2EE security roles, so you can tie execution of arbitrary methods to users in given role(s). I *believe* I saw integration with Acegi also is possible, but I have no knowledge of that.

I think security with DWR is like most things, but only better: by default it's probably safer than many other things, but you *can* screw yourself without trying too hard.


--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM/Yahoo: fzammetti
MSN: fzammetti@hotmail.com
Author of "Practical Ajax Projects With Java Technology" (2006, Apress, ISBN 1-59059-695-1)
and "JavaScript, DOM Scripting and Ajax Projects" (2007, Apress, ISBN 1-59059-816-4)
Java Web Parts - http://javawebparts.sourceforge.net
Supplying the wheel, so you don't have to reinvent it!
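To make the two points above concrete (expose only the methods you intend, and tie those methods to J2EE security roles), here is a dwr.xml fragment written as an added example for this thread; it is not from the original posts or from the DWR project itself. The class name com.example.AccountService, the JavaScript proxy name AccountService, the method names and the role name "customer" are all assumed for illustration. The element names (create, param, include, exclude, auth) are the DWR 2.x dwr.xml vocabulary.

```xml
<!DOCTYPE dwr PUBLIC "-//GetAhead Limited//DTD Direct Web Remoting 2.0//EN"
    "http://getahead.org/dwr/dwr20.dtd">
<dwr>
  <allow>
    <!-- Nothing is remoted until a <create> element names a class.
         Hypothetical class and proxy name used here for illustration. -->
    <create creator="new" javascript="AccountService">
      <param name="class" value="com.example.AccountService"/>

      <!-- As soon as one <include> is present, the default flips:
           only the listed methods are callable from the browser.
           Every other public method of the class is no longer reachable,
           which is the "reverse that policy" step from the post above. -->
      <include method="getBalance"/>
      <include method="listRecentTransactions"/>

      <!-- Role check enforced server-side by DWR on each call, using the
           container's J2EE security roles (request.isUserInRole). A caller who
           is not in "customer" is refused even if the method is included. -->
      <auth method="getBalance" role="customer"/>
      <auth method="listRecentTransactions" role="customer"/>

      <!-- An explicit <exclude> is the alternative when you want "everything
           except these"; with <include> present it is redundant, but it
           documents intent for sensitive administrative methods. -->
      <exclude method="closeAccount"/>
    </create>
  </allow>
</dwr>
```

Two caveats worth keeping in mind when reviewing such a file: the include list only controls which methods are reachable, so each included method still has to validate its own parameters (the injection point Ulf describes is the method argument, not the transport), and the role check relies on the container having authenticated the user before the DWR servlet is reached, so the DWR URL must sit inside a security-constraint in web.xml just like any other protected resource.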