JSF and security

Kavya Anjali
Ranch Hand

Joined: Mar 23, 2006
Posts: 30
Does the Java Server Faces framework provide any security against unauthenticated access? I mean, is it possible for a hacker to gain control over the underlying resources (Web server, Database server etc.) through some vulnerability (manipulating URLs, etc.) in the JSF framework?

Thank you in advance for your suggestions...


SCJP 5.0
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15286

Does the Java Server Faces framework provide any security against unauthenticated access?

No

is it possible for a hacker to gain control over the underlying resources (Web server, Database server etc.) through some vulnerability (manipulating URLs, etc.) in the JSF framework?

No more than any other J2EE application/framework.


GenRocket - A Test Data Generation Platform
Kavya Anjali
Ranch Hand

Joined: Mar 23, 2006
Posts: 30
Thanks for the suggestions.

Also I wanted to know
1. Are there any shortcomings in JSF which a hacker can exploit and take undue advantage of?

2. Any best practices or conventions followed for providing secure JSF applications?

Thanks for the suggestions in advance
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15286

Originally posted by Kavya Anjali:
Thanks for the suggestions.

Also I wanted to know
1. Are there any shortcomings in JSF which a hacker can exploit and take undue advantage of?

2. Any best practices or conventions followed for providing secure JSF applications?

Thanks for the suggestions in advance


You do realize that JSF is just a framework that renders HTML to a browser, don't you? It's not Flash or ActiveX. Treat JSF applications just as you would any other web application when it comes to security.
Dhananjay Inamdar
Ranch Hand

Joined: Jan 27, 2003
Posts: 130
Hi Kavya,

If you want to attach authentication logic to your JSF page then you have some of the following options.

- In standard J2EE applications, Servlet Filter is an API to authenticate the user before displaying a desired page. This page may be .html, .jsp or a single resource on any page. You can use this API to authenticate the user.

- The JSF framework has its own lifecycle composed of many phases. You can add some authentication code in these phase-listeners also, which will authenticate the user before the 'restore view' phase of your JSF page.

- If you want to manage this in a declarative way then you can use Spring AOP and declare JSF's phase-listener method using a methodnamematching expression. Then this Aspect will get applied to each (appropriate) method of the life cycle and will authenticate the user.

All these and many other options are available to authenticate the user.

Cheers


Just like you, struggling to get the right solutions!
Sun Certified Java Programmer 1.5
Target - SCWCD
Kavya Anjali
Ranch Hand

Joined: Mar 23, 2006
Posts: 30
Thanks for the suggestions
 