
JSF and security

 
Kavya Anjali
Does the Java Server Faces framework provide any security against unauthenticated access? I mean, is it possible for a hacker to gain control over the underlying resources (Web server, Database server etc.) through some vulnerability (manipulating URLs, etc.) in the JSF framework?

Thank you in advance for your suggestions...
 
Gregg Bolinger
Does the Java Server Faces framework provide any security against unauthenticated access?

No

is it possible for a hacker to gain control over the underlying resources (Web server, Database server etc.) through some vulnerability (manipulating URLs, etc.) in the JSF framework?

No more than any other J2EE application/framework.
 
Kavya Anjali
Thanks for the suggestions.

Also I wanted to know:
1. Are there any shortcomings in JSF which a hacker can exploit and take undue advantage of?

2. Any best practices or conventions followed for providing secure JSF applications?

Thanks for the suggestions in advance.
 
Gregg Bolinger
Originally posted by Kavya Anjali:
Thanks for the suggestions.

Also I wanted to know:
1. Are there any shortcomings in JSF which a hacker can exploit and take undue advantage of?

2. Any best practices or conventions followed for providing secure JSF applications?

Thanks for the suggestions in advance.


You do realize that JSF is just a framework that renders HTML to a browser, don't you? It's not Flash or ActiveX. Treat JSF applications just as you would any other web application when it comes to security.
 
Dhananjay Inamdar
Hi Kavya,

If you want to attach authentication logic to your JSF page then you have some of the following options.

- In standard J2EE applications, Servlet Filter is an API to authenticate the user before displaying a desired page. This page may be .html, .jsp or a single resource on any page. You can use this API to authenticate the user.

- The JSF framework has its own lifecycle composed of many phases. You can add some authentication code in these phase-listeners also, which will authenticate the user before the 'restore view' phase of your JSF page.

- If you want to manage this in a declarative way then you can use Spring AOP and declare JSF's phase-listener method using a methodnamematching expression. Then this aspect will get applied to each (appropriate) method of the life cycle and will authenticate the user.

All these and many other options are available to authenticate the user.

Cheers
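
The first option in the post above, a Servlet Filter placed in front of the JSF pages, written out as an added example (not code from the thread or from any poster). It assumes Servlet 3.0+ and JSF 2 with the FacesServlet mapped to `*.xhtml`; the login view `/login.xhtml` and the session attribute `authenticatedUser` are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Runs before the FacesServlet, so no JSF view is restored or rendered for anonymous users.
@WebFilter("/*")
public class AuthenticationFilter implements Filter {

    // Hypothetical names: the login view and the session key set by the login bean.
    private static final String LOGIN_PATH = "/login.xhtml";
    private static final String USER_KEY = "authenticatedUser";
    // JSF 2 serves stylesheets, scripts and images under this prefix.
    private static final String RESOURCE_PREFIX = "/javax.faces.resource/";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() is decoded and stripped of path parameters by the container,
        // which makes it safer to match on than the raw request URI.
        String path = request.getServletPath();
        boolean isPublic = path.equals(LOGIN_PATH) || path.startsWith(RESOURCE_PREFIX);

        // getSession(false): never create a session just to find out there is no user.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;

        if (loggedIn || isPublic) {
            if (!isPublic) {
                // Keep protected pages out of caches so they are not shown after logout.
                response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            }
            chain.doFilter(request, response);
        } else {
            // Anything that is not explicitly public fails closed to the login view.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
        }
    }

    @Override
    public void destroy() { }
}
```

The filter only establishes that a user is logged in; which user may see which page or record still has to be checked in the application itself.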
 
Kavya Anjali
Thanks for the suggestions
 