Security of JForum

Migrated From
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424

On your homepage you state that JForum is "very secure". What exactly does this mean? Can administrators only log in using https to avoid sending passwords in plaintext through the internet? Or should they install a client-certificate instead?

After logging in a few minutes ago, I was very surprised that no e-mail validation happened. So how can I prevent my forum from being flooded by spam?

[originally posted on by camper]
Migrated From
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
There is security at the application level and security at the web level. HTTPS is security at the web level. You can't use it unless your web server has a certificate, either the private or "trusted" kind. As to individual Certificates... that's more of a web / security level issue as well. Don't know of any general application that supports that.

Of course, since JForum has an SSO mechanism, you can front-end it with any web-based security mechanism you feel you need for security.

As to other features:

E-mail validation on registration - can be turned on or off. Requires a good SMTP service, which Raphael opted not to maintain for this server.

Captcha (enter phrase from image) - can be turned on for either / both registration and new posts.

Overall / Specific Group security - The group permissions can be used to define anything from the level of "anonymous" access you want to having specific people only see specific forums, etc. Plus things like searching have been set up to honor the security constraints as well.
[originally posted on by monroe]
Migrated From
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Another security feature could be that it's most likely not responding to SQL injection trials ... ^^

... considering how many apps on the web had such a leak... that's rather something good ;) Even phpBB at some point like last year still had an SQL injection flaw for several pages.
[originally posted on by Sid]