Security concerns in DWR

 
Greenhorn:
I would like to know what the security concerns pertaining to DWR are. I know that by using DWR we expose our Java class methods, which are called by the browser through JavaScript.
Is there a possibility of script injection, getting hold of some methods and doing some hanky-panky stuff?
How can we be sure that our code is safe and that no one will be able to penetrate it?
 
Rancher:

> I know that by using DWR we expose our Java class methods, which are called by the browser through JavaScript.

DWR uses HTTP requests to access the server like any other web app, meaning the exposure of server-side code is the same (which is to say, Java methods are not exposed at all).

> Is there a possibility of script injection, getting hold of some methods and doing some hanky-panky stuff?

Any time HTTP requests are being made, the possibility of script or SQL injection exists. In this regard DWR (and other AJAX libraries) aren't different from any other web app, and you need to take the same precautions. The http://faq.javaranch.com/java/SecurityFaq points to some good reads about building secure web apps.
 
Ranch Hand:
There are a couple of security considerations, but the bottom line is that DWR takes security VERY seriously, and Joe Walker is a very knowledgeable guy when it comes to security; I personally feel better about leaving my app's security in his hands than in any other AJAX library I've seen.

Now, more specifically, DWR does some things to deal with things like cross-site scripting and script injection. I'm frankly not qualified to go into detail on those things, but I know they're there.

DWR also lets you expose only the things you want to expose, and by default exactly ZERO classes are exposed through DWR; you have to explicitly allow DWR to remote a class... although, by default, when you say class A can be called via DWR it allows *any* method of said class to be called, so you have to remember that. It's very easy to reverse that policy and make only those methods you want exposed callable.

DWR also ties in with J2EE security roles, so you can tie execution of arbitrary methods to users in given role(s). I *believe* I saw that integration with Acegi is also possible, but I have no knowledge of that.

I think security with DWR is like most things, only better: by default it's probably safer than many other things, but you *can* screw yourself without trying too hard.
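
As an added example (not code from this thread or from the DWR project; the class, method and role names are made up for illustration), here is a dwr.xml that applies the policy described in the reply above: nothing is remoted unless it is listed, only the named methods of the listed class are callable from the browser, and one of them is further restricted to a J2EE security role.

```xml
<!DOCTYPE dwr PUBLIC "-//GetAhead Limited//DTD Direct Web Remoting 2.0//EN"
    "http://getahead.org/dwr/dwr20.dtd">
<dwr>
  <allow>
    <!-- Nothing is remoted unless it appears under <allow>. This entry
         exposes the hypothetical com.example.AccountService under the
         JavaScript name "AccountService" (assumed names, not real code). -->
    <create creator="new" javascript="AccountService">
      <param name="class" value="com.example.AccountService"/>

      <!-- Without any <include>, every public method of the class would be
           callable from the browser. Listing methods flips the policy to
           allow-listing: only these two can be invoked; anything else is
           refused before the Java method runs. -->
      <include method="getBalance"/>
      <include method="transfer"/>

      <!-- Tie a method to a J2EE security role. DWR consults the servlet
           container's role check (isUserInRole) before dispatching. -->
      <auth method="transfer" role="customer"/>
    </create>

    <!-- Beans returned to the browser must also be listed before DWR will
         marshal them; com.example.Balance is an assumed return type. -->
    <convert converter="bean" match="com.example.Balance"/>
  </allow>
</dwr>
```

The `javascript` attribute is the name the browser side calls (for example `AccountService.getBalance(callback)`); a call to a method that is not under `<include>` is rejected by DWR rather than executed. The allow-list only decides which methods DWR will dispatch to; the parameters of `getBalance` and `transfer` still arrive from the browser and must be validated inside the method exactly as with any other servlet input.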
 