
Re: JSP Security - Limiting URL's

From: Andrew Jaquith <ajaquith(at)atstake.com>
Date: Tue Dec 10 2002 - 09:39:28 EST

The author is correct in suggesting that order & flow should be managed external to the presentation pages. But I agree with Jeff that the code is a bit difficult to follow.

For those of you keeping score at home, the approach outlined by the author ought to look suspiciously like Model-View-Controller aka Model 2. But this begs a little question: why roll your own when there are some good ones out there already? Jakarta Struts is the dominant one; Jakarta Turbine is another. Webwork has a number of fans because it is fairly simple.

I can sense the author's guilty feelings oozing out of the last paragraph: "The JSP application framework that I presented in this column is designed to be simple [not], secure [unproven], and verifiable [huh?]... However, there are other more general, powerful, and comprehensive application frameworks that you can use. The Struts framework of the Apache-Jakarta project <http://jakarta.apache.org/struts/index.html> is an example of the latter. Struts goes beyond a simple state machine to provide extensive support for the Model-View-Controller paradigm."

So on balance I am not sure that the article adds too much value. The community (and particularly newbie MVC developers) would be better served if the examples were tailored to one of the existing MVC frameworks. That said, it's great to see more security-conscious articles coming out of the mainstream Java outlets.

Andrew

Jeff Williams @ Aspect wrote:

>If you have a site (or part of a site) where users are supposed to

-- 
Andrew Jaquith
Program Director
@stake, Inc.
196 Broadway
Cambridge, MA 02139 USA

Direct:  617.768.2711
Mobile:  617.501.3278
Fax:     617.621.1478
Email:   ajaquith@atstake.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x898CF546
Received on Tue Dec 10 10:00:47 2002
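An added illustration of the point the message endorses, keeping page order and flow under a controller rather than inside the JSPs. This is example code written for this archive page; it is not the column's framework, nor Struts, Turbine or WebWork code. The `/flow/*` servlet mapping, the checkout step names and the `/WEB-INF/jsp/` page paths are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Hypothetical front controller. Every request arrives through the assumed
 * web.xml mapping /flow/*. The JSPs live under /WEB-INF/jsp/, which the
 * container never serves directly, so the only route to a page is a forward
 * from this servlet after the flow check has passed. The presentation pages
 * therefore contain no ordering logic at all.
 */
public class FlowController extends HttpServlet {
    private static final String STATE_KEY = "flow.state";

    // Allowed transitions of the assumed checkout flow: current step -> permitted next steps.
    private static final Map<String, Set<String>> TRANSITIONS = Map.of(
        "start",   Set.of("cart"),
        "cart",    Set.of("address", "start"),
        "address", Set.of("payment", "cart"),
        "payment", Set.of("confirm", "address"),
        "confirm", Set.of("start"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The requested step is the path after the mapping: /flow/payment -> "payment".
        String path = req.getPathInfo();
        String requested = (path == null || path.equals("/")) ? "start" : path.substring(1);

        HttpSession session = req.getSession(true);
        String current = (String) session.getAttribute(STATE_KEY);
        if (current == null) {
            current = "start";
        }

        if (!isAllowed(current, requested)) {
            // Out-of-order request (bookmark, typed URL, replayed form): log it and refuse.
            // Nothing is forwarded, so the JSP for a later step is never rendered early.
            log("flow violation: session " + session.getId() + " at '" + current
                + "' requested '" + requested + "'");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Advance the server-side state only after the check, then render the page.
        // 'requested' is always one of the names in TRANSITIONS here, so the forward
        // target cannot be steered to an arbitrary path.
        session.setAttribute(STATE_KEY, requested);
        req.getRequestDispatcher("/WEB-INF/jsp/" + requested + ".jsp").forward(req, resp);
    }

    /** A step is allowed if it is the current step (a reload) or a listed successor. */
    static boolean isAllowed(String current, String requested) {
        if (requested.equals(current)) {
            return true;
        }
        Set<String> next = TRANSITIONS.get(current);
        return next != null && next.contains(requested);
    }
}
```

The state lives in the session, not in a hidden form field or a URL parameter, so a user cannot skip to `/flow/confirm` by editing what the browser sends; the controller is the single place where the permitted order is written down, which is also what makes it reviewable.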

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT
