Posted to user@struts.apache.org by Oscar <os...@gmail.com> on 2010/03/22 21:28:34 UTC

About bank application using Struts 2

Hi to all, right now I'm going to develop something like a bank application to
enable users to manage their accounts, transfer money, pay services and so
on, and really I have no experience developing applications like that (where
security is reeeeeally important), so I don't know if there is some book about
critical application development with Struts 2, or if you can give me some tips
to develop a secure application, also tips about Struts and SSL, or if you
know internet resources that talk about that.

Thanks in advance.

-- 
Oscar

RE: About bank application using Struts 2

Posted by adam pinder <ap...@hotmail.co.uk>.
 
Hibernate can use parameterised statements out of the box and handles the encoding of values to stop SQL injection.
 
You can use names like
 
   :orgId
 
in an SQL statement and set the value either with a set statement or by setting an object containing a getOrgId method, and Hibernate will call it for you.
 


----------------------------------------
> From: oscar.kalderon@gmail.com
> Date: Mon, 22 Mar 2010 15:59:37 -0600
> Subject: Re: About bank application using Struts 2
> To: user@struts.apache.org
>
> Thanks for the tips Wes, unfortunately we can't use Spring because the time,
> but i going to read about ssl in struts and the security in server
> (Glassfish in my case).
>
> For Martin, Hibernate doesn´t handle by default parametizered statements?
>
> 2010/3/22 Martin Gainty 
>
>>
>> implementing parameterised dynamic statements are of particular interest to
>> me..
>>
>> does anyone know how i can achieve paramterised dynamic statements with
>> hibernate??
>>
>>
>> Many Thanks to Wes for the advice on hardening Tomcat
>> Martin Gainty
>> ______________________________________________
>> Please do not modify or disrupt this transmission. Thank You
>>
>>
>>
>>
>>
>>
>>> Date: Mon, 22 Mar 2010 17:01:22 -0400
>>> Subject: Re: About bank application using Struts 2
>>> From: wesw@wantii.com
>>> To: user@struts.apache.org
>>>
>>> There are quite a few good books about general security practices for
>>> software development...
>>>
>>> There used to be a library that you can use to help secure your web-app
>>>
>>> ...looking...
>>>
>>> http://www.hdiv.org/
>>>
>>> They used to support an s2 plugin, but I'm not sure which version it
>>> works with.
>>>
>>> In general, you want to treat security as something you approach in
>>> layers. Obviously, you want to encrypt communications that might
>>> expose sensitive information (apply ssl), and you want to utilize an
>>> authentication and authorization mechanism (spring-security). After
>>> that, you want to treat all user input as unsafe/tainted (escape
>>> before displaying to other users, use parameterized sql statements
>>> rather than constructing strings of sql) and make sure that you pay
>>> close attention that you try not to put sensitive data on the URL
>>> string (using form method="GET" for form-based authentication).
>>>
>>> In addition, it may not hurt and would probably be worth the money to
>>> involve a security professional to perform audits or to participate in
>>> code reviews. There are new attack mechanisms that crop up all the
>>> time and a lot of times security pros can point out things that you
>>> didn't know where potential problems.
>>>
>>> Lastly, make sure you secure your application server... There is a
>>> guide to hardening Tomcat here -
>>>
>>>
>> http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache
>>>
>>> If you are not using tomcat, make sure you know enough about your
>>> application server that you don't open up attack vectors at the
>>> server.
>>>
>>> -Wes
>>>
>>> On Mon, Mar 22, 2010 at 4:28 PM, Oscar wrote:
>>>> Hi to all, right now i'm going to develop something like bank
>> application to
>>>> enable users to manage their accounts, transfer money, pay services and
>> so
>>>> on, and really i have no experience developing applications like that
>> (where
>>>> security is reeeeeally important) so i don't know if exists some book
>> about
>>>> critical applications development with struts 2 or you can give me some
>> tips
>>>> to develop a secure application, also tips about struts and ssl, or if
>> you
>>>> know internet resources that talk about that.
>>>>
>>>> Thanks in advance.
>>>>
>>>> --
>>>> Oscar
>>>>
>>>
>>>
>>>
>>> --
>>> Wes Wannemacher
>>>
>>> Head Engineer, WanTii, Inc.
>>> Need Training? Struts, Spring, Maven, Tomcat...
>>> Ask me for a quote!
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>>> For additional commands, e-mail: user-help@struts.apache.org
>>>
>>
>>
>
>
>
>
> --
> Oscar 		 	   		  


Re: About bank application using Struts 2

Posted by Oscar <os...@gmail.com>.
Thanks for the tips Wes, unfortunately we can't use Spring because of the time,
but I am going to read about SSL in Struts and the security in the server
(Glassfish in my case).

For Martin, doesn't Hibernate handle parameterized statements by default?

2010/3/22 Martin Gainty <mg...@hotmail.com>

>
> implementing parameterised dynamic statements are of particular interest to
> me..
>
> does anyone know how i can achieve paramterised dynamic statements with
> hibernate??
>
>
> Many Thanks to Wes for the advice on hardening Tomcat
> Martin Gainty
> ______________________________________________
> Please do not modify or disrupt this transmission. Thank You
>
>
>
>
>
>
> > Date: Mon, 22 Mar 2010 17:01:22 -0400
> > Subject: Re: About bank application using Struts 2
> > From: wesw@wantii.com
> > To: user@struts.apache.org
>  >
> > There are quite a few good books about general security practices for
> > software development...
> >
> > There used to be a library that you can use to help secure your web-app
> >
> > ...looking...
> >
> > http://www.hdiv.org/
> >
> > They used to support an s2 plugin, but I'm not sure which version it
> > works with.
> >
> > In general, you want to treat security as something you approach in
> > layers. Obviously, you want to encrypt communications that might
> > expose sensitive information (apply ssl), and you want to utilize an
> > authentication and authorization mechanism (spring-security). After
> > that, you want to treat all user input as unsafe/tainted (escape
> > before displaying to other users, use parameterized sql statements
> > rather than constructing strings of sql) and make sure that you pay
> > close attention that you try not to put sensitive data on the URL
> > string (using form method="GET" for form-based authentication).
> >
> > In addition, it may not hurt and would probably be worth the money to
> > involve a security professional to perform audits or to participate in
> > code reviews. There are new attack mechanisms that crop up all the
> > time and a lot of times security pros can point out things that you
> > didn't know where potential problems.
> >
> > Lastly, make sure you secure your application server... There is a
> > guide to hardening Tomcat here -
> >
> >
> http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache
> >
> > If you are not using tomcat, make sure you know enough about your
> > application server that you don't open up attack vectors at the
> > server.
> >
> > -Wes
> >
> > On Mon, Mar 22, 2010 at 4:28 PM, Oscar <os...@gmail.com> wrote:
> > > Hi to all, right now i'm going to develop something like bank
> application to
> > > enable users to manage their accounts, transfer money, pay services and
> so
> > > on, and really i have no experience developing applications like that
> (where
> > > security is reeeeeally important) so i don't know if exists some book
> about
> > > critical applications development with struts 2 or you can give me some
> tips
> > > to develop a secure application, also tips about struts and ssl,  or if
> you
> > > know internet resources that talk about that.
> > >
> > > Thanks in advance.
> > >
> > > --
> > > Oscar
> > >
> >
> >
> >
> > --
> > Wes Wannemacher
> >
> > Head Engineer, WanTii, Inc.
> > Need Training? Struts, Spring, Maven, Tomcat...
> > Ask me for a quote!
> >
> >
>




-- 
Oscar

RE: About bank application using Struts 2

Posted by Martin Gainty <mg...@hotmail.com>.
Implementing parameterised dynamic statements is of particular interest to me..

Does anyone know how I can achieve parameterised dynamic statements with Hibernate??


Many Thanks to Wes for the advice on hardening Tomcat
Martin Gainty 
______________________________________________ 
Please do not modify or disrupt this transmission. Thank You



 


> Date: Mon, 22 Mar 2010 17:01:22 -0400
> Subject: Re: About bank application using Struts 2
> From: wesw@wantii.com
> To: user@struts.apache.org
> 
> There are quite a few good books about general security practices for
> software development...
> 
> There used to be a library that you can use to help secure your web-app
> 
> ...looking...
> 
> http://www.hdiv.org/
> 
> They used to support an s2 plugin, but I'm not sure which version it
> works with.
> 
> In general, you want to treat security as something you approach in
> layers. Obviously, you want to encrypt communications that might
> expose sensitive information (apply ssl), and you want to utilize an
> authentication and authorization mechanism (spring-security). After
> that, you want to treat all user input as unsafe/tainted (escape
> before displaying to other users, use parameterized sql statements
> rather than constructing strings of sql) and make sure that you pay
> close attention that you try not to put sensitive data on the URL
> string (using form method="GET" for form-based authentication).
> 
> In addition, it may not hurt and would probably be worth the money to
> involve a security professional to perform audits or to participate in
> code reviews. There are new attack mechanisms that crop up all the
> time and a lot of times security pros can point out things that you
> didn't know where potential problems.
> 
> Lastly, make sure you secure your application server... There is a
> guide to hardening Tomcat here -
> 
> http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache
> 
> If you are not using tomcat, make sure you know enough about your
> application server that you don't open up attack vectors at the
> server.
> 
> -Wes
> 
> On Mon, Mar 22, 2010 at 4:28 PM, Oscar <os...@gmail.com> wrote:
> > Hi to all, right now i'm going to develop something like bank application to
> > enable users to manage their accounts, transfer money, pay services and so
> > on, and really i have no experience developing applications like that (where
> > security is reeeeeally important) so i don't know if exists some book about
> > critical applications development with struts 2 or you can give me some tips
> > to develop a secure application, also tips about struts and ssl,  or if you
> > know internet resources that talk about that.
> >
> > Thanks in advance.
> >
> > --
> > Oscar
> >
> 
> 
> 
> -- 
> Wes Wannemacher
> 
> Head Engineer, WanTii, Inc.
> Need Training? Struts, Spring, Maven, Tomcat...
> Ask me for a quote!
> 
> 
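Martin asks above how to get parameterised dynamic statements out of Hibernate, and Adam's reply earlier on the page describes the mechanism: named placeholders such as :orgId that are bound either by a set call or from a bean's getter. The following is an added example written for this thread, not code from any of the posters or from Hibernate or Struts. Account, AccountDao, AccountFilter and the orgId/balance fields are assumed names; it uses the Hibernate 3 Session and Query API that was current when the thread was written. It also goes one step past Adam's answer to show a query whose shape varies with the filters supplied while every user-supplied value is still bound as a parameter.

```java
import java.math.BigDecimal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.hibernate.Query;
import org.hibernate.Session;

// Assumed entity "Account" with fields orgId (String) and balance (BigDecimal).
public class AccountDao {
    private final Session session;

    public AccountDao(Session session) {
        this.session = session;
    }

    // UNSAFE (shown only for contrast): the value is spliced into the HQL text,
    // so the caller controls the query structure, not just a value in it.
    public List<?> findByOrgUnsafe(String orgId) {
        String hql = "from Account a where a.orgId = '" + orgId + "'";
        return session.createQuery(hql).list();
    }

    // SAFE: named parameter bound with a set call. Hibernate passes the value
    // through a JDBC PreparedStatement, so its content never alters the query.
    public List<?> findByOrg(String orgId) {
        Query q = session.createQuery("from Account a where a.orgId = :orgId");
        q.setParameter("orgId", orgId);
        return q.list();
    }

    // SAFE: the same query, with parameters read from a bean. Hibernate calls
    // getOrgId() on the filter object to fill the :orgId placeholder.
    public List<?> findByOrg(AccountFilter filter) {
        return session.createQuery("from Account a where a.orgId = :orgId")
                      .setProperties(filter)
                      .list();
    }

    // "Dynamic" statement: which clauses appear depends on which filters the
    // caller supplied, but the HQL text itself is built only from constants;
    // every user-controlled value goes in through setParameter.
    public List<?> search(String orgId, BigDecimal minBalance) {
        StringBuilder hql = new StringBuilder("from Account a where 1 = 1");
        Map<String, Object> params = new HashMap<String, Object>();
        if (orgId != null) {
            hql.append(" and a.orgId = :orgId");
            params.put("orgId", orgId);
        }
        if (minBalance != null) {
            hql.append(" and a.balance >= :minBalance");
            params.put("minBalance", minBalance);
        }
        Query q = session.createQuery(hql.toString());
        for (Map.Entry<String, Object> e : params.entrySet()) {
            q.setParameter(e.getKey(), e.getValue());
        }
        return q.list();
    }

    // Assumed filter bean; the getter name must match the placeholder name.
    public static class AccountFilter {
        private final String orgId;

        public AccountFilter(String orgId) {
            this.orgId = orgId;
        }

        public String getOrgId() {
            return orgId;
        }
    }
}
```

The point of the search method is the one Martin is after: "dynamic" means the set of clauses changes, not that values are concatenated. Column and entity names in the appended fragments are fixed strings chosen by the code, so a placeholder is used for every value the caller can influence.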

Re: About bank application using Struts 2

Posted by Wes Wannemacher <we...@wantii.com>.
There are quite a few good books about general security practices for
software development...

There used to be a library that you can use to help secure your web-app

...looking...

http://www.hdiv.org/

They used to support an s2 plugin, but I'm not sure which version it
works with.

In general, you want to treat security as something you approach in
layers. Obviously, you want to encrypt communications that might
expose sensitive information (apply SSL), and you want to utilize an
authentication and authorization mechanism (spring-security). After
that, you want to treat all user input as unsafe/tainted (escape
before displaying to other users, use parameterized SQL statements
rather than constructing strings of SQL) and make sure that you pay
close attention that you try not to put sensitive data on the URL
string (using form method="GET" for form-based authentication).

In addition, it may not hurt and would probably be worth the money to
involve a security professional to perform audits or to participate in
code reviews. There are new attack mechanisms that crop up all the
time, and a lot of times security pros can point out things that you
didn't know were potential problems.

Lastly, make sure you secure your application server... There is a
guide to hardening Tomcat here -

http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache

If you are not using Tomcat, make sure you know enough about your
application server that you don't open up attack vectors at the
server.

-Wes

On Mon, Mar 22, 2010 at 4:28 PM, Oscar <os...@gmail.com> wrote:
> Hi to all, right now i'm going to develop something like bank application to
> enable users to manage their accounts, transfer money, pay services and so
> on, and really i have no experience developing applications like that (where
> security is reeeeeally important) so i don't know if exists some book about
> critical applications development with struts 2 or you can give me some tips
> to develop a secure application, also tips about struts and ssl,  or if you
> know internet resources that talk about that.
>
> Thanks in advance.
>
> --
> Oscar
>



-- 
Wes Wannemacher

Head Engineer, WanTii, Inc.
Need Training? Struts, Spring, Maven, Tomcat...
Ask me for a quote!

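Two of the layers Wes lists above, escaping untrusted text before it is displayed and keeping form-based authentication off the URL, can be enforced in code rather than by convention. The following servlet filter is an added example for this thread, not code from Wes, Struts or any real project. It assumes the login form posts to "/login.action" (a hypothetical path that you map the filter to in web.xml) and uses only the standard javax.servlet API; the policy check and the escaper are kept as static methods so they can be unit-tested without a container.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Map this filter to the login URL (assumed "/login.action") in web.xml.
public class LoginTransportFilter implements Filter {

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAcceptableLoginRequest(request.getMethod(), request.isSecure())) {
            // A GET login has already placed the credentials on the URL, where
            // access logs, browser history and Referer headers record them, and
            // a plain-HTTP POST exposes them on the wire. Reject the request so
            // the form gets fixed instead of the weak submission being tolerated.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Policy: credentials are accepted only in a POST body over TLS.
    // request.isSecure() is true when the container received the request over
    // HTTPS (or a correctly configured proxy told it so).
    static boolean isAcceptableLoginRequest(String method, boolean secure) {
        return "POST".equalsIgnoreCase(method) && secure;
    }

    // Escape untrusted text before echoing it into HTML. Struts 2 tags such as
    // <s:property> escape by default; a helper like this (or commons-lang's
    // StringEscapeUtils.escapeHtml) is for the places where HTML is written
    // from Java directly.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

Transport encryption itself is better declared than coded: a security-constraint with transport-guarantee CONFIDENTIAL in web.xml makes the container (Glassfish in Oscar's case) redirect plain HTTP to HTTPS for the protected paths, and the filter above then only has to confirm that the request actually arrived that way.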