InfoQ

News

HDIV 2.0: Security framework now integrates with Spring MVC and JSTL

Posted by Ryan Slobojan on Sep 14, 2007 10:00 AM

Community
Java
Topics
Web Frameworks ,
Security ,
Open Source
Tags
JSF ,
HDIV ,
Struts ,
Spring

HDIV, an open-source web application security framework, recently released version 2.0. InfoQ spoke with HDIV project lead Roberto Velasco Sarasola to learn more about this release.

Sarasola described HDIV as a Java web application security framework which aims to prevent most of the common types of web application vulnerabilities, such as SQL injection, cross-site scripting, and parameter tampering. HDIV assumes that any remote HTTP client request can be an attack vector, and sets about validating that the request is not an attack of some sort - it is meant to address the gaps which exist in the validation strategies of existing frameworks:

Current web frameworks offer some validation functionalities but many times they are not enough to cover common validation needs. For example, if you have a link in your web application such as http://www.myhost.com/action1.do?account=56 to read information about the account number 56, how can you guarantee that a client doesn't update this value to be able to check someone else's account, for example account=40?

With standard security validators (more suitable for editable data validation), it's not possible to check that and you need to create custom validations. For example, including an account id at HttpSession or using user identity in the SQL executed in the database. This security problem, known as instance level security, it's very hard to solve because within a web application there are thousands of similar request that need to be validated.

Sarasola described the capabilities that HDIV provides to combat these sorts of vulnerabilities:

  • Data Integrity - HDIV guarantees that any server-generated, read-only data (e.g. hidden fields) are not edited on the client to avoid parameter tampering attacks
  • Editable Data Validation - HDIV analyzes all editable fields to remove cross-site scripting and SQL injection attacks
  • Data Confidentiality - HDIV makes non-editable data confidential by obfuscating parameter names and values, thus preventing internal data like column names or web directories from being exposed to the client
  • Detailed Attack Logging - HDIV logs information abut every attack it detects, providing information such as URL, username, IP address, and attack type

HDIV is integrated into a Java web application through the use of custom JSP tags which are substituted for the normal link and form tags. An HDIV web filter is then inserted into the application's web.xml, and validation is then automatically performed on all requests. In previous versions HDIV supported Struts 1.x and Struts 2.x, however this release now also supports Spring MVC 2.0 and JSTL. Support for these new frameworks was added by extending the Spring and JSTL tags themselves to add in the HDIV functionality - neither the core HDIV libraries nor the web filter required any changes to support them. Also, since Spring and Struts are both action-based frameworks, from HDIV's perspective they are very similar - Sarasola said the biggest challenge has been extending the framework tags themselves because extension points are poorly defined or nonexistent on the tags. He also expressed hope that framework developers would add well-defined extension points to tags to enable other framework developers to integrate with them more easily.

Sarasola was also asked what the future held for HDIV, and he described a plan for webflow integration:

Currently HDIV supports three state management strategies. On the memory and hash strategies HDIV stores an object (state) at the server side for each possible request processed within a JSP (one of each link or form). From a scalability point of view it's interesting to limit the size of the server side cache. In the current release it's possible to define a maximum cache size but many times it's difficult to define an appropriate number because it depends on the application.

We thought about Webflow to solve this problem, because it provides a way to logically divide clients navigation. Thus, HDIV will use webflow listeners capabilities to decide when to delete objects from the cache.

Another interesting feature it's to add automatically the webflow execution key to each link or form using HDIV's custom tags. Now within Struts, Struts 2 and Spring MVC applications we have to add this id manually and we would like to automatize this task.

He also indicated that support for WebWork, Stripes and JSF are planned.

Related Sponsor

The Adobe Flash Platform provides everything you need to develop applications, content and video across operating systems and devices.

No comments

Watch Thread Reply

Educational Content

Bindings, Platforms, and Innovation

This presentation focuses on the Internet and separating myth from fact, history from the future, and the mundane from the imaginative. Bob Frankston presents a vision of what could and should be.

  •  Jul 02, 2009,
  •  

Orchestrating Long Running Activities with JBoss / JBPM

This article explores the use of JBoss and jBPM to implement design solutions that effectively address the issue of orchestrating long running activities.

  •  Jul 01, 2009,
  •  

Neo4j - The Benefits of Graph Databases

This presentation covers the use of graph databases as an optimal solution for data that is difficult to fit in static tables, rapidly evolving data or data that has a lot of optional attributes.

Realistic about Risk: Software development with Real Options

This session introduces Real Options and shows how it can help in running your project. Real Options is a decision-making process that can be used to manage risk.

  •  Jun 30, 2009,
  •  

Communication Flexibility Using Bindings

This article discusses the use of bindings on services and references (including the instance of non-configured bindings) as the means to implement SCA communications in a Web and SOA environment.

  •  Jun 30, 2009,
  •  

Writing DSLs in Groovy

After a short introduction to DSLs, Scott Davis plays with the keyboard showing how to approach the creation of a DSL by typing working snippets of Groovy code that get executed.

Scaling Agile with C/ALM (Collaborative Application Lifecycle Management)

IBM Rational and InfoQ present, Scaling Agile with C/ALM, an eBook showing organizations how to become “finely tuned software delivery machines” by enabling team integration and scaling.

Concurrent Programming with Microsoft F#

Amanda Laucher presents a real life enterprise application written in F#. She shows actual code snippets, explaining design decisions and suggesting how to use some of the F# constructs.