JSP Security

 
obaid abbassi
Ranch Hand
Posts: 118

From the security point of view, is JSP still good to use today? Can we still use it in the backend? Please guide me.
 
Tim Moores
Bartender
Posts: 7488

JSP is a view templating engine - there's nothing specifically about it that would have much of a negative impact on security. But any technology can be used in an unsafe way (whereas not all can be used in a safe way).

But there are a lot of things that web apps in general, and Java web apps in particular, should do to be secure. Some starting points can be found at https://coderanch.com/wiki/659873/Security-FAQ
 
Houssam El
Ranch Hand
Posts: 180

obaid abbassi wrote: From the security point of view, is JSP still good to use today? Can we still use it in the backend? Please guide me.

JSP is more secure when you've used it with the Standard Tag Library (JSTL, for brevity); it secures the website from being attacked using cross-site scripting (XSS) as well as SQL injection, according to a book named Murach Servlet API and JSP. In addition, JSP is good to use for interactive websites.

 
Tim Moores
Bartender
Posts: 7488

Houssam El wrote: JSP is more secure when you've used it with the Standard Tag Library (JSTL, for brevity); it secures the website from being attacked using cross-site scripting (XSS) as well as SQL injection, according to a book named Murach Servlet API and JSP

It is perfectly possible to create a web site that has XSS problems with JSTL (although when used properly it can help avoid those).

As to SQL injection, JSP does not protect against those. Nor could it, since DB operations are executed in backing beans or servlets, not in JSPs.

But these are just two of the more common security issues with web apps, there are many more to watch out for.
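To make the two points above concrete, here is an added example (not code from the thread or from the Murach book): one JSP page with the unsafe output forms beside the JSTL forms, plus the two contexts where `c:out` alone is not enough. The request parameter name `q` and the attack payload in the comment are assumptions constructed for illustration.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%--
  Added example, not from the thread. Assumed input: request parameter "q",
  e.g. the constructed payload   q = <script>alert(document.cookie)</script>
--%>
<!DOCTYPE html>
<html>
<head><title>Search</title></head>
<body>

<%-- VULNERABLE: a scriptlet expression and a bare EL expression both write the
     raw parameter into the page, so the payload becomes a live script element. --%>
<p>You searched for: <%= request.getParameter("q") %></p>
<p>You searched for: ${param.q}</p>

<%-- VULNERABLE: JSTL is present, but escapeXml="false" turns the protection off.
     This is the usual way a page that "uses JSTL" still ends up with XSS. --%>
<p>You searched for: <c:out value="${param.q}" escapeXml="false"/></p>

<%-- SAFE for HTML text and for quoted attribute values: c:out escapes
     < > & ' " by default, so the browser shows the payload as plain text. --%>
<p>You searched for: <c:out value="${param.q}"/></p>
<input type="text" name="q" value="<c:out value='${param.q}'/>">

<%-- URL context: HTML escaping is not URL encoding. Build the link with c:url
     and c:param (which percent-encodes the value), then escape the result
     because it is being placed in an HTML attribute. --%>
<c:url var="again" value="/search">
  <c:param name="q" value="${param.q}"/>
</c:url>
<a href="<c:out value='${again}'/>">Search again</a>

<%-- JavaScript context: c:out is still NOT enough inside a script block,
     because entity escaping is not JavaScript string escaping. Put the value
     in a data attribute (HTML context, so c:out applies) and read it from the
     DOM; the browser hands the script the decoded string as data, not code. --%>
<div id="results" data-query="<c:out value='${param.q}'/>"></div>
<script>
  var box = document.getElementById("results");
  var q = box.getAttribute("data-query");
  box.textContent = "Results for " + q;
</script>

</body>
</html>
```

The page also depends on EL being evaluated at all: in a web.xml declared as Servlet 2.3 or older, `${param.q}` is emitted literally and nothing above applies, so check the `web-app` version when auditing a legacy application.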
 
Tim Holloway
Saloon Keeper
Posts: 26554
No, don't expect JSTL to be a magic solution to security.

It should be noted, however, that JSP URLs, like servlet URLs, can be protected by the JEE standard container-managed security system, and that system has never, to my knowledge, been breached. You can write bad security rules, but the security manager itself has a very strong record. And it blocks malicious URLs from ever reaching the webapp at all.
 
Houssam El
Ranch Hand
Posts: 180

Tim Moores wrote:

Houssam El wrote: JSP is more secure when you've used it with the Standard Tag Library (JSTL, for brevity); it secures the website from being attacked using cross-site scripting (XSS) as well as SQL injection, according to a book named Murach Servlet API and JSP

It is perfectly possible to create a web site that has XSS problems with JSTL (although when used properly it can help avoid those).

As to SQL injection, JSP does not protect against those. Nor could it, since DB operations are executed in backing beans or servlets, not in JSPs.

But these are just two of the more common security issues with web apps, there are many more to watch out for.

About the 2nd statement: JSP couldn't protect databases; otherwise, the Servlet API does, as it has numerous ways to help you mitigate attacks against your database. Although web security is a tough topic, and we can't sum it up in two or three sentences, it demands much work to grasp it well, as hackers create new methods every day to conquer security.
 
Houssam El
Ranch Hand
Posts: 180

Tim Holloway wrote: No, don't expect JSTL to be a magic solution to security.

It should be noted, however, that JSP URLs, like servlet URLs, can be protected by the JEE standard container-managed security system, and that system has never, to my knowledge, been breached. You can write bad security rules, but the security manager itself has a very strong record. And it blocks malicious URLs from ever reaching the webapp at all.

I agree, but JSTL could mitigate XSS against your website, as mentioned in the Servlet API and JSP book.
 
Tim Moores
Bartender
Posts: 7488

Houssam El wrote: About the 2nd statement: JSP couldn't protect databases; otherwise, the Servlet API does, as it has numerous ways to help you mitigate attacks against your database

The Servlet API has no facilities at all to deal with protecting databases.
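Where that protection actually lives is JDBC, in the servlet or backing bean that runs the query. The following added example (not code from the thread) is a search servlet with the injectable query beside the parameterised one. The JNDI name `jdbc/shop`, the `product(name)` table and the `/WEB-INF/results.jsp` view are assumptions; `javax.servlet` is used because the thread refers to JEE, so substitute `jakarta.servlet` on Jakarta EE 9 or later.

```java
// Added example, not from the thread. Assumes a DataSource bound in JNDI as
// jdbc/shop (hypothetical), a table product(name), and a JSP
// /WEB-INF/results.jsp that renders request attribute "products".
package example;

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet("/search")
public class SearchServlet extends HttpServlet {

    @Resource(name = "jdbc/shop")   // hypothetical JNDI resource name
    private DataSource ds;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String term = req.getParameter("q");
        if (term == null) {
            term = "";
        }
        try {
            List<String> products = findProducts(term);
            req.setAttribute("products", products);
            // The JSP still has to print each name through <c:out>; a safe
            // query does nothing for XSS on the way back out.
            req.getRequestDispatcher("/WEB-INF/results.jsp").forward(req, resp);
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // VULNERABLE, shown for contrast: the user's term is concatenated into the
    // SQL text, so q = ' OR '1'='1 becomes part of the query grammar. Nothing
    // in the Servlet API notices or prevents this.
    List<String> findProductsUnsafe(String term) throws SQLException {
        String sql = "SELECT name FROM product WHERE name LIKE '%" + term + "%'";
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // SAFE: the SQL text is fixed at compile time; the term is sent as a bound
    // parameter and can never alter the statement's structure. LIKE wildcards
    // in the term are escaped as well, so "%" cannot be used to dump the table.
    List<String> findProducts(String term) throws SQLException {
        String sql = "SELECT name FROM product WHERE name LIKE ? ESCAPE '!'";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(term) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Escape the LIKE metacharacters using '!' as the ESCAPE character.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString("name"));
        }
        return out;
    }
}
```

The same rule applies to JPA and Hibernate query strings: bind parameters with `setParameter`, never build JPQL or HQL by concatenation.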
 
obaid abbassi
Ranch Hand
Posts: 118

Is it good practice to use core JSP to build websites?
 
Tim Moores
Bartender
Posts: 7488
Not sure what you mean by "core JSP", but there is nothing wrong with using it. Usually, you'd use a framework alongside it, though - it'd be unusual to build a web site from scratch just using servlets and JSPs these days.
 
Tim Holloway
Saloon Keeper
Posts: 26554

obaid abbassi wrote: Is it good practice to use core JSP to build websites?



Not by itself. But it is my understanding that The Bear does favor rolling websites from scratch using servlets plus JSPs under the Model/View/Controller architecture.

I'm long-time moderator for the JavaServer Faces forum, and JSF originally also did use JSPs with custom tags to prototype its Views, although JSF2 uses an XHTML file format. It's not for all things, but it is nice for form-based data entry and display because you don't have to write any custom servlets, just use the JSF master servlet and define only the Models and Views - and get free data validation and controller logic. And it's also got the same safeguards against XSS that the JSTL c:out tag offers.

Other popular frameworks are Struts (which was like first-generation JSF, but still popular), Spring Web, and Wicket.
 