Question

I am tasked with developing a web application and am thinking of using the Struts framework as it seems to be a standard and is easy to implement.

However, before making a decision I need to know the security features available in Struts.

Are there effective ways to handle the OWASP Top 10 using Struts? And if so, how would I accomplish it?


Solution

Struts is there to offer you an MVC framework, and it has limited security features, e.g. you can map roles to actions. I would recommend you look into something more full-fledged like Spring Security (formerly Acegi).

OTHER TIPS

The best way to handle the OWASP Top Ten in Struts is to look at the OWASP Enterprise Security API...

Even for the features that YC mentions, you probably don't want to use a Struts configuration file out of the box to set up the ACLs for your actions. It may be better to programmatically examine state in the HttpRequest as it gets out of the ActionServlet, before it reaches your Struts actions (i.e. is this HttpRequest coming from an authenticated and authorized user given the URL?). Alternatively, you could intercept the request with a ServletFilter, though you would have to be careful to make sure it's thread safe.
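The filter approach described in the tip above, as an added example rather than code from the original answer or from Struts itself: a servlet Filter that checks authentication and role-based authorization for the requested URL before the request reaches the ActionServlet, written to be thread safe by holding no per-request state. It assumes the javax.servlet API, Java 9+, container-managed authentication (so `getUserPrincipal()` and `isUserInRole()` are populated), and hypothetical URL prefixes and role names.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Authorization filter mapped in front of the Struts ActionServlet (e.g. on "*.do").
 * Thread safety: one Filter instance serves all requests concurrently, so the only
 * state is an immutable rule table; no per-request data is kept in instance fields.
 */
public class ActionAuthorizationFilter implements Filter {
    /** Hypothetical rules: URL prefix (relative to the context path) -> required role.
     *  Prefixes must not overlap, because Map.of iteration order is unspecified. */
    private static final Map<String, String> ROLE_BY_PREFIX =
            Map.of("/admin/", "admin", "/account/", "user");

    @Override
    public void init(FilterConfig config) { /* rules are static; nothing to load */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the context root, e.g. "/admin/users.do".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Fail closed: a URL with no explicit rule is not reachable at all.
        String requiredRole = null;
        for (Map.Entry<String, String> rule : ROLE_BY_PREFIX.entrySet()) {
            if (path.startsWith(rule.getKey())) { requiredRole = rule.getValue(); break; }
        }
        if (requiredRole == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Authentication, then authorization, using the identity the container established.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res); // authorized: hand the request on to the ActionServlet
    }

    @Override
    public void destroy() { }
}
```

Note that `getRequestURI()` returns the raw, undecoded path, so before relying on prefix matching in production the path should be canonicalized (decoded and normalized), or the container's own security constraints used instead.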

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow