Scala web frameworks' security

Question

I am choosing a Scala web framework. Among frameworks I am considering are Play, Scalatra and Lift. In the project I am preparing for, security is important. However, web security is a blurry subject for me, and I would like my framework to handle it to a reasonable extent. I seem to be drawn to Play.

I am not asking what is the most secure framework (according to ads – Lift), but, rather, do Scala frameworks handle security for me, and how do they compare in that respect? I don't want to solely rely on my knowledge to make the web-app secure.

Answer 1

To answer my own question, I have to learn this stuff, no one is going to do it for me. There's OWASP cheatsheets; and also OWASP Enterprise Security API or ESAPI. ESAPI looks promising, though I haven't used it yet.

Answer 2

I'd vote for Liftweb http://seventhings.liftweb.net/security

The major difference to other frameworks (and especially to java's, like Spring) is what one may call "default behavior". For example, while coding, you can forget to "escape", some html attribute. In a bad framework you'll get errors with corrupt html and security holes. In a good framework you'll have double-escape or an error.

A full list of examples can actually be read in link. What personally I love Lift for is it's statefulness, Scala bindings to HTML like

"#myHtmlNode li div [onclick]" #> ajaxInvoke(...scala code here...)

In the code above, you'll be 100% sure that no one will have access to the contents of ajaxInvoke except for those users you sent the page yourself. And separation of the logic and the view is a relief, of course.