I had the opportunity to contribute research and code to this paper. The appendix section contains several code examples showing how one might:
- Create an authentication interceptor
- Create a roles interceptor (enforces page-level access controls based on a user's privilege level)
- Create a caching headers interceptor
- Prevent CSRF vulnerabilities using the built-in tokenSession interceptor
- Implement a custom error handler
- Create an interceptor that enforces SSL
- Regenerate session IDs when users cross an authentication boundary
http://www.owasp.org/index.php/Image:A_Gap_Analysis_of_Application_Security_in_Struts2.pdf
The code repository containing updated Struts 2 modules can be found below:
http://code.google.com/p/struts2securityaddons/
Additionally, you can see discussion of these modules in my earlier blog posts:
- http://nickcoblentz.blogspot.com/2008/09/jsessionid-regeneration-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/10/http-caching-headers-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/10/ssltls-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/10/custom-error-pages-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/11/csrf-prevention-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/11/page-level-access-controls-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/12/page-level-access-controls-in-struts-2.html
2 comments:
Thank you for the code in the appendix.
But I did not understand in the analysis if there is a way to use the ESAPI directly with struts2.
Eurrsk,
I am not that familiar with ESAPI. My knowledge centers around Struts 2. I recommend joining the OWASP ESAPI mailing list and asking folks there. I believe Arshan is a member of that mailing list. You can find it here:
https://lists.owasp.org/mailman/listinfo/owasp-esapi