So I see you have Apache 1.3 (with its known hacks) in front of it. I assume you read up on securing Apache.
I think very little has to do w/ Struts itself, unless you can crash the application remotely or dispatch commands that give you something.
.V
Bill Chmura wrote:
I can't really speak to the actual code or process itself as I have not worked with Struts in a little while - but anytime something is labeled as "hacker proof" it kind of sticks under my nail.
Maybe it's more aptly "securing validation", but I cannot imagine that this would "hacker proof your Struts application".
In any case, it's noble to share and try to improve the community - kudos.
On Wednesday 03 November 2004 10:42 am, Seetamraju, Uday wrote:
We are putting some websites open to all IP addresses using Appservers. We have successfully stayed well within JSTL and Struts.
My google searches didn't get me to any open information on how to use struts in a safe manner. So, I had to start inventing the wheel. I hope I didn't spend this much effort to 'reinvent'.
Our Struts-based web-applications here have survived the hack-vulnerability tools that the company uses. I was the only one involved on the development side to get the "secure" stamp of approval for these web-applications.
I ended up creating a new struts-contrib based on this experience. I am sending this email, since, after a few trials, I feel that I have a reasonably simple approach to make the individual URLs/Actions pass the typical secure-web-site tests.
I thought maybe I could get feedback to improve my code, and as well let others benefit.
----------------------------------------
The basic motivation: There should be very few changes to Struts applications to make them hacker-proof. Also, this shouldn't change the way people design Struts applications.
There are java.security.policy issues that are orthogonal to this email, that I am not including in here.
The entire details are in one nice HTML web page that I wrote up just for this. http://mysite.verizon.net/sarma/GNU/SafeValidatorForm.html
Thanks.
Udaybhaskar Sarma Seetamraju