JWIG Yet Another Framework for Maintainable and Secure Web Applications


JWIG: Yet Another Framework for Maintainable and Secure Web Applications
Anders Møller, Mathias Schwarz
Aarhus University

Slide 2: Brief history - Precursors
1999: <bigwig>
- Powerful template system
- Form field validation, concurrency, simple database, ...
2002: JWIG
- Java-based
- General XML
2003-: XACT
- XML transformations
- Type system
- Flow-based template analysis
2008-: JWIG2!

Slide 3: Software Engineering Principles
- High cohesion and low coupling: code that belongs together should be together
- Secure by design, e.g. resistance against XSS
- Convention over configuration (sensible defaults)

Slide 4: Many frameworks - JSF

Slide 5: Struts and JSF

Slide 6: Yet Another Framework?
Problems in current frameworks:
- Not secure by design
- Lots of complicated configuration
- Low coherence (unclear flow between pages)
- Server push is too cumbersome to use
- No uniform support for XHTML web applications and XML-based web services

Slide 7: Server- vs client-oriented?
Recent trends: move as much as possible to the client side; rich UI in JavaScript.
Drawbacks of using the client side:
- Conflicts with the use of ORM systems
- Security considerations

Slide 8: JWIG Overview

Slide 9: Generating XML Output
We want a solution that:
- Unifies template and DOM-like approaches
- Permits static validation analysis
- Avoids XSS problems
The solution: XACT, an existing, powerful XML transformation framework.

Slide 10: Hello World in JWIG

    import dk.brics.jwig.WebApp;
    import dk.brics.xact.XML;

    public class Main extends WebApp {
        public XML hello(String what) {
            return [[
                <html>
                    <head><title>Example</title></head>
                    <body>
                        <p>Hello <{what}></p>
                    </body>
                </html>
            ]];
        }
    }

Invoked by: http://www.example.com/main/hello?what=world

Slide 11: Web methods
The base unit in JWIG is the web method (different from Struts, JSF, Servlets).
Web methods are all public methods of a WebApp that:
- Return XML, URL or String, or
- Carry a @URLPattern annotation
Web methods are matched by priority (set by the @Priority annotation).
Methods are invoked by reflection on request; there is no configuration.

Slide 12: Web method parameters
The simplest way to take parameters? Formal parameters!
Web methods may take parameters:
- Of type String
- Of types that declare toString()/valueOf()
- Session (Persistable)
- Collections/arrays of the above
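An added example (not from the slides) of the parameter convention above: a web method that takes a String and a value type declaring toString()/valueOf(), so that range checking happens in the type rather than in every web method. The Pager class, the PageSize type and its 1..100 bound are assumptions for illustration; that JWIG converts the query-string value through valueOf is inferred from the slide, and how JWIG reports a failed conversion is not shown on the slides.

```java
import dk.brics.jwig.WebApp;
import dk.brics.xact.XML;

public class Pager extends WebApp {

    // Hypothetical value type: declares valueOf(String) and toString(),
    // which is the convention the slide gives for convertible parameter types.
    public static class PageSize {
        private final int value;

        private PageSize(int value) {
            this.value = value;
        }

        // Reject anything that is not a small positive integer, so no web
        // method ever sees an out-of-range or non-numeric page size.
        public static PageSize valueOf(String s) {
            int n = Integer.parseInt(s.trim());   // NumberFormatException on garbage
            if (n < 1 || n > 100)
                throw new IllegalArgumentException("page size must be 1..100, got " + n);
            return new PageSize(n);
        }

        public int get() {
            return value;
        }

        @Override
        public String toString() {
            return Integer.toString(value);
        }
    }

    // GET /pager/list?query=jwig&size=25
    // 'size' is assumed to be filled by calling PageSize.valueOf("25");
    // 'query' is passed through as a String. Both are emitted through XACT
    // gaps, so they are output as text, never as markup.
    public XML list(String query, PageSize size) {
        return [[
            <html>
                <head><title>Listing</title></head>
                <body>
                    <p>Query: <{query}></p>
                    <p>Page size: <{size.toString()}></p>
                </body>
            </html>
        ]];
    }
}
```

Keeping the validation inside valueOf means every web method that declares a PageSize parameter gets the same check, which is the "user input validation" direction listed under future work on slide 24.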

Slide 13: MicroChat

Slides 14-15: MicroChat

    import dk.brics.jwig.*;
    import dk.brics.xact.XML;
    import java.util.ArrayList;
    import java.util.List;

    public class MicroChat extends WebApp {
        List<String> messages = new ArrayList<String>();

        public XML chat() {
            return [[
                <html>
                    <head><title>MicroChat</title></head>
                    <body>
                        <{ new XMLProducer(messages) {
                               XML run() {
                                   if (!messages.isEmpty())
                                       return [[
                                           <ul>
                                               <{ [[<li><[msg]></li>]].plugWrap("msg", messages) }>
                                           </ul>
                                       ]];
                                   else
                                       return [[ ]];
                               }
                           } }>
                        <form method="post" action=[send]>
                            <p>
                                <input type="text" name="msg"/>
                                <input type="submit" value="Send"/>
                            </p>
                        </form>
                    </body>
                </html>
            ]].plug("send", new SubmitHandler() {
                void run(String msg) {
                    messages.add(msg);
                    update(messages);
                }
            });
        }
    }

Slide 16: Observations about MicroChat
- Concise code
- Guaranteed well-formed and valid XHTML
- XSS impossible (secure by design)
- Clear flow between generating and handling the form (high cohesion)
- Easy server push

Slide 17: Session State
Session data is typically stored in a per-user string-to-object map:
- Low cohesion between data and the code using it
- Hard to clean up
- Potential naming conflicts
The solution is to divide session data into small typed units.

Slide 18: Session Example

    public URL hello(String what) {
        return makeURL("sayHi", new HelloSession(what));
    }

    class HelloSession extends Session {
        String name;

        public HelloSession(String s) {
            name = s;
        }
    }

    public XML sayHi(HelloSession s) {
        return [[
            <html>
                <head><title>Example</title></head>
                <body><p>Hello <{s.name}></p></body>
            </html>
        ]];
    }

Slide 19: Filters in JWIG
Filters are just web methods that:
- Have higher priority than other methods
- Call next()

    import dk.brics.jwig.*;
    import dk.brics.xact.XML;

    public class Main extends WebApp {
        public XML hello(String what) {
            return [[
                <html><head><title>Example</title></head>
                <body>
                    <p>Hello <{what}></p>
                </body></html>
            ]];
        }

        @Priority(PRE_CACHE)
        @URLPattern("hello")
        public void log(String what) {
            System.out.println("Greeted " + what);
            next();
        }
    }

next() invokes the web methods of lower priority and returns the response.

Slide 20: Aggressive cache
Caching:
- The cache filter caches any GET response
- WebApp.addResponseInvalidator(Object) makes a response dependent on some object
- WebApp.update(Object) clears all dependent responses from the cache

Slide 21: Status codes and Authorization
Status codes (excluding 200 OK) are signaled using exceptions:
- 401: AuthorizationRequiredException (use for HTTP Basic Authentication)
- 403: AccessDeniedException
- 404: NotFoundException
- 500: all others

Slide 22: HTTP Basic Authentication
Thus HTTP Basic Authentication is simple: we can create a filter that throws an exception if no user is set.

    import dk.brics.jwig.*;
    import dk.brics.xact.XML;

    public class Main extends WebApp {
        public XML hello(String what) {
            return [[
                <html><head><title>Example</title></head>
                <body>
                    <p>Hello <{what}></p>
                </body></html>
            ]];
        }

        @Priority(PRE_CACHE + 1000)
        @URLPattern("**")
        public void auth() {
            User u = getUser();
            // The User object can be used for checking username and password
            if (u == null)
                throw new AuthorizationRequiredException("Hello Service");
            next();
        }
    }
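As an added example (not from the slides), the same "**" filter extended to actually verify the credentials the User object carries, using the status-code exceptions from slide 21: a missing or wrong credential yields 401 through AuthorizationRequiredException, as in the slides' QuickPoll authenticate(), and an authenticated user outside an allow-list yields 403 through AccessDeniedException. The credential store, the PBKDF2 parameters, the fixed demo salt and the "admin/**" pattern are assumptions; the JWIG calls used (getUser, getUsername, getPassword, next, @Priority(PRE_CACHE + ...), @URLPattern) are the ones the slides show.

```java
import dk.brics.jwig.*;
import dk.brics.xact.XML;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Secured extends WebApp {

    // Constructed demo credential store: username -> PBKDF2 digest of the password.
    // A shared fixed salt keeps the sample short; a deployment would store a random
    // per-user salt and load the digests from configuration or a database rather
    // than comparing against a string literal inside the web method.
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();
    private static final Set<String> ADMINS = new HashSet<String>();   // assumption
    static {
        USERS.put("jdoe", pbkdf2("42", SALT));   // demo credentials only
        ADMINS.add("jdoe");
    }

    private static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // True only if the supplied credentials match the store. MessageDigest.isEqual
    // compares in constant time, so response timing does not reveal how many
    // leading digest bytes matched.
    static boolean credentialsValid(String username, String password) {
        byte[] expected = USERS.get(username);
        if (expected == null) {
            pbkdf2(password, SALT);   // do the same work for unknown usernames
            return false;
        }
        return MessageDigest.isEqual(expected, pbkdf2(password, SALT));
    }

    // Runs before the cache filter for every URL, like the slide's auth(),
    // but rejects wrong credentials as well as missing ones.
    @Priority(PRE_CACHE + 1000)
    @URLPattern("**")
    public void auth() {
        User u = getUser();
        if (u == null || !credentialsValid(u.getUsername(), u.getPassword()))
            throw new AuthorizationRequiredException("Hello Service");   // 401 + challenge
        next();
    }

    // Lower priority than auth(), so the user is already authenticated here;
    // "admin/**" is an assumed pattern for the administrative web methods.
    @Priority(PRE_CACHE + 500)
    @URLPattern("admin/**")
    public void adminOnly() {
        User u = getUser();
        if (u == null || !ADMINS.contains(u.getUsername()))
            throw new AccessDeniedException("admins only");   // 403
        next();
    }

    public XML hello(String what) {
        return [[
            <html><head><title>Example</title></head>
            <body><p>Hello <{what}></p></body></html>
        ]];
    }
}
```

Because auth() has the higher priority it runs first, so adminOnly() never sees an unauthenticated request; the null check there is only defence in depth. Hashing the password even for unknown usernames keeps the two failure paths close in timing, which is the same reason the digest comparison is constant-time.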

Slide 23: Deployment
JWIG follows the same structure as Struts/JSF:
- A fixed web.xml file in WEB-INF
- Classes in WEB-INF/classes
- JWIG implementation libraries in WEB-INF/lib
There is a zip file for you on the web page.

Slide 24: Status and Future Work
Case study: 30,000-line course administration system (CourseAdmin).
Done as a PREP project: static analysis of JWIG programs (matching parameter names, types, web app graph).
Future/current work:
- User input validation
- Tag mechanism for UI abstractions
- Automated (concolic) testing of applications
Maybe your next PREP project?

Slide 25: Conclusion
Simple framework from sound design principles:
- High cohesion, low coupling
- Secure by design
- Convention over configuration
- Unified XML processing (via XACT)
- XMLProducer for server push
- Event handlers for user input

Slide 26: Questions?

Slides 27-31: QuickPoll

    package quickpoll;

    import dk.brics.jwig.*;
    import dk.brics.xact.*;

    @URLPattern("quickpoll")
    public class QuickPoll extends WebApp {

        XML wrapper = [[
            <html>
                <head><title>QuickPoll</title></head>
                <body>
                    <h1>QuickPoll</h1>
                    <[BODY]>
                </body>
            </html>
        ]];

        class State {
            String question;
            int yes;
            int no;
        }

        State state = new State();

        @URLPattern("")
        public XML index() {
            return wrapper.plug("BODY", [[
                <ul>
                    <li><a href={makeURL("init")}>Initialize</a> (access control)</li>
                    <li><a href={makeURL("vote")}>Vote</a></li>
                    <li><a href={makeURL("results")}>View results</a></li>
                </ul>
            ]]);
        }

        @URLPattern("init")
        public void authenticate() {
            User u = getUser();
            if (u != null && u.getUsername().equals("jdoe") && u.getPassword().equals("42"))
                next();
            else
                throw new AuthorizationRequiredException("QuickPoll");
        }

        public XML init() {
            return wrapper.plug("BODY", [[
                <form method="post" action=[init]>
                    What is your question?<br/>
                    <input name="question" type="text" size="40"/>?<br/>
                    <input type="submit" value="Register my question"/>
                </form>
            ]]).plug("init", new SubmitHandler() {
                XML run(String question) {
                    synchronized (state) {
                        state.question = question;
                        state.yes = state.no = 0;
                        update(state);
                    }
                    return wrapper.plug("BODY", [[
                        Your question has been registered. Let the vote begin!
                    ]]);
                }
            });
        }

        public XML vote() {
            if (state.question == null)
                throw new AccessDeniedException("QuickPoll not yet initialized");
            addResponseInvalidator(state);
            return wrapper.plug("BODY", [[
                <{state.question}>?<p/>
                <form method="post" action=[vote]>
                    <input name="vote" type="radio" value="yes"/> yes<br/>
                    <input name="vote" type="radio" value="no"/> no<p/>
                    <input type="submit" value="Vote"/>
                </form>
            ]]).plug("vote", new SubmitHandler() {
                XML run(String vote) {
                    synchronized (state) {
                        if ("yes".equals(vote))
                            state.yes++;
                        else if ("no".equals(vote))
                            state.no++;
                        update(state);
                    }
                    return wrapper.plug("BODY", [[
                        Thank you for your vote!
                    ]]);
                }
            });
        }

        public XML results() {
            return wrapper.plug("BODY", new XMLProducer(state) {
                XML run() {
                    synchronized (state) {
                        int total = state.yes + state.no;
                        if (total == 0)
                            return [[No votes yet...]];
                        else
                            return [[
                                <{state.question}>?<p/>
                                <table border="0">
                                    <tr><td>yes:</td><td><{drawBar(300*state.yes/total)}></td><td><{state.yes}></td></tr>
                                    <tr><td>no:</td><td><{drawBar(300*state.no/total)}></td><td><{state.no}></td></tr>
                                </table>
                            ]];
                    }
                }
            });
        }

        private XML drawBar(int length) {
            return [[<table><tr><td bgcolor="black" height="20" width={length}></td></tr></table>]];
        }
    }