Welcome!

Java IoT Authors: Liz McMillan, Elizabeth White, Yeshim Deniz, Carmen Gonzalez, Pat Romanski

Related Topics: Java IoT, IBM Cloud

Java IoT: Article

How to Create Secure Web Applications with Struts

Imagine building a house starting with only a pile of timber and a lump of iron

Imagine building a house starting with only a pile of timber and a lump of iron, or making a bowl of spaghetti from a sack of wheat and a bag of tomatoes. The importance of having the right materials makes the idea of building products from scratch seem absurd. Similarly, any software project that doesn't take advantage of the numerous frameworks available for any manner of development activity could be wasting valuable resources and ignoring established best practices.

The advantages of using frameworks are obvious to any developer who has implemented a complex, bug-ridden solution to a design problem that's already been elegantly addressed by a framework. And perhaps the most difficult design problems to get right are those concerning security. With the popularity of Web applications and services on the rise, there has been an increasing move to standardize security-critical tasks, such as authentication and session management, in the container or framework. This way, developers can focus on implementing business processes, rather than specialized tasks like cryptographic algorithms or pseudo-random number generation.

This article will focus on developing secure Web applications with the popular Java framework Struts. It will detail a set of best practices using the included security mechanisms. The first section will provide an overview of both Struts and Web application security as a context for discussion. Each subsequent section will focus on a specific security principle and discuss how Struts can be leveraged to address it.

Struts
Struts is a very popular framework for Java Web applications large and small because of the numerous advantages it offers developers. The main goal of the Struts framework is to enforce a MVC-style (Model-View-Controller) architecture, which means that there is a separation of concerns among different architectural components: the model is the representation of the logic, the view is in charge of displaying data to the user, and the controller is responsible for providing the user with a way to interact with the application and affect the model. A simple analogy for this is a video game, where you have a game console (the model), the television or monitor (the view), and a controller (quite appropriately, the controller). This architectural pattern promotes reuse and stability by reducing the effects of code changes (since the implementation of each component is agnostic to the implementation of the others and the model is isolated from the user).

Although it is approximately an implementation of the MVC pattern, Struts is more accurately based on the "Model 2" architecture specific to the Java servlet technology. Rather than having users access the JSPs directly, Struts applications have a "front controller" servlet that's the initial target of all requests and decides how to process requests and route users. Struts also has two different frameworks, the original (Struts Action Framework) and one based on JSF (Struts Shale). For the purposes of this article, we'll only consider the original framework.

Web Application Security
Web applications (such as those built on Struts) rely on users being able to access potentially sensitive information from all over the world over disparate untrusted networks. It's not exactly a surprise or a secret that many non-secure Web applications have been exploited, making front-page news and causing an enormous amount of problems for the organizations responsible. Application security attacks like SQL injection, cross-site scripting, session hijacking, and cookie poisoning are now mainstays in the toolkit of any hacker worth his salt, and it's becoming increasingly obvious that developers have to put more of an emphasis on security.

Organizations like OWASP (Open Web Application Security Project) and WASC (Web Application Security Consortium) have assembled a great deal of information on how to avoid common pitfalls and create more secure Web applications. These and other resources are invaluable for learning about Web application security, and this article complements them as a guide for best practices in Struts applications with respect to security. Here we'll focus on four specific types of security concerns and how they relate to Struts.

Struts & Input Validation
Input validation refers to the practice of verifying that input from an untrusted source is acceptable and safe to use. This has a significant security impact because malformed data submitted by a malicious user is the direct cause of numerous exploits (including SQL injection and cross-site scripting) and generally causes an application to behave unexpectedly and outside of its security design.

The Struts Validator plug-in lets you cleanly encapsulate all of your validation logic in XML configuration files instead of Java code. The Validator plug-in assists developers by standardizing common types of validations, preventing validation logic duplication, and being easier to verify and change (no recompilation is required). Two things to consider when using the Validator plug-in:

  1. There's a mechanism to validate the code of the ActionForm (org.apache.struts.action.ActionForm, the Java class in the controller responsible for handling user data). However, this doesn't offer the advantages described above and won't be discussed here.
  2. Any business-level validation should be performed in the model, and the controller should be limited to semantic validation (correct length, type, acceptable character set). For instance, in the Validator plug-in you might ensure a credit card number is the right format, but you'd ensure it's a valid card in the business logic.
Here's how the Validator plug-in works:

1.  User input is encapsulated in one of the ValidatorForm classes (which extend ActionForm classes):

public class UserValidatorForm extends org.apache.struts.validator.ValidatorForm {
      public String firstName;
      public String lastName;
      public String phoneNumber;
      public String userId;
      ...
}

2.  Validation functions (several standard ones come pre-baked) are defined in validator-rules.xml. This rule calls a validation method from a custom class:

<validator name="userId"
classname="com.jdjexample.validator.UserIdValidator"
method="validateUserId"
      methodParams="java.lang.Object,
      org.apache.commons.validator.ValidatorAction,
      org.apache.commons.validator.Field,
      org.apache.struts.action.ActionErrors,
      javax.servlet.http.HttpServletRequest"
    msg="errors.userid">
...
</validator>

3.  Validation.xml maps which fields have to be validated by which rules:

<form-validation>
  <formset>
     <form name="userForm">
       <field property="firstName" depends="required">
        <arg0 key="firstName.displayName"/>
      </field>
       <field property="lastName" depends="required ">
         <arg0 key="lastName.displayName"/>
       </field>
<field property="phoneNumber" depends="required, mask">
<arg0 key="phoneNumber.mask"/>
<var>
     <var-name>mask</var-name>
     <var-value>
     ^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$
     </var-value>
</var>
</field>
</field>
     <field property="userId" depends="required, userId">
     <arg0 key="phoneNumber.mask"/>
     </field>
    </form>
   </formset>
</form-validation>

More Stories By Alex Smolen

Alex Smolen is a Software Security Consultant at Foundstone, where he provides security consulting services to clients to help find, fix, and prevent security vulnerabilities in enterprise software. His duties include threat modeling, code review, penetration testing and secure software development lifecycle (S-SDLC) design and implementation. Alex’s speaking engagements include Enterprise Architect Summit 2005 where he spoke on emerging trends in enterprise security as well as Better Software Conference 2005. Alex graduated from the University of California, Berkeley, with a BS in electrical engineering and computer science.

Comments (2) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
SYS-CON Belgium News Desk 03/19/06 01:48:20 PM EST

Imagine building a house starting with only a pile of timber and a lump of iron, or making a bowl of spaghetti from a sack of wheat and a bag of tomatoes. The importance of having the right materials makes the idea of building products from scratch seem absurd. Similarly, any software project that doesn't take advantage of the numerous frameworks available for any manner of development activity could be wasting valuable resources and ignoring established best practices.

SYS-CON India News Desk 03/19/06 10:15:48 AM EST

Imagine building a house starting with only a pile of timber and a lump of iron, or making a bowl of spaghetti from a sack of wheat and a bag of tomatoes. The importance of having the right materials makes the idea of building products from scratch seem absurd. Similarly, any software project that doesn't take advantage of the numerous frameworks available for any manner of development activity could be wasting valuable resources and ignoring established best practices.

@ThingsExpo Stories
NHK, Japan Broadcasting, will feature the upcoming @ThingsExpo Silicon Valley in a special 'Internet of Things' and smart technology documentary that will be filmed on the expo floor between November 3 to 5, 2015, in Santa Clara. NHK is the sole public TV network in Japan equivalent to the BBC in the UK and the largest in Asia with many award-winning science and technology programs. Japanese TV is producing a documentary about IoT and Smart technology and will be covering @ThingsExpo Silicon Val...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
With billions of sensors deployed worldwide, the amount of machine-generated data will soon exceed what our networks can handle. But consumers and businesses will expect seamless experiences and real-time responsiveness. What does this mean for IoT devices and the infrastructure that supports them? More of the data will need to be handled at - or closer to - the devices themselves.
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
@ThingsExpo has been named the Most Influential ‘Smart Cities - IIoT' Account and @BigDataExpo has been named fourteenth by Right Relevance (RR), which provides curated information and intelligence on approximately 50,000 topics. In addition, Right Relevance provides an Insights offering that combines the above Topics and Influencers information with real time conversations to provide actionable intelligence with visualizations to enable decision making. The Insights service is applicable to eve...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...
NHK, Japan Broadcasting, will feature the upcoming @ThingsExpo Silicon Valley in a special 'Internet of Things' and smart technology documentary that will be filmed on the expo floor between November 3 to 5, 2015, in Santa Clara. NHK is the sole public TV network in Japan equivalent to the BBC in the UK and the largest in Asia with many award-winning science and technology programs. Japanese TV is producing a documentary about IoT and Smart technology and will be covering @ThingsExpo Silicon Val...
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
SYS-CON Events announced today that Hitachi, the leading provider the Internet of Things and Digital Transformation, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Hitachi Data Systems, a wholly owned subsidiary of Hitachi, Ltd., offers an integrated portfolio of services and solutions that enable digital transformation through enhanced data management, governance, mobility and analytics. We help globa...
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software in the hope of capturing value in IoT. Although IoT is relatively new in the market, it has already gone through many promotional terms such as IoE, IoX, SDX, Edge/Fog, Mist Compute, etc. Ultimately, irrespective of the name, it is about deriving value from independent software assets participating in an ecosystem as one comprehensive solution.
SYS-CON Events announced today that Hitachi Data Systems, a wholly owned subsidiary of Hitachi LTD., will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City. Hitachi Data Systems (HDS) will be featuring the Hitachi Content Platform (HCP) portfolio. This is the industry’s only offering that allows organizations to bring together object storage, file sync and share, cloud storage gateways, and sophisticated search an...