1. Development of Security Framework based on OWASP ESAPI for JSF2.0

2. About Us
   • Rakesh Kachhadiya
     – Master work, University of Freiburg (Germany)
   • Emmanuel Benoist
     – Professor, Bern University of Applied Sciences (Switzerland)

3. ESAPI
   • Enterprise Security API
     – OWASP Project
     – Support for: Java, .NET, Classic ASP, PHP, ColdFusion, Python, Objective C, Ruby, C, Perl, …
   • Groups all security features into one library:
     – Authentication, Authorization
     – Access control, logging and intrusion detection
     – Validation, decoding, encoding (for HTML, XML, SQL, LDAP, …)
     – Crypto functionalities

4. Java Server Faces
   • JSF: Advantages
     – Model View Controller
       • Controller: Faces Servlet
       • View: xhtml files (component tree)
       • Model: Java files using annotations
     – Separation of layers
       • Front End: xhtml and components
       • Back End: Java
     – Libraries with reusable components
       • Apache, RichFaces, Oracle, etc.
     – Concepts like: Validators and Converters

5. Integrating ESAPI in JSF
   • At different levels
     – In the Model
       • Authorization, Access control, logging, SQL/LDAP/XML encoding, …
     – In the View
       • Create Validators
     – In the Controller (in the Faces Servlet)
       • Enhancing HTTP
       • HTML Encoding

6. Project goals
   • Provide a library for integrating ESAPI in JSF
     – Reduces the work for the developers
     – Secure implementation
   • Adapt ESAPI to JSF "culture"
     – Provide out of the box tools
     – Easy to integrate in a project
     – Can be used by simple developers

7. Architecture

8. Demo1: Render Response

9. Demo2: Validation

10. Demo3: Filtering

11. Demo4: File based Authorization

12. Conclusion
   • Integrate ESAPI into JSF
     – It will help programmers
     – Makes security "invisible"
   • Known issues
     – Access Control: prevent updating of the model
     – CSRF: make it transparent for the programmer
   • Need feedback from security experts
     – What are the common vulnerabilities for JSF?

13. Questions
   • Feedback for OWASP
   • Contact us:
     – Emmanuel.Benoist (AT) bfh.ch
     – RakeshKachhadiya (AT) gmail.com
   QUESTIONS?
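Slide 5 names "Create Validators" in the View as one integration point, and Demo2 covers validation. The following is an added example, not code from the slides or from the authors' library, showing what such a JSF 2.0 validator looks like when it delegates to ESAPI: the validator id "esapiEmailValidator" and the class name are assumptions, and it assumes esapi.jar plus an ESAPI.properties with its default Validator.Email pattern on the classpath.

```java
// Added example (not the slides' or the authors' code): a JSF 2.0 validator
// backed by OWASP ESAPI. The validator id below is an assumed name.
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

@FacesValidator("esapiEmailValidator")   // assumed validator id
public class EsapiEmailValidator implements Validator {

    // Upper bound passed to ESAPI so oversized input is rejected before the
    // regex is applied.
    private static final int MAX_LENGTH = 254;

    @Override
    public void validate(FacesContext ctx, UIComponent component, Object value)
            throws ValidatorException {
        String input = (value == null) ? null : value.toString();
        try {
            // "Email" selects the Validator.Email regex from ESAPI.properties.
            // allowNull=false: an empty field fails validation here as well.
            // The context string ends up in ESAPI's log entry for the failure.
            ESAPI.validator().getValidInput(
                "JSF field " + component.getClientId(ctx),
                input, "Email", MAX_LENGTH, false);
        } catch (ValidationException e) {
            // getUserMessage() is the sanitised text intended for the user;
            // the detailed getLogMessage() has already gone to ESAPI's logger.
            throw new ValidatorException(new FacesMessage(
                FacesMessage.SEVERITY_ERROR, e.getUserMessage(), null));
        } catch (IntrusionException e) {
            // ESAPI raises this when the input looks like an attack rather than
            // a typo; reply generically instead of echoing the value back.
            throw new ValidatorException(new FacesMessage(
                FacesMessage.SEVERITY_ERROR, "Invalid input.", null));
        }
    }
}

/* Constructed Facelets usage, so the ESAPI check runs in the JSF
   Process Validations phase before the model is updated:

   <h:inputText id="email" value="#{user.email}">
       <f:validator validatorId="esapiEmailValidator"/>
   </h:inputText>
   <h:message for="email"/>
*/
```

Because the check runs inside the JSF lifecycle, a value that ESAPI rejects never reaches the managed bean, which is the "security invisible to the programmer" effect the conclusion slide describes: the page author only attaches the validator id and reads the message component.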