[Esapi-user] Validation fields with JSF

Chris Schmidt chrisisbeef at gmail.com
Wed Feb 24 10:40:09 EST 2010


Sebastian -

There are some pretty good reasons to have client-side validation, at least
simple validation. The main reason being that it saves a trip to the server
and back for the client, so it makes the application perform slightly better
(this can become a bigger issue in very high traffic applications).

However, it should be noted that you should *never* rely completely on
client-side validation logic, as it is fairly easy for an attacker to bypass
it completely. There should be a balance between checking things on the
client-side and full validation on the server-side.

Here is how I usually break it down:

Client-side:
 - Checking required fields are answered
 - Simple pattern validations (email, website, etc)
 - Simple range validations for numbers or dates
 - Quick check for banned characters
 - Spellcheck (as an ajax feature this is nice)

Server-side:
 - Checking required fields are answered
 - Pattern Validation
 - Range Validation
 - Banned character/word validation
 - Domain-specific validation (i.e., validating against data)

Hopefully this helps to answer your question.

Thanks,

Chris

On Wed, Feb 24, 2010 at 8:04 AM, Sebastian <smarichal at seciu.edu.uy> wrote:

> Hi everybody, I'm new on the esapi-user list.
>
> I'm currently investigating security configurations for a JavaEE + JSF
> application.
> The system has 2 components, an EJB project called "Logica" and a
> presentation component called "WebComponent".
> So, the validations in the pages of WebComponent are done with
> JavaScript. And when the data arrives at "Logica" it is validated
> again (server side).
> I would like to ask you whether it is necessary to validate fields in the
> "WebComponent" on the server side, not only in JavaScript. Why?
> And if the answer is "Yes", I'd appreciate it if you could tell me whether it is
> better to validate the fields using <f:validate> or <h:inputText
> required='true'>, or just to validate in the code of the BackingBean.
>
> Thank you very much!
>
> Sebastian
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>



-- 
Chris Schmidt

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/

Yet Another Developers Blog
http://yet-another-dev.blogspot.com

Bio and Resume
http://www.digital-ritual.net/resume.html
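As an added example, not code from this thread and not ESAPI's own Validator API, the following plain Java class implements the server-side half of the breakdown above: required fields, pattern validation, range validation, banned characters, and a domain-specific check against data. The field names, the regular expressions, the age bounds and the "existing usernames" set are illustrative assumptions. The main method feeds it one submission that passed the client-side JavaScript and one that was replayed with the JavaScript checks removed, which is the case the server-side layer exists for. Whether it is called from a JSF Validator or from a backing bean, it runs on the server either way.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not from the original thread, not ESAPI code): a server-side
 * validator that re-applies every check the client-side JavaScript performs and
 * adds the data-dependent check the client cannot do. Field names, patterns,
 * bounds and the sample data store are assumptions for illustration.
 */
public class ServerSideFieldValidator {

    // Allowlist patterns (assumed formats): an email-like address and a short username.
    private static final Pattern EMAIL =
            Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,20}$");
    // Characters rejected outright in free text. A quick check only; it is not an encoder.
    private static final Pattern BANNED = Pattern.compile("[<>\"'`;]");

    // Stand-in for "validating against data": usernames already taken (constructed sample).
    private final Set<String> existingUsernames;

    public ServerSideFieldValidator(Set<String> existingUsernames) {
        this.existingUsernames = existingUsernames;
    }

    /** Returns one message per failed check; an empty list means the input is acceptable. */
    public List<String> validate(Map<String, String> fields) {
        List<String> errors = new ArrayList<>();

        // 1. Required fields: required='true' in the browser proves nothing once bypassed.
        for (String name : Arrays.asList("username", "email", "age", "comment")) {
            String v = fields.get(name);
            if (v == null || v.trim().isEmpty()) {
                errors.add(name + ": required");
            }
        }
        if (!errors.isEmpty()) {
            return errors; // later checks assume the values are present
        }

        // 2. Pattern validation with allowlists, not denylists.
        if (!USERNAME.matcher(fields.get("username")).matches()) {
            errors.add("username: invalid format");
        }
        if (!EMAIL.matcher(fields.get("email")).matches()) {
            errors.add("email: invalid format");
        }

        // 3. Range validation: parse defensively, then bound (13..120 is an assumed range).
        try {
            int age = Integer.parseInt(fields.get("age").trim());
            if (age < 13 || age > 120) {
                errors.add("age: out of range");
            }
        } catch (NumberFormatException e) {
            errors.add("age: not a number");
        }

        // 4. Banned characters and a length cap on free text.
        String comment = fields.get("comment");
        if (BANNED.matcher(comment).find()) {
            errors.add("comment: contains banned characters");
        }
        if (comment.length() > 500) {
            errors.add("comment: too long");
        }

        // 5. Domain-specific validation against data; only the server can do this reliably.
        if (existingUsernames.contains(fields.get("username").toLowerCase(Locale.ROOT))) {
            errors.add("username: already taken");
        }
        return errors;
    }

    public static void main(String[] args) {
        ServerSideFieldValidator v =
                new ServerSideFieldValidator(new HashSet<>(Arrays.asList("alice", "bob")));

        // A submission from the real form, after the client-side JavaScript accepted it.
        Map<String, String> good = new HashMap<>();
        good.put("username", "carol_7");
        good.put("email", "carol@example.org");
        good.put("age", "34");
        good.put("comment", "Hello");
        System.out.println("form submission:    " + v.validate(good));

        // The same request replayed through a proxy with the JavaScript checks stripped out.
        Map<String, String> bypassed = new HashMap<>();
        bypassed.put("username", "alice");
        bypassed.put("email", "not-an-email");
        bypassed.put("age", "-1");
        bypassed.put("comment", "<script>alert(1)</script>");
        System.out.println("bypassed client JS: " + v.validate(bypassed));
    }
}
```

The second submission is rejected on four separate checks even though every one of them was "already done" in the browser; the client-side copy of the same rules only saves the round trip for honest users.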