[Esapi-user] Validation fields with JSF

Sebastian smarichal at seciu.edu.uy
Wed Feb 24 11:37:47 EST 2010


Thanks Chris, I understand that client-side validation is important to 
make the application "faster" and that server-side validation shouldn't 
be omitted.

 -------------------------------------------------------------------           -------------------------
|                     ****   SERVER - SIDE  ****                     |         |  *** CLIENT - SIDE ***  |
|                                                                    |         |                         |
|  {DB} <--> {EJB Application} <------> {Web Application (jsf)}      | <-----> |       {browser}         |
|                                                                    |         |                         |
 -------------------------------------------------------------------           -------------------------

So, on the client side there is JavaScript validation, that's ok.
My question is where to put server-side validation!!!! In the Web 
Application or in the EJB Application?? Or both??
If I put validation in the Web Application, should I use JSF tag validators, 
or is it better to write validation code in the Backing Bean calling 
ESAPI functions? Maybe JSF has already implemented some issues that ESAPI 
implements too and it isn't necessary to call ESAPI for those specific 
issues (for example putting required='true' on an inputText).

Thank you again,
Sebastian


Chris Schmidt wrote:
> Sebastian -
>
> There are some pretty good reasons to have client-side validation, at 
> least simple validation. The main reason being that it saves a trip to 
> the server and back for the client, so it makes the application 
> perform slightly better (this can become a bigger issue in very high 
> traffic applications). 
>
> However, it should be noted that you should *never* rely completely on 
> client-side validation logic, as it is fairly easy for an attacker to 
> bypass it completely. There should be a balance between checking 
> things on the client-side and full validation on the server-side. 
>
> Here is how I usually break it down:
>
> Client-side:
>  - Checking required fields are answered
>  - Simple pattern validations (email, website, etc.)
>  - Simple range validations for numbers or dates
>  - Quick check for banned characters
>  - Spellcheck (as an ajax feature this is nice)
>
> Server-side:
>  - Checking required fields are answered
>  - Pattern Validation
>  - Range Validation
>  - Banned character/word validation
>  - Domain-specific validation (i.e., validating against data)
>
> Hopefully this helps to answer your question.
>
> Thanks, 
>
> Chris 
>
> On Wed, Feb 24, 2010 at 8:04 AM, Sebastian <smarichal at seciu.edu.uy> wrote:
>
>     Hi everybody, I'm new to the esapi-user list.
>
>     Actually I'm investigating security configurations for a JavaEE + JSF
>     application.
>     The system has 2 components, an EJB Project called "Logica" and a
>     presentation component called "WebComponent".
>     So, the validations in the pages of WebComponent are done with
>     JavaScript. And when the data arrives at "Logica" then it is validated
>     again (server side).
>     I would like to ask you if it is necessary to validate fields in the
>     "WebComponent" on the server side, not only in JavaScript. Why?
>     And if the answer is "Yes" I'd appreciate it if you can tell me if it is
>     better to validate the fields using <f:validate> or <h:inputText
>     required='true'> or just validate in the code of the BackingBean ??
>
>     Thank you very much!
>
>     Sebastian
>     _______________________________________________
>     Esapi-user mailing list
>     Esapi-user at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
>
>
> -- 
> Chris Schmidt
>
> OWASP ESAPI Developer
> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>
> Check out OWASP ESAPI for Java
> http://code.google.com/p/owasp-esapi-java/
>
> OWASP ESAPI for JavaScript
> http://code.google.com/p/owasp-esapi-js/
>
> Yet Another Developers Blog
> http://yet-another-dev.blogspot.com
>
> Bio and Resume
> http://www.digital-ritual.net/resume.html
>
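One way to wire Chris's server-side checks into JSF while reusing ESAPI's whitelist patterns, added here as an illustration (it is not code from this thread, nor ESAPI's or any project's own code). The validatorId "esapiValidator", the component attributes "esapiType" and "maxLength", and the page fragment in the comment are assumptions; "Email" refers to the Validator.Email entry ESAPI ships in ESAPI.properties, and the same ESAPI call can be repeated in the EJB layer for defence in depth.

```java
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * JSF validator that delegates to ESAPI's Validator, so the same whitelist
 * pattern ("Validator.<type>" in ESAPI.properties) is enforced on the server
 * no matter what the browser-side JavaScript did.
 *
 * Hypothetical page usage:
 *   <h:inputText value="#{bean.email}" required="true">
 *     <f:validator validatorId="esapiValidator"/>
 *     <f:attribute name="esapiType" value="Email"/>
 *     <f:attribute name="maxLength" value="254"/>
 *   </h:inputText>
 */
@FacesValidator("esapiValidator")
public class EsapiJsfValidator implements Validator {

    public void validate(FacesContext ctx, UIComponent component, Object value)
            throws ValidatorException {
        // required="true" is enforced by JSF itself; empty input is not our job here.
        String input = (value == null) ? null : value.toString();
        if (input == null || input.length() == 0) {
            return;
        }
        String type = (String) component.getAttributes().get("esapiType");
        Object maxAttr = component.getAttributes().get("maxLength");
        int maxLength = (maxAttr == null) ? 200 : Integer.parseInt(maxAttr.toString());
        String context = component.getClientId(ctx); // label used in ESAPI's log entry

        try {
            // Canonicalizes the input, then checks it against the named whitelist
            // pattern and the length limit; throws on anything that does not match.
            ESAPI.validator().getValidInput(context, input, type, maxLength, false);
        } catch (ValidationException e) {
            // getUserMessage() is the sanitized text meant for the user; the detailed
            // getLogMessage() has already been written to the ESAPI log.
            throw new ValidatorException(new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, e.getUserMessage(), null));
        } catch (IntrusionException e) {
            throw new ValidatorException(new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Invalid input", null));
        }
    }
}
```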