[Esapi-user] Validation fields with JSF

John Melton jtmelton at gmail.com
Wed Feb 24 11:45:05 EST 2010

As I see it, you're talking specifically about validation here, which is but
one of ESAPI's features.  JSF has a number of built in validators that work
perfectly well if that's the route you choose.  Namely, the required, length
and range validators are simple validations and the JSF versions work fine
and provide similar security to the equivalent validators in ESAPI, so pick
whichever you like.  However, as you get into more complex validations (such
as banned character/word, and business specific data validations) , there
are good reasons to use ESAPI including the fact that JSF does not have
those types of validation out of the box.  One important point to note about
JSF specifically is that it's built-in validators already do the work of
detecting a problem and then placing the error messages in the right scope
for display to the user.  If you choose to use ESAPI, you'll have to do some
of that work yourself.
Also, we're specifically talking about input validation in this example, but
as you get into other common issues such as output encoding, ESAPI does a
more thorough job than most any other framework, including JSF.
As for whether to put the validation in your web-app vs. EJB, that's up to
your business.  The general rule of thumb I follow is to put the validations
as early as I can in the process where security is still ensured.  In other
words, if you are sure your webapp is the only one accessing the EJB, then I
would put the validations in the webapp, otherwise they need to go in the
EJB.  Another point to note is that your programming should be defensive,
meaning you should validate that the EJB has the appropriate inputs to
perform it's job whether or not you do full validation there.  One reason I
suggest validating in the webapp is that most web frameworks (including JSF)
already have mechanisms to support validation and error reporting to the end
user, whereas EJB does not.
Hope this helps.
On Wed, Feb 24, 2010 at 11:24 AM, Sebastian <smarichal at seciu.edu.uy> wrote:

> David:
> I've been investigating this for a month and i've read a lot of
> ESAPI-OWASP documents, what is more, actually im using CSRFGuard in
> order to prevent CSRF attacks. I know about the existance of encoders
> and validators provided by ESAPI. In the document "OWASP Top Ten For
> JAVAEE" says this:
> Use JSF validation server-side:
> o f:validateLength for the allowed length of input
> <f:validateLength minimum="2" maximum="10"/>
> o <h:inputText required=”true”> if an input field is required
> So you recomend no to use this? You recomend call ESAPI functions in the
> backing bean code ?
> I think that ESAPI validators has a good point because it is capable to
> detect attacks too...
> David Sklarew wrote:
> > Sebastian,
> >
> >
> >>> " I'll apreciate it you can tell me if it is
> >>>
> > better validate the fields using <f:validate> or <h:inputText
> > required='true'>
> >
> > This is the ESAPI mailing list and hopefully most members would agree
> that
> > you could use the EASPI Java library (the latest 2.X version is
> recommended
> > over the 1.x verion) to validate input and to encode all variable output
> > included in your webpages ( to prevent Cross Site Scripting Attacks).
>  The
> > OWASP website has a good wiki page on preventing cross site scripting
> > attacks..
> >
> > David
> >
> >
> >
> > -----Original Message-----
> > From: esapi-user-bounces at lists.owasp.org
> > [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Sebastian
> > Sent: Wednesday, February 24, 2010 10:05 AM
> > To: esapi-user at lists.owasp.org
> > Subject: [Esapi-user] Validation fields with JSF
> >
> > Hi everybody, im new in the esapi-user list.
> >
> > Actually im investigating security configurations for a JavaEE + JSF
> > application.
> > The system has 2 components, a EJB Proyect called "Logica" and a
> > presentation component called "WebComponent".
> > So, the validations in the pages of WebComponent are done with
> > JavaScript. And when the data arrives to "Logica" then it is validated
> > again (server side).
> > I would like to ask you if it is necesary validate fields in the
> > "WebComponent" on server side, not only JavaScript. Why?
> > And if the answer is "Yes" I'll apreciate it you can tell me if it is
> > better validate the fields using <f:validate> or <h:inputText
> > required='true'> or just validate in the code of the BackingBean ??
> >
> > Thanks you very much!
> >
> > Sebastian
> > _______________________________________________
> > Esapi-user mailing list
> > Esapi-user at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/esapi-user
> >
> >
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100224/fa634461/attachment.html 

More information about the Esapi-user mailing list