struts validation framework part 2
DESCRIPTION
null Bangalore, January 2014 Meet
TRANSCRIPT
Disclaimer
Opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.
Courtesy
Google for images…
SlideShare for slides…
Wikipedia for text…
Struts validation framework
Web Application Security
Structure
What, why, how: MVC? Concept and origin; execution process
What, why, how: web framework? Features
What, why, how: validation framework?
Attacker's view: why should I care?
• Applications are getting smarter
• Applications are getting tougher; the old strategy may not work
• Strategy: move from outside-in to inside-out, i.e. understand the internals
Defender's view: how to write (or suggest) defensive programming
SOFTWARE EVOLUTION
1979: formulated by Norwegian computer scientist Trygve Reenskaug for Graphical User Interface (GUI) software design; the MVC architecture was one of the primary outcomes of GUI development.
First prototype of a computer mouse
Early Apple GUI
Introduction of graphic "views" in computing
Software Architecture Pattern
Separates representation of information from user interaction.
Promotes:
• Code Reusability
• Separation of Concerns
Separation of Concerns
• Improves code clarity and organization
• Helps troubleshooting by isolating issues
• Allows multiple teams to develop simultaneously
Code Reusability
• Shortens development
• Code libraries
• Design patterns
• Frameworks
Big Picture
• Design patterns: MVC
• Frameworks built on it: Struts (with its validation framework), Spring (with its validation framework)
Without a framework: opportunity to attack
• XSS
• SQL injection
• Command injection
• XML injection
With a framework: every input passes through the framework's validation layer before it reaches application code, so these openings have to be found in one place instead of in every handler.
Types of MVC Frameworks
• ASP.NET (ASP.NET 4.0 Framework)
• PHP (Zend, Symfony, CakePHP, CodeIgniter)
• JavaScript (Backbone.js, Ember.js, JavaScriptMVC)
• Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket…)
MVC Execution Process
Controller – Mediates input and commands for the model or view
Model – Application data, business rules, logic, and functions.
View – Output and representation of data
Advantages of MVC
• Easier to manage complexity
• Does not use view state or server-based forms (unlike ASP.NET Web Forms)
• Rich routing structure
• Support for test-driven development
• Supports large teams well
Data-validation Framework
Input filters (everything the client can set is input)
• Headers
• Input form fields: text, button, select, radio, hidden, file (browse)
• URL (path and query string)
• Session / cookie
Output filter
• Response object
• Automatic HTML entity encoding (Spring)
Validation Strategy
• Centralize the data flow: struts-config.xml
– Declares every form bean and the action mapping that uses it (the address of each input form); validation only runs for mappings with validate="true"
• Control each piece of data: the validation form (ActionForm/ValidatorForm)
– Includes every input field; a field that is not declared is never validated
• Assign validation logic to each field: validation.xml
– For each field, specify one or more validation rules (the depends list)
• Define validation logic: validator-rules.xml
– Max length, min length, known-good (whitelist) validation
• Bind each field to a regular expression (the mask validator)
Web app without a framework: every input handler carries its own copy of the max length, min length and known-good checks, and each copy can drift from the others.
Web app with the framework: struts-config.xml and validation.xml bind every field to one shared set of max length, min length and known-good rules.
Mask regex: ^[0-9a-zA-Z]*$
Allowed characters: 0123456789 abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ
Sample inputs: null123, '--1, Abx12p, @!#$%
Only null123 and Abx12p reach the application; '--1 and @!#$% are rejected by the mask.
Caveat: the * quantifier also accepts the empty string, so this mask on its own does not enforce a minimum length; combine it with required/minlength, or bound the length in the pattern itself as the later regex slide does.
Output encoding (struts-config.xml)
Character → Encoding
< → &lt;
> → &gt;
& → &amp;
Input: null<xyz>123&
Output: null&lt;xyz&gt;123&amp;
Note: in Struts 1 this escaping is done by the <bean:write> tag (filter="true" by default), so any JSP that writes a value with filter="false" or with plain scriptlets bypasses the output filter.
Regex: ^[a-z0-9_-]{3,15}$
Characters allowed: a to z (lower case only)
Numbers allowed: 0 1 2 3 4 5 6 7 8 9
Special chars allowed: underscore and hyphen
Max length: 15
Min length: 3
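The three slides above (the ^[0-9a-zA-Z]*$ mask with its sample inputs, the output-encoding table, and the ^[a-z0-9_-]{3,15}$ regex) can be checked together in a stand-alone program. This is an added example, not code from the talk or from Struts: it re-implements the rule order a field declares with depends="required,minlength,maxlength,mask" in plain java.util.regex, and the output filter from the encoding slide, and runs both over the slide's own inputs plus two constructed edge cases (an empty string and a 16-character string) that show why the * mask alone is not enough. Class and method names are the example's own.

```java
import java.util.regex.Pattern;

public class ValidationDemo {

    // Mask from the sample-input slide: letters and digits, but "*" also matches "".
    static final Pattern OPEN_MASK = Pattern.compile("^[0-9a-zA-Z]*$");

    // Mask from the regex slide: lower-case letters, digits, "_" and "-", length 3..15.
    static final Pattern BOUNDED_MASK = Pattern.compile("^[a-z0-9_-]{3,15}$");

    /**
     * Applies the rules in the order depends="required,minlength,maxlength,mask"
     * and returns the name of the first rule that fails, or "ok". Checking stops
     * at the first failure, which is why the order of the depends list matters.
     * "required" mirrors a blank-or-null check: whitespace-only input is rejected.
     */
    static String firstFailure(String value, int min, int max, Pattern mask) {
        if (value == null || value.trim().isEmpty()) return "required";
        if (value.length() < min) return "minlength";
        if (value.length() > max) return "maxlength";
        if (!mask.matcher(value).matches()) return "mask";
        return "ok";
    }

    /** Output filter from the encoding slide: the three characters that change meaning in HTML text. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;");  break;
                case '>': out.append("&gt;");  break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Inputs from the slide, plus two constructed edge cases: "" and 16 characters.
        String[] samples = { "null123", "'--1", "Abx12p", "@!#$%", "", "aaaaaaaaaaaaaaaa" };
        for (String s : samples) {
            System.out.printf("%-20s open mask: %-7s bounded chain: %s%n",
                    "\"" + s + "\"",
                    OPEN_MASK.matcher(s).matches() ? "accept" : "reject",
                    firstFailure(s, 3, 15, BOUNDED_MASK));
        }
        // The one input the encoding slide shows, encoded before it is written to the response.
        System.out.println(htmlEncode("null<xyz>123&"));
    }
}
```

Running it shows the point the slides make in one table: the open mask lets null123 and Abx12p through and rejects '--1 and @!#$%, but it also accepts the empty string and the 16-character string, while the bounded chain rejects those as "required" and "maxlength" and additionally rejects Abx12p on the mask because of the upper-case letter. The last line prints the encoded form of the slide's input with the three special characters replaced by entities.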
End..
Slides will be uploaded to the null site and SlideShare…
Need hands-on? Scream for a bachaav session…
I am open to taking a session…