jsr372-experts@javaserverfaces-spec-public.java.net

[jsr372-experts] Re: Fwd: Java Web Frameworks guide

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Thu, 19 Mar 2015 16:06:39 +0100

Hi,

On Thu, Mar 19, 2015 at 3:18 PM, Kito Mann <kito.mann_at_virtua.com> wrote:

>
> A new JRebel guide -- always an interesting read:
> http://pages.zeroturnaround.com/JRNurture_08GuidetoJavaWebFrameworks-DemoCOnfirmation.html
>


While not entirely bad, I've found the report a bit lacking in some areas.
It states, for instance, that for security JSF does not offer anything beyond
the Java EE platform security.

This is of course not true. JSF escapes all rendered user values by
default, which by itself is a very valuable and safe default that guards
against injection attacks. Then non-stateless views are by default
protected against CSRF attacks, and there's an explicit CSRF protection
mechanism.

If I'm not mistaken, the community has pointed this out in the comments of a
previous report, so JRebel should be aware of this by now.

Kind regards,
Arjan Tijms

>
> ___
>
> Kito D. Mann | @kito99 | Author, JSF in Action
> Virtua, Inc. | http://www.virtua.com | JSF/Java EE training and consulting
> http://www.JSFCentral.com | @jsfcentral
> +1 203-998-0403
>
> * Listen to the Enterprise Java Newscast: http://www.enterprisejavanews.com
> <http://blogs.jsfcentral.com/JSFNewscast/>
> * JSFCentral Interviews Podcast:
> http://www.jsfcentral.com/resources/jsfcentralpodcasts/
> * Sign up for the JSFCentral Newsletter:
> http://oi.vresp.com/?fid=ac048d0e17
>
>
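The three JSF defaults named in the reply above (escaped output, the ViewState-backed protection of stateful views against CSRF, and the explicit protected-views mechanism of JSF 2.2) as a minimal configuration plus Facelets page. This is an added example for this archive page, not code from the thread, from the JRebel guide, or from the JSF reference implementation; the bean name `userBean`, its properties, the page names and the `/admin/deleteUser.xhtml` URL pattern are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/faces-config.xml (added example, file name assumed) -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">
    <!-- The explicit CSRF mechanism of JSF 2.2: a GET for a view matching this
         pattern is only served if it carries a valid javax.faces.Token
         parameter, which h:link / h:button add when they target the view.
         A request without it is rejected with ProtectedViewException.
         The URL pattern is an assumption for this example. -->
    <protected-views>
        <url-pattern>/admin/deleteUser.xhtml</url-pattern>
    </protected-views>
</faces-config>

<!-- profile.xhtml (added example, file name assumed): the escaping defaults -->
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head><title>Profile</title></h:head>
<h:body>
    <!-- Default: the rendered value is HTML-escaped. If displayName holds
         <script>alert(1)</script>, the browser receives &lt;script&gt;...,
         so the input is shown as text, not executed. -->
    <h:outputText value="#{userBean.displayName}"/>

    <!-- Inline EL in Facelets template text is escaped as well. -->
    <p>Hello, #{userBean.displayName}</p>

    <!-- The explicit opt-out. Only acceptable for markup the application
         itself generated or sanitised; never for raw user input. -->
    <h:outputText value="#{userBean.trustedHtmlSnippet}" escape="false"/>

    <!-- A form in a stateful view renders a hidden javax.faces.ViewState
         field. With server-side state saving, a postback whose ViewState does
         not match a view in the caller's session is rejected
         (ViewExpiredException), which is the implicit CSRF protection of
         non-stateless views. -->
    <h:form>
        <h:inputText value="#{userBean.displayName}"/>
        <h:commandButton value="Save" action="#{userBean.save}"/>
    </h:form>

    <!-- h:link appends javax.faces.Token because the target is a protected
         view; a hand-written <a href="/admin/deleteUser.xhtml"> would not,
         and that GET would be refused. -->
    <h:link outcome="/admin/deleteUser" value="Delete account"/>
</h:body>
</html>
```

Two caveats when relying on these defaults: a view declared stateless with `<f:view transient="true">` renders no usable ViewState, so it loses the implicit protection and needs another CSRF token if it accepts state-changing POSTs; and protected views only guard views listed in `<protected-views>`, so the list has to be kept in step with any GET-driven action pages added later.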