jsr372-experts@javaserverfaces-spec-public.java.net

[jsr372-experts] Re: [jsr372-experts mirror] Re: Fwd: Java Web Frameworks guide

From: Kito Mann <kito.mann_at_virtua.com>
Date: Fri, 20 Mar 2015 09:06:20 -0400

Good point, Arjan. I just forwarded your comment to Simon at Zeroturnaround.

___

Kito D. Mann | @kito99 | Author, JSF in Action
Virtua, Inc. | http://www.virtua.com | JSF/Java EE training and consulting
http://www.JSFCentral.com | @jsfcentral
+1 203-998-0403

* Listen to the Enterprise Java Newscast: http://www.enterprisejavanews.com
* JSFCentral Interviews Podcast:
http://www.jsfcentral.com/resources/jsfcentralpodcasts/
* Sign up for the JSFCentral Newsletter: http://oi.vresp.com/?fid=ac048d0e17

On Thu, Mar 19, 2015 at 11:06 AM, arjan tijms <arjan.tijms_at_gmail.com> wrote:

> Hi,
>
> On Thu, Mar 19, 2015 at 3:18 PM, Kito Mann <kito.mann_at_virtua.com> wrote:
>
>>
>> A new JRebel guide -- always an interesting read:
>> http://pages.zeroturnaround.com/JRNurture_08GuidetoJavaWebFrameworks-DemoCOnfirmation.html
>>
>
>
> While not entirely bad, I've found the report a bit lacking in some areas.
> It states for instance that for security JSF does not offer anything beyond
> the Java EE platform security.
>
> This is of course not true. JSF escapes all rendered user values by
> default, which by itself is a very valuable and safe default that guards
> against injection attacks. Then non-stateless views are by default
> protected against CSRF attacks, and there's an explicit CSRF protection
> mechanism.
>
> If I'm not mistaken the community has pointed this out in the comments of
> a previous report, so JRebel should be aware of this by now.
>
> Kind regards,
> Arjan Tijms
>
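
The defaults described in the quoted reply, shown as an added illustration that is not part of the original thread and is not code from its authors or the JSF project. The view name, `commentBean`, its properties and the `/admin/*` pattern are hypothetical; the tags, attributes and `faces-config.xml` elements are those of JSF 2.2.

```xml
<!-- comment.xhtml: a Facelets view (hypothetical file and bean names) -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:body>
    <!-- Default is escape="true": a stored value such as
         <script>alert(1)</script> is written out as
         &lt;script&gt;alert(1)&lt;/script&gt; and displayed as text. -->
    <h:outputText value="#{commentBean.text}" />

    <!-- EL placed directly in template text is escaped the same way. -->
    <p>#{commentBean.author}</p>

    <!-- Explicit opt-out: the value is written as raw markup, so it must
         already be sanitized server-side (hypothetical property). -->
    <h:outputText value="#{commentBean.sanitizedHtml}" escape="false" />

    <!-- In a stateful (non-transient) view, h:form renders a hidden
         javax.faces.ViewState field. A forged cross-site POST that lacks
         a valid value for it does not invoke the action. -->
    <h:form>
        <h:inputTextarea value="#{commentBean.text}" />
        <h:commandButton value="Post" action="#{commentBean.save}" />
    </h:form>
</h:body>
</html>

<!-- faces-config.xml: the explicit CSRF mechanism (protected views).
     JSF adds a javax.faces.Token parameter to the links it generates
     to matching views and rejects requests without a valid token. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">
    <protected-views>
        <url-pattern>/admin/*</url-pattern>
    </protected-views>
</faces-config>
```

When reviewing a JSF code base for XSS, searching the views for `escape="false"` finds the places where the safe default was switched off.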