tags:

views:

35

answers:

2
+2  Q: 

Can JSF standard validation prevent code injection?

In my project, I do duplicate validation at the presentation layer as well as the persistence layer with the hope to increase security. So my question is: can standard JSF validation prevent code injections.

<h:inputText id="name" value="#{bean.customer.name}" required="true" requiredMessage="Validation Error: Value is required." title="Name" >
      <f:validateLength maximum="40"/>
</h:inputText>

Here I validate if the field is empty, and validate field length. I know validate field length will make it harder to do code injection, but sometimes you need a long field length, such as textArea. And if this is vulnerable, how will I fix it? Thank you so much in advance.

+3  A: 

JSF by default already prevents XSS attacks by escaping user-controlled input in UIInput and UIOutput components. This is controllable in h:outputText by setting escape="false" attribute. You don't need to worry about this.

Prevention against SQL injection attacks, on the other hand, is not the responsibility of JSF. You need to handle this in the persistence layer. For example JPA and/or Hibernate, when well used (i.e. do not concatenate user-controlled input in SQL/named query strings), also by default already prevents it. In plain vanilla JDBC, you need to ensure that you're using PreparedStatement instead of Statement to include user-controlled input in a SQL string. When well used, you also don't need to worry about this in JSF side.

Related questions:

BalusC  2010-08-25 16:41:50
This make me feel much better. :D Thank you +1
Harry Pham  2010-08-25 16:44:53
Oh nice, I was keying in my answer and there comes your answer. My day is doomed!!
Vineet Reynolds  2010-08-25 17:00:02
Is this considered a `concatenate user-controlled input in SQL/named query strings`: `@NamedQuery(name="Customer.delete", query="delete from Customer c where c.id = :id")`, then I would pass a string `customerId` as a parameter to method in session bean, then do this `query.setParameter("id", new Long(customerId));`
Harry Pham  2010-08-25 17:01:50
No, those are named/parameterized queries. That's absolutely fine. They will be escaped. With concatenating I mean more like: `"delete from Customer c where c.id = " + customerId`.
BalusC  2010-08-25 17:02:43
@Harry, the named query will be internally converted into a prepared statement that uses parameterized queries. That is the responsibility of the JPA provider. You'll need to worry about native SQL queries that you construct before handing off to the provider. Basically the strings passed to EntityManager.createQuery() and EntityManager.createNativeQuery() should not have concatenated user input.
Vineet Reynolds  2010-08-25 17:04:58
Thank you guys :D. +1 for both comments
Harry Pham  2010-08-25 17:12:49
+1  A: 
Vineet Reynolds  2010-08-25 16:58:46
awesome post. I am using JPA 2.0 btw. Most of my query involve `"@NamedQuery(name="...", query="... :id"`, then in session bean I would do `query.setParameter("id", new Long(Id));` where `Id` is a string I pass down from my managed bean. That should be ok, correct? Sorry but I can only up vote you, since BalusC definitely post first. I hope this post attract more traffic so you post can get more up vote.
Harry Pham  2010-08-25 17:09:29
I saw your comment up there. Thank you :D
Harry Pham  2010-08-25 17:12:08
@Harry, I'm a bit sluggish today. BalusC's answer deserves to be marked as correct. Glad to be of help :-)
Vineet Reynolds  2010-08-25 17:14:28

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java