I recently integrated the HDIV framework into the web application I am working on.
We had already taken enough safety measures to secure the web application, like
1. Always encoding the output (for example, always printing values from JSP through <c:out> with XML escaping instead of just printing them)
2. Code to secure against SQL injection
3. etc.
But HDIV is an interesting framework: it integrates seamlessly with the existing application, with no need to change the existing code (most of the time), and secures the web application mainly against the following attacks.
1. Cross-site scripting
2. SQL injection
3. URL tampering (I really like this protection; IMO only the links in the web site should be used for navigation, and the user should not be able to change the URL, especially the values in the path, to navigate)
4. Spring bean auto-binding, etc.
There are good documents about HDIV on its website, hdiv.org, but I did not find much documentation about its integration with existing applications. So I decided to explore it myself and found an interesting example implementation at https://github.com/hdiv/hdiv-spring-mvc-showcase; I downloaded and explored it, and it is really awesome. So I am documenting some simple steps to integrate HDIV with your existing Spring application.
Step 1: Dependencies
Include the following dependencies in your project; for Maven:
    <dependency>
        <groupId>org.hdiv</groupId>
        <artifactId>hdiv-core</artifactId>
        <version>2.1.1</version>
    </dependency>
    <dependency>
        <groupId>org.hdiv</groupId>
        <artifactId>hdiv-config</artifactId>
        <version>2.1.1</version>
    </dependency>
    <dependency>
        <groupId>org.hdiv</groupId>
        <artifactId>hdiv-spring-mvc</artifactId>
        <version>2.1.1</version>
    </dependency>
    <dependency>
        <groupId>org.hdiv</groupId>
        <artifactId>hdiv-jstl-taglibs-1.2</artifactId>
        <version>2.1.1</version>
    </dependency>
Step 2: hdiv-config.xml
Copy hdiv-config.xml to your resource folder (or anywhere else on the classpath; a sample is found in the showcase app). See the details about hdiv-config.xml at the bottom of this post.
Step 3: web.xml changes
Step 3.1
Include hdiv-config.xml in the context config location as
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:/spring-context.xml
            classpath:/hdiv-config.xml
        </param-value>
    </context-param>
Step 3.2
Include the following HDIV-specific entries:
    <!-- HDIV Init Listener -->
    <listener>
        <listener-class>org.hdiv.listener.InitListener</listener-class>
    </listener>
    <!-- HDIV Validator Filter -->
    <filter>
        <filter-name>ValidatorFilter</filter-name>
        <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ValidatorFilter</filter-name>
        <servlet-name>dispatcher</servlet-name>
    </filter-mapping>
Here dispatcher is simply the Spring DispatcherServlet, for example
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    </servlet>
Step 3.3
Point the JSTL core URI to the HDIV customized JSTL tag library.
    <jsp-config>
        <taglib>
            <taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
            <taglib-location>/WEB-INF/tlds/hdiv-c.tld</taglib-location>
        </taglib>
    </jsp-config>
Step 4: copy hdiv-c.tld to WEB-INF
Copy hdiv-c.tld from the sample app to the WEB-INF/tlds folder.
Step 5: Create your initial landing page
An HDIV-protected site always expects an HDIV state code to validate the page; if you try to access any page without an HDIV state, it will redirect you to the error page. So we have to create an initial landing page which redirects to another page with an HDIV state. The following is a sample JSP for the initial landing page.
name: index.jsp
    <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
    <html>
    <body>
        <c:redirect url="login/login.html" />
    </body>
    </html>
Include this file in the welcome-file list in web.xml, place it in the root folder, and add the root folder as the start pages folder in hdiv-config.xml, for example:
    <hdiv:config errorPage="/error.jsp">
        <hdiv:startPages>/</hdiv:startPages>
        <hdiv:paramsWithoutValidation>
            <hdiv:mapping url="/job/[0-9]*/.*/update.ht" parameters=".*"/>
        </hdiv:paramsWithoutValidation>
    </hdiv:config>
All the files in the root folder (/) are considered landing or start pages, so they will be exempted from HDIV state validation.
Important points:
1. Spring tags 3.0 and later have built-in support for HDIV, so they can simply be used along with HDIV, but to use previous versions of the Spring tags you may need to point your TLDs to the customized Spring TLDs; please refer to the HDIV documentation for more details.
2. When using it along with Spring Security or other frameworks which intercept the request and redirect to different pages, special care should be taken, otherwise it will end up in indefinite redirection loops. I had Spring Security in the project, so I moved all the Spring Security related files (login, logout, etc.) to a different path which is not intercepted by HDIV, for more clarity.
3. Whenever accessing HDIV-protected paths from non-protected paths, always use redirects as mentioned in the landing page step above.
Some points on hdiv-config.xml
There are three main sections in this file:
1. The <hdiv:config> section, which is used to configure the start pages path, the error page and validation exceptions.
2. The <hdiv:validation> section, which is used to define the acceptable input formats.
3. The <hdiv:editableValidations> section, which is used to associate the validations defined in the <hdiv:validation> section with paths.
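As an added example (not the showcase's own file), here is a complete hdiv-config.xml that puts the three sections together, covering the start pages setup from Step 5 as well. The /login and /logout start pages and the safeText rule are my assumptions, and the schema URL and attribute names follow the HDIV 2.1 schema as I recall it, so check them against the showcase copy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a full hdiv-config.xml, not the showcase's own file.
     The /login/.* and /logout.* start pages and the safeText rule are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:hdiv="http://www.hdiv.org/schema/hdiv"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.hdiv.org/schema/hdiv
           http://www.hdiv.org/schema/hdiv/hdiv.xsd">

    <!-- Section 1: error page, start pages and validation exceptions.
         Static resources need no HDIV state, so their extensions are excluded. -->
    <hdiv:config errorPage="/error.jsp" excludedExtensions="css,png,gif,js">
        <!-- Requests matching these patterns are accepted without an HDIV state:
             the landing page (/) and the Spring Security paths kept outside HDIV -->
        <hdiv:startPages>/, /login/.*, /logout.*</hdiv:startPages>
        <!-- Parameters on this URL pattern are not checked against the stored state -->
        <hdiv:paramsWithoutValidation>
            <hdiv:mapping url="/job/[0-9]*/.*/update.ht" parameters=".*"/>
        </hdiv:paramsWithoutValidation>
    </hdiv:config>

    <!-- Section 2: what an editable (free text) field may contain -->
    <hdiv:validation id="safeText">
        <!-- accept letters, digits, spaces and a few punctuation characters -->
        <hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9 .,@_\-]*$]]></hdiv:acceptedPattern>
        <!-- reject anything that looks like markup or a SQL comment -->
        <hdiv:rejectedPattern><![CDATA[(<|>|--|/\*)]]></hdiv:rejectedPattern>
    </hdiv:validation>

    <!-- Section 3: apply the rule to every URL, on top of HDIV's default rules -->
    <hdiv:editableValidations>
        <hdiv:validationRule url="/.*" enableDefaults="true">safeText</hdiv:validationRule>
    </hdiv:editableValidations>

</beans>
```

A field that fails the safeText rule is rejected by the ValidatorFilter and the request ends on the configured error page, so test the patterns against real form input before tightening them.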
HDIV is really an added layer of protection for sites: developers may miss a few things when protecting a site. By using a framework like HDIV, developers can concentrate more on building the logic than on protecting each and every page.
Give it a try, and post a comment on how it goes....