How secure is out-of-the-box Broadleaf? - security

I am evaluating Broadleaf Commerce.
Currently I have one concern. If I install out-of-the-box Broadleaf Commerce, how secure is it? What existing vulnerabilities do I need to watch for when using it out of the box?
I went through the documentation. It mentioned that SQL injection and XSS have been taken care of, but I am not sure to what extent.
I am new to eCommerce and security, so I am unable to evaluate this parameter.

From the official Broadleaf forum:
Broadleaf Commerce uses an extendible ORM strategy based on JPA (and specifically Hibernate behind the scenes). If you drill down even further, we are entirely using prepared statements and we do not dynamically build queries at all using user input. This deals with the SQL injection issue.
As for XSS, we utilize Spring MVC as our de-facto engine for the presentation layer and even provide some out-of-the-box controllers to speed development in this area. Spring MVC has great support for protection against XSS through html escape sequences via simple configuration. This blog talks about it a bit more: http://sanjaysinghloha.blogspot.com/200 ... ng_05.html. Having said that, as an e-commerce framework, Broadleaf Commerce does not force you to use Spring MVC to create a site. Any modern Java-based MVC framework should work fine with Broadleaf Commerce, but care should be taken with any MVC framework choice to account for XSS protection.
One of our partners has built their entire e-commerce site on Broadleaf Commerce using Spring MVC and Spring Security and has utilized S3 Security (http://www.s3security.com) to perform their extensive penetration testing as part of their successful PCI certification. S3 uses several tools, one of which is Retina Scanner.
No vulnerabilities have been discovered so far.
IMHO, from a penetration tester's point of view, it seems pretty safe and developed with security in mind, but this still doesn't mean it's invulnerable. By implementing a WAF such as mod_security and staying aware of updates, you will be good to go.
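The two points the forum reply makes, as an added Java example rather than Broadleaf's own code: a query that splices request input into JPQL text beside the bound-parameter form that Hibernate turns into a prepared statement, and Spring's HTML escaping for values echoed into a view. It assumes an EntityManager from the application's persistence unit, a hypothetical Customer entity defined inline, and Spring's spring-web jar on the classpath.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import org.springframework.web.util.HtmlUtils;

public class BroadleafStyleInputHandling {

    // Hypothetical entity standing in for a customer record (not Broadleaf's own).
    @Entity
    public static class Customer {
        @Id public Long id;
        public String name;
    }

    // The pattern the forum answer says Broadleaf avoids: request input is
    // spliced into the query text, so the database parses it as part of the
    // statement rather than treating it as data. A legitimate name such as
    // O'Brien already produces an unbalanced quote and a broken query.
    static String buildConcatenatedJpql(String customerName) {
        return "SELECT c FROM Customer c WHERE c.name = '" + customerName + "'";
    }

    // The pattern the answer describes: fixed query text plus a named parameter.
    // Hibernate compiles this to a prepared statement and sends the value
    // separately, so quotes or SQL keywords inside the name are never syntax.
    static TypedQuery<Customer> findByName(EntityManager em, String customerName) {
        return em.createQuery("SELECT c FROM Customer c WHERE c.name = :name", Customer.class)
                 .setParameter("name", customerName);
    }

    // XSS side: any value echoed into a page must be HTML-escaped on output.
    // Spring MVC's form/bind tags do this automatically when web.xml declares
    //   <context-param><param-name>defaultHtmlEscape</param-name>
    //                  <param-value>true</param-value></context-param>
    // HtmlUtils.htmlEscape applies the same escaping by hand, e.g. in code that
    // assembles an HTML fragment itself.
    static String renderWelcome(String customerName) {
        return "<p>Welcome, " + HtmlUtils.htmlEscape(customerName) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a name containing a quote, and markup in a profile field.
        System.out.println(buildConcatenatedJpql("O'Brien"));   // quote breaks the query text
        System.out.println(renderWelcome("<b>Ann</b>"));        // tags rendered as text, not markup
    }
}
```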

Related

How to build SPA using sharepoint

My company is big on SharePoint, but server-side controls have an inherent problem with performance. I want to move page rendering responsibility to the client side with a concept similar to an SPA. What is the best framework or architectural style for this?
Single Page Applications are gaining immense popularity these days mainly because of their fluidity and responsiveness. Clearly the framework and architectural style depends heavily upon the requirements.
Framework:
There are a host of frameworks available that can be leveraged depending upon the complexity of the SPA you are planning - Backbone, Angular, Knockout, Ember etc. I personally prefer the Angular and Knockout frameworks because of their simplicity and their data binding and directive capabilities. Moreover, you can also efficiently handle REST calls to SharePoint using Breeze.js. Refer to this link for more details.
Architecture Styles:
Typically SPAs use MVC or MVVM patterns to decouple the UI aspect from the business logic, but this again is requirement driven. Regardless of the style/pattern, it is important to keep the code modular and not to expose implementation details as much as possible.
Packaging:
As far as SPAs for SharePoint are concerned, the best way to package and deploy them is in the form of SharePoint Hosted Apps. SharePoint Hosted Apps only allow client-side code and hence leverage the JavaScript object model and REST API for SharePoint, making them ideal for deploying an SPA over SharePoint.
References:
https://www.pluralsight.com/courses/building-sharepoint-apps-spa-angularjs

Resources/Explanations on Current Web Architecture & Technologies across the stack?

I am building a new web app, but I feel I don't have the big-picture representation that I wish to have before building it, so I am looking for resources to really understand the web as a whole throughout the full stack.
I've been a self-taught web developer since 2006, but I took a long break during university in 2010, finished in 2014, and came out to find the whole picture of the web had changed.
I was familiar with the LAMP architecture, and back then as long as you understood PHP, JavaScript, jQuery, MySQL, HTML & CSS you were fine; now MEAN is making a lot of noise, and I just took a look at what Facebook is built with and it talks of HipHop, which I have never heard of before, and I feel quite lost with frameworks and languages popping out every other week.
I basically am looking for resources to understand the web as a whole, not just to create web pages, so I can make informed decisions about building this and any other web app in the future. I want to know how all these new technologies are fitting into the picture.
Thank you
The big picture is you need a database, a data access layer that talks to that database, something to route the requests and something to display the result to the page.
There are lots of frameworks / technologies. IMO the LAMP stack is a bit old school. Not that it's not fit for purpose, it's just there are faster, better, easier stacks than that.
In terms of development languages and frameworks I would check out
Ruby-on-rails,
Spring-boot (with MVC, JPA, freemarker + mysql),
ASP.NET5
For databases, MySQL is always really popular because it's free. H2 is a free in-memory database; I think it's a nice DB to get up and running really fast.
Generally these days data access is done through some sort of 'Object Relational Mapper' framework like Hibernate (if you're using Java), LINQ (if you're using ASP.NET) or whatever Ruby on Rails uses.
For the view technology, HTML and CSS are obviously standard, but lately Bootstrap 3 is really popular as a front-end UI framework to make things a lot easier. In terms of JavaScript, jQuery is basically a de facto standard these days. Something like Knockout.js or Angular.js provides nice data binding between your model and your view to make things a lot easier.
Not to mention, as an extra layer these days people are also putting their apps inside Docker containers and deploying them that way for maximum portability. So that is something new that you won't have seen before if you've been away from the game for a while.
Anyway, my favourite is the spring-boot stack. It has an embedded instance of the Tomcat web server and it comes all auto configured.
I believe the main changes that affected the course of the current web development scenario are related to cloud-based services, like Amazon AWS, Google Cloud, Microsoft Azure, and Virtual Private Servers (VPS).
Now it is cheaper and possible to plan and develop a distributed environment to reach a massive number of users. Servers are adapting their technologies to this new scenario and to providing easy web service endpoints for mobile clients via REST APIs (like Google, Facebook, SoundCloud and almost every other service provider) using JSON for small data transfers between server and clients.
This is the present and near future of web development. And we can no longer close our eyes to mobile. The mobile-first era is coming.
You can use the LAMP stack for web development, with or without frameworks like Zend, CakePHP and others, but the end product will be a REST or RESTful service provider and a client to consume the services and integrate with many 3rd parties like Google, Yahoo, Facebook, Amazon services to build modern applications.
As for databases, there are now distributed non-relational NoSQL options like Hadoop, MongoDB and MariaDB, bringing more options to plan a robust infrastructure that is flexible and adjustable for all needs.
To create a great web platform it is necessary to know of the existence of all these tools and possibilities, but specialize and learn deeply only the tools you will choose to develop with, because it is impossible to learn everything, our brain can't handle it :) and everything seems to update very fast in this area.
Choosing the right one is difficult, there are a lot of options, but the main concept will always be the same: there will be provider and consumer fronts, distributed or non-distributed, and a multi-layered development involving UI, integration, business and data (big data) manipulation. But now on the Cloud.
You can find good official material for PHP, Amazon web services, NoSQL databases, common 3rd-party APIs like Google Apps, Facebook... REST clients and frameworks, JSON... and there are a lot of good alternative sources too... get some open-source project examples on GitHub (Git is another mandatory tool to learn).
I particularly develop in Java now, Linux/MySQL/Tomcat on Amazon AWS infrastructure, using Java-JSP for server and web client, and Java for Android... I just have to deal with Java environments and one language for server (web server and OS programs) and client (web and mobile) development.
Well, I hope I could help. I don't know if this is exactly the answer, or if I made it clear, because my English is basic...
Well, have a nice weekend.
Leo

ServiceStack vs ASP.Net Web API [closed]

I want to write a new REST style API and have looked at ServiceStack and quite like it. However, I have seen that Microsoft has released the ASP.Net Web API project as part of the new MVC 4 beta. Has anyone looked at the new Web API project? Can you give any pros/cons of each system?
They have very similar use-cases. As the lead maintainer for the ServiceStack project, I have a good insight into ServiceStack's advantages and the many natural benefits of its message-based design.
ServiceStack has been around since 2008 as an OSS-run project from its inception with a single goal of promoting the correct design and implementation of friction-free remote services.
Simple and Elegant Design
In its pursuit for ultimate simplicity, it's built around a simple and elegant core - with most of its features naturally binding to your models, not your controllers - which is what MVC, WebApi does (as well as every other Web Service Framework Microsoft has produced).
Adopting a message-based design offers a superior approach for remote services, in that it promotes more extensible and less brittle services, simplifies access and calling patterns, and contains many other natural benefits you get for free.
As a core mission, we fight complexity at every stage, aiming to keep an invisible and non-intrusive API and avoid introducing any new concepts or artificial constructs that aren't already familiar to .NET or web service developers today.
As an example your IService<T> service implementation is just a standard C# class with auto-wired dependencies. Thin and lightweight wrappers are used to provide a consistent and unified API around the core run-time IHttpRequest and IHttpResponse types. They also allow access to underlying ASP.NET or HttpListener's Request and Response classes so you're never restricted when using ServiceStack.
Contrasted with WCF and WebApi
Here's a brief overview of the contrasting API styles that ServiceStack and WCF promote. WebApi is different to WCF in that it encourages REST-ful API design. As for examples between the 2, this is the only known example I have with the same service written in both ServiceStack and WebApi.
Best Practices remote services
ServiceStack has a primary focus on simplicity, performance and in promoting web/remote service best-practices centered around embracing Martin Fowler's remote-service design patterns in as idiomatic C# as possible:
The Facade Pattern - Which suggests the usage of batchful, coarse-grained interfaces whenever you communicate across process boundaries.
The DTO pattern (MSDN) - Dictating the use of special-purpose POCOs to generate the wire format of your web services responses.
The Gateway Pattern (MSDN) to encapsulate your client and server communications between the Client Gateway / DTO models and Service Interface tiers.
These patterns ensure a clean separation of concerns and a friction-free iterative dev experience.
Empowering your services
A ServiceStack web service at its core is centered around a dependency-free and auto-wired pure C# IService<T> interface that gives you complete freedom to define your web service contract with your own Request and Response DTOs using clean POCOs - rendering ServiceStack's API practically invisible and non-invasive, i.e. it's trivial to extract your C# services logic and run it outside of a ServiceStack host.
This gist is a good example of what you get with just 1 C# .cs class in ServiceStack:
Metadata pages for all registered formats
With links to WSDLs, XSDs and C# client examples
Human friendly HTML report view
A single self-contained html page snapshot (i.e. no external refs). Includes embedded JSON web service response - allows programmatic access to data snapshots.
Built-in Mini Profiler (port of the excellent MVC Mini Profiler)
Includes Sql Profiling
JSON/JSONP, XML, JSV, CSV and SOAP end-points
The RestServiceBase and ServiceBase classes are intended to host your custom C# logic for maximum potential re-use, e.g. its DTO-first design trivially allows for deferred and proxied execution where your same C# Service can also be hosted and executed in an MQ Host, which is what happens when you register an IMessageService like the RedisMQ host and call your service via the /asynconeway endpoint (i.e. client.SendOneWay() in C# Clients).
You can also easily delegate and create composite services using the base.ResolveService<T>() method which returns an auto-wired instance of the selected service as seen in the Northwind CustomerDetails Service example:
var ordersService = base.ResolveService<OrdersService>();
var ordersResponse = (OrdersResponse)ordersService.Get(
new Orders { CustomerId = customer.Id });
Return plain C# objects
For the most part ServiceStack will serialize most C# objects as expected - here's a list of possible return types (from this answer):
Any DTO object -> serialized to Response ContentType
HttpResult, HttpError, CompressedResult (IHttpResult) for Customized HTTP response
The following types are not converted and get written directly to the Response Stream:
String
Stream
IStreamWriter
byte[] - with the application/octet-stream Content Type.
An example of the Custom HTTP headers support can be seen by this CORS example where you can configure HTTP Headers globally or on a per-service basis.
HTML Support
There are multiple options for returning HTML in ServiceStack that is explained in detail here.
Includes fastest text and binary serializers for .NET
Resilient and fast serializers are of primary importance in an API to ensure fast response times and a versionable API which doesn't break existing clients which is why ServiceStack includes the fastest text serializers for .NET with a NuGet option to enable #marcgravell's Protocol Buffers (.NET's fastest binary serializer).
ServiceStack's text serializers are very resilient and can withstand extreme versioning without error.
Friction-free dev experience End-to-End
ServiceStack's opinionated nature allows for a fast, typed, terse web service API end-to-end with built-in support for Sync/Async C#/.NET and Async Silverlight clients without any code-gen:
Sync C# Example
var response = client.Send<HelloResponse>(new Hello { Name = "World!" });
Async C# Example
client.SendAsync<HelloResponse>(new Hello { Name = "World!" },
r => Console.WriteLine(r.Result), (r, ex) => { throw ex; });
As it just returns pure JSON it's also trivially consumed with other HTTP Clients, e.g. JS client example using jQuery:
$.getJSON("http://localhost/Backbone.Todo/todos", function(todos) {
alert(todos.length == 1);
});
Highly testable
All C#/.NET ServiceClients share the same interfaces which make them highly testable and swappable to the point where you can have the same unit test also serve as an XML, JSON, JSV, SOAP Integration Test.
Rich Validation and Error Handling built-in
In its mission to provide a friction-free and clean dev experience, ServiceStack also includes typed validation and error handling built-in, where throwing a C# Exception or using its built-in Fluent validation provides clients structured, typed errors easily accessible on web service clients, e.g.:
try {
var client = new JsonServiceClient(BaseUri);
var response = client.Send<UserResponse>(new User());
} catch (WebServiceException webEx) {
/*
webEx.StatusCode = 400
webEx.ErrorCode = ArgumentNullException
webEx.Message = Value cannot be null. Parameter name: Name
webEx.StackTrace = (your Server Exception StackTrace - if DebugMode is enabled)
webEx.ResponseDto = (your populated Response DTO)
webEx.ResponseStatus = (your populated Response Status DTO)
webEx.GetFieldErrors() = (individual errors for each field if any)
*/
}
To make it trivial to consume errors in JavaScript, you can use the lightweight ss-validation.js JavaScript library to trivially bind your response errors to your HTML form fields with a single line of code. The SocialBootstrapApi example project provides a good demo of this.
Rich Integration with ASP.NET and MVC
The ServiceStack MVC PowerPack re-writes and fixes a lot of the ails of ASP.NET and MVC with replacements for its crippling Session and Caching XML-encumbered ASP.NET providers with its own clean and dependency-free implementation of ICacheClient and ISession APIs.
ServiceStack also includes a newer and cleaner authentication and authorization provider model with a number of different AuthProviders in-built:
Credentials - For authenticating with username/password credentials by posting to the /auth/credentials service
Basic Auth - Allowing users to authenticate with Basic Authentication
Twitter OAuth - Allow users to Register and Authenticate with Twitter
Facebook OAuth - Allow users to Register and Authenticate with Facebook
The Authentication module is entirely optional and is built-on the clean ICacheClient / ISession APIs and OrmLite which allows your Sessions to be stored in Memory, Redis or Memcached and your UserAuth info persisted in OrmLite's supported RDBMS's of SQLServer, MySql, PostgreSQL, Sqlite as well as Redis data-store or InMemory (useful for dev/testing).
Great Documentation
ServiceStack is very well documented where most of the information about the framework is hosted on the GitHub wiki. Documentation for other parts of the framework (e.g. Serializers, Redis, OrmLite) can be found on servicestack.net/docs/
The ServiceStack.Examples Project provides the source code for all of ServiceStack's live demos and Starter Templates, whilst the SocialBootstrapApi project provides a great starting point for developing a Backbone.js Single Page App with ServiceStack and MVC based on Twitter's Bootstrap template.
In addition to the above a treasure trove of information is contained within the Google Group which has expanded quite considerably in recent years.
Runs Everywhere
ServiceStack is a .NET 3.5 framework that runs on ASP.NET and HttpListener hosts and can be hosted on either .NET or Mono (trivia: www.servicestack.net is powered by CentOS/Mono). This allows your ServiceStack web services to be hosted on either:
Windows with .NET 3.5 & 4.0
IIS 5/6/7 (uses IHttpHandler)
VS.NET WebDevServer
Console App or Windows GUI
Windows Service
Linux/OSX with Mono
Apache + mod_mono
Nginx + MonoFastCGI
XSP
Console App
Developed with the Open Source development model
ServiceStack is a strong believer in the Open Source development model, where it is actively developed in the open and has always been hosted under a liberal OSS licence (New BSD) since its inception. As of today it has received contributions from more than 47 developers and it currently stands as the 3rd most watched C# project on GitHub.
Disadvantages
I believe the biggest disadvantage is the same for most other OSS .NET projects where it wasn't developed (or even listed as an available option) by Microsoft. This means it's rarely ever the first choice when evaluating a framework. Most adopters will only evaluate ServiceStack as a last resort, where they're either frustrated with the imposed friction and brittleness of WCF or the performance of the preferred Microsoft Stack.
Feedback and Community Resources
ServiceStack has been very well received with positive feedback provided by most people who have evaluated it as visible by the positive sentiment in the mailing group. As of this year the #ServiceStack twitter account has been tracking mentions and feedback in its favorites.
The Community Resources wiki page is a good place to find out more about ServiceStack in the wild with links to Blog Posts, Pod Casts, Presentations, Gists and more.
There is a new main difference that needs to be accounted for - ServiceStack is no longer free to use as of v4. Since there is a pretty definitive answer on the SS pros, I wanted to throw a couple out for Web API.
Web API
Pros:
Free to use in your project (provided you have a VS license that allows commercial use)
Extraordinarily high level of free support available from Microsoft and all over the web, including here on StackOverflow.com.
Quickly integrates with other Microsoft technology stacks like ASP.NET MVC which is extremely popular in Microsoft shops
Built in support for RESTful authentication and authorization in your Microsoft stack
Cons:
Doesn't support SOAP
Ancillary Benefits
(Please feel free to leave comments below adding to why Web API has benefits or has pros / cons I can add)
I can't really say much about ServiceStack, but Web API has a lot of great features and is currently at version 2.
Some of the things you can do with Web API:
Self host in an OWIN application (i.e. runs anywhere).
Full support for async and await.
Good default Templates and tons of open source examples.
Uses the great Json.Net JSON serializer.
Rest-ish by default (you'll have to do hypermedia yourself).
and more...
As a customer of ServiceStack here is the pro for ServiceStack most important for me.
https://github.com/ServiceStack/Issues/issues/606
So. Bug found, bug identified, bug fixed. Same day. Extraordinary support!
It's been one year that I use SS and it's all great.
ORMLite is pure magic. I was able to remap an awful MySQL DB to integrate it into a mobile app. No change on the database because it's used with a PHP backend by other apps...
Mythz is an example regarding support and explanation. He upgraded my knowledge regarding app design and simplicity of maintenance. Please try it and you will understand.
Also, don't compare SS with Web API. It's not enough; SS brings much more to your toolbox. ServiceStack.Text is a great AutoMapper too.

Java Security Framework

Security always tends to take the last place in a new project. Or you use a framework like Spring where security is already built-in and can be switched on easily.
I am trying to find an open security framework that can be plugged into both Swing and web applications (and JavaFX?), and is maybe easy to digest. I looked at plain JAAS, JGuard and JSecurity, but it's just too complicated to get started.
Any recommendations or experience to share?
I am working with NB, Glassfish and MySQL.
Thanks
Sven
I have just taken a look at this: http://shiro.apache.org/
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro's easy-to-understand API, you can quickly and easily secure any application - from the smallest mobile applications to the largest web and enterprise applications.
I would strongly recommend learning JAAS. It really isn't that difficult to pick up, and there are some useful tutorials and a reference guide on the Sun web site.
In my experience, JAAS is pretty widely used, so it's definitely something you'll be able to reuse once you've learnt it. It also happens to be one of the building blocks for the Glassfish authentication mechanism!
I have done similar research into JAAS for web applications and ran into a "mind roadblock" until I finally realized JAAS is a framework addressing security at a different "layer" than traditional web applications in the Java world. It is built to tackle security issues in J2SE, not J2EE.
JAAS is a security framework built for securing things at a much lower level than web applications. Some examples of these things are code and resources available at the JVM level, hence all the ability to set policy files at the JVM level.
However, since J2EE is built on top of J2SE, a few modules from JAAS were reused in J2EE security, such as the LoginModules and Callbacks.
On the other hand, Acegi, aka Spring Security, tackles a much higher "layer" in the securing-web-applications problem. It is built on top of J2EE security, hence J2SE, hence JAAS. Unless you are looking to secure resources at the J2SE level (classes, system resources), I don't see any real use of JAAS other than using the common classes and interfaces. Just focus on using Acegi or plain old J2EE security, which solves a lot of common web application security problems.
At the end of the day, it is important to learn which "layer" of the J2EE-J2SE security issue you are tackling and choose the right tool(s) for the problem.
I would recommend you take a look at OACC (http://oaccframework.org). OACC was designed for solving the problem of application security. Unlike most frameworks, OACC is able to store/manage the authorization relationships in your application. OACC's authorization model is more powerful than Shiro's or Spring Security's.
There is an alternative from JBoss, a new version of PicketBox. More information here:
https://docs.jboss.org/author/display/SECURITY/Java+Application+Security
Apache Shiro miserably fails when you stress a web application under JBoss (say 2 million requests of a simple GET with a concurrency of 50 threads).
It was very disappointing to find this out.
It happens when you use filters.
You can read http://code4reference.com/2013/08/guest-posttop-java-security-frameworks-for-developing-defensive-java-applications/
It gives a 1000-mile view of various Java security frameworks, such as JAAS, Shiro or Spring Security. All depend on your requirements and the technology stacks that you choose.

Security and Policy Injection Application Block

I have a mixed UI (Win App, WPF App, and soon an ASP.NET MVC App) setup, so far I'm using Client Application Services for security. I know how to programmatically get a user authenticated and doing so is working beautifully. However...
I want to implement some cross-cutting concern that basically checks to see if the user is authenticated all the time. Since everything will be accessing web services, I want to enable this as a standard execution for pretty much everything the UI does. So far I'm thinking the PIAB - Policy Injection Application Block - will serve that function. What I'm wondering is two things:
1. Will the PIAB cover that needed functionality? Verifying authentication at every practical step if used against the UI?
...and...
2. Are there alternatives out there besides the PIAB? I'm curious to do a comparison of aspect-oriented policy injection frameworks.
I'm not really familiar with Client Application Services, but from my experience, most AOP frameworks wrap interfaces in order to implement the cross-cutting functionality. If CAS uses interfaces, you could probably just wrap them with whatever functionality you require.
Alternative AOP frameworks:
Spring.NET
Castle Dynamic Proxy
Spring.NET and Dynamic Proxy seem to work in much the same way and have much the same performance in my Hello World type tests (about half-way between direct calls and invoking through reflection). PIAB is significantly slower than both these frameworks and I found it a bit more verbose. It does have the ability to be configured via XML, and I'm not sure if that's a good thing or not. Not sure if the other frameworks provide that. It does of course have the MS stamp of approval though :P.
