Web application firewall

Hi All,

Our company is currently evaluating Vaadin for use in our upcoming project and it seems to be a good fit; however, we have some concerns about security.

Our environment requires increased security, and in our current solution we use a web application firewall as one of the security measures. Basically, the question is: is it possible to secure a Vaadin application using an application firewall? The problem lies in Vaadin's heavy reliance on AJAX, and a quick study showed that filtering AJAX requests with application firewalls seems to be a common problem.

Does anyone here have experience with this kind of problem?

Vaadin should be one of the most secure choices for rich UI at the moment: all code stays (hidden) on the server side and no publicly accessible (REST/…) API is needed.

If you do login outside the application (a separate JSP for example) and your firewall can ensure that the session is already authenticated, you can easily block all access to Vaadin based application for users that have not logged in.

Thanks for the reply. Yes, it is good that all code stays on the server, but data is still exchanged between the server side and the client rendering code. Our main concern is to be sure that the data cannot be altered in a way that would lead to a security breach on the server side.

True. Fortunately there are several security features in Vaadin to protect against this:

  • All ids passed to the client side are generated and mapped by Vaadin. Thus if one alters an id on the client side to try to get at data that is not exposed to the client side, the Vaadin id mapper blocks this automatically.
  • Because all code runs on the server side, all validation is also done on the server side. Thus it is not possible to forget to re-validate on the server, as in client-side frameworks.
  • Vaadin uses the double-cookie pattern to prevent CSRF.

You might want to skim through my presentation on Vaadin and server-side RIA security. For the presentation I created two implementations of a banking application (one in GWT and one in Vaadin) and deliberately included all sorts of stupid security problems in the implementation. You are free to explore the difference the client-side and server-side frameworks impose on security by breaking into the banking application.
The app is online here - see the presentation for tips on breaking in :)
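The three protections listed in the reply above, as an added toy model in Python. This is illustration written for this thread, not Vaadin's own code or its UIDL protocol: the component class, the request dictionary format and the function names are all invented. What it shows is the shape of the argument: the server keeps the only map from opaque ids to UI state, a client that guesses or forges an id gets nothing, the CSRF token must appear identically in the cookie and in the request body (double-submit cookie), and the length check runs on the server no matter what the client sent.

```python
"""Toy model of server-side RIA protections (added example, not Vaadin code).

The session owns every component; the client only ever sees opaque ids that
the session generated. A request is accepted only if (1) the CSRF token in the
cookie and in the body both match the one issued to this session, (2) the id
resolves through the server-side map, and (3) the new value passes the
component's own server-side validation.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TextField:
    """A server-side component carrying its own validation rule."""
    name: str
    max_length: int
    value: str = ""

    def set_value(self, value: str) -> None:
        # Validation happens here, on the server, for every request.
        if len(value) > self.max_length:
            raise ValueError(f"{self.name}: value exceeds {self.max_length} chars")
        self.value = value


@dataclass
class ServerSession:
    """All UI state lives in the session; the client gets only opaque ids."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    _by_id: dict = field(default_factory=dict)

    def expose(self, component: TextField) -> str:
        """Register a component and return the unguessable id sent to the client."""
        cid = secrets.token_urlsafe(16)
        self._by_id[cid] = component
        return cid

    def handle(self, request: dict) -> dict:
        """Process one simulated AJAX 'set value' request (invented format)."""
        # 1. Double-submit cookie: cookie value and body value must both equal
        #    the session token. compare_digest avoids timing leaks.
        cookie = request.get("cookies", {}).get("csrf", "")
        body_token = request.get("csrf", "")
        if not (hmac.compare_digest(cookie, self.csrf_token)
                and hmac.compare_digest(body_token, self.csrf_token)):
            return {"ok": False, "error": "csrf token mismatch"}
        # 2. The id is resolved only through the server-side map, so an id the
        #    server never issued (or a component never exposed) is unreachable.
        component = self._by_id.get(request.get("id", ""))
        if component is None:
            return {"ok": False, "error": "unknown component id"}
        # 3. Server-side validation runs regardless of any client-side check.
        try:
            component.set_value(request.get("value", ""))
        except ValueError as exc:
            return {"ok": False, "error": str(exc)}
        return {"ok": True, "component": component.name}


def run_demo() -> dict:
    """Exercise the four cases with constructed requests and return the outcomes."""
    session = ServerSession()
    nickname = TextField("nickname", max_length=8)
    # 'balance' is deliberately never exposed, so no client-visible id exists.
    balance = TextField("balance", max_length=20, value="100.00")
    nick_id = session.expose(nickname)

    good = {"cookies": {"csrf": session.csrf_token}, "csrf": session.csrf_token}
    results = {
        "valid": session.handle({**good, "id": nick_id, "value": "alice"}),
        # Attacker guesses a 'natural' id for the hidden component.
        "forged_id": session.handle({**good, "id": "balance", "value": "1e9"}),
        # Client-side length limit bypassed; the server still enforces it.
        "too_long": session.handle({**good, "id": nick_id, "value": "x" * 50}),
        # Cross-site request: the browser sends the cookie, but the attacker's
        # page cannot read it, so the body token is missing.
        "no_token": session.handle({"cookies": {"csrf": session.csrf_token},
                                    "id": nick_id, "value": "bob"}),
    }
    results["nickname_now"] = nickname.value
    results["balance_now"] = balance.value
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The point a WAF evaluation should take from this is that the AJAX payload carries only opaque ids, a token and values; there is no URL or parameter name that encodes a privileged operation for the firewall to recognise, and the meaningful checks (token match, id resolution, validation) already happen in the server-side session state the firewall cannot see.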

Thank you very much for this information. It will definitely help us in our evaluation process.