
I am choosing a Scala web framework. Among frameworks I am considering are Play, Scalatra and Lift. In the project I am preparing for, security is important. However, web security is a blurry subject for me, and I would like my framework to handle it to a reasonable extent. I seem to be drawn to Play.

I am not asking what is the most secure framework (according to ads – Lift), but, rather, do Scala frameworks handle security for me, and how do they compare in that respect? I don't want to solely rely on my knowledge to make the web-app secure.

Dominykas Mostauskis

  • "I don't want to solely rely on my knowledge to make the web-app secure." That is unfortunately a requirement that is impossible to fulfill. There are frameworks to make security easier, sure. But security doesn't work if you don't understand what you're securing, and how. – Cubic May 27 '13 at 17:24
  • One place to start is here: https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series – sourcedelica May 27 '13 at 18:35
  • @Cubic, that's exactly what I want: a framework that makes security easier and helps me handle it better. pedrofurla, I guess [this is what I mean](http://www.playframework.com/documentation/1.2.1/security) by security. Maybe you have tips on how to make my question more constructive? – Dominykas Mostauskis May 27 '13 at 19:30
  • @sourcedelica, [OWASP cheat sheets](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet) are of great help. – Dominykas Mostauskis May 27 '13 at 20:55
  • Good suggestion. More info in one spot. – sourcedelica May 28 '13 at 03:23

2 Answers

I'd vote for Liftweb: http://seventhings.liftweb.net/security

The major difference to other frameworks (and especially to Java's, like Spring) is what one may call "default behavior". For example, while coding, you can forget to "escape" some HTML attribute. In a bad framework you'll get errors with corrupt HTML and security holes. In a good framework you'll have double-escape or an error.

A full list of examples can actually be read in the link. What I personally love Lift for is its statefulness, and Scala bindings to HTML like

"#myHtmlNode li div [onclick]" #> ajaxInvoke(...scala code here...)

In the code above, you'll be 100% sure that no one will have access to the contents of ajaxInvoke except for those users you sent the page to yourself. And the separation of the logic and the view is a relief, of course.

VasiliNovikov
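
The following is an added example, not code from the question, from either answer, or from the Lift project. It is a small Scala model of the two "default behavior" properties the answer above describes: output escaping that is on by default and tracked by a type, so forgetting to escape is not possible and already-safe markup is not escaped twice; and server-side callbacks bound per session under an unguessable token, so a client can only invoke closures that were bound into a page rendered for that same session. Every name in it (SafeHtml, the html"..." interpolator, Session, bind, invoke, the alice/mallory sessions and the hostile strings) is invented for the illustration; Lift's real API (SHtml.ajaxInvoke, NodeSeq-based templates) is structured differently and this is only a model of the idea.

```scala
// Added example: a toy model of escape-by-default markup and session-bound AJAX
// callbacks. Nothing here is Lift's or Play's code; all names are invented.
import java.security.SecureRandom
import scala.collection.mutable

object SecurityDefaults {

  /** Markup that is already escaped, or that a developer explicitly declared trusted. */
  final case class SafeHtml(value: String)

  object SafeHtml {
    /** The only path from untrusted text into markup: escape for text and attribute context. */
    def escape(s: String): SafeHtml = SafeHtml(s.map {
      case '&'  => "&amp;"
      case '<'  => "&lt;"
      case '>'  => "&gt;"
      case '"'  => "&quot;"
      case '\'' => "&#39;"
      case c    => c.toString
    }.mkString)

    /** The deliberate, greppable opt-out for markup you already trust. */
    def trusted(markup: String): SafeHtml = SafeHtml(markup)
  }

  /** html"..." interpolator: String arguments are escaped, SafeHtml arguments pass through. */
  implicit class HtmlInterpolator(private val sc: StringContext) {
    def html(args: Any*): SafeHtml = {
      val sb = new StringBuilder
      sc.parts.zipAll(args, "", SafeHtml("")).foreach { case (literal, arg) =>
        sb.append(literal)
        arg match {
          case safe: SafeHtml => sb.append(safe.value)            // already safe: no double escape
          case other          => sb.append(SafeHtml.escape(String.valueOf(other)).value)
        }
      }
      SafeHtml(sb.toString)
    }
  }

  /** One user's session. Binds server-side closures under random tokens, in the spirit of
    * Lift handing out a GUID per bound function. A token means nothing in another session. */
  final class Session(val user: String) {
    private val rng       = new SecureRandom
    private val callbacks = mutable.Map.empty[String, () => String]

    /** Bind a closure; the rendered page embeds the returned token in its onclick handler. */
    def bind(f: () => String): String = {
      val bytes = new Array[Byte](16)
      rng.nextBytes(bytes)
      val token = bytes.map(b => "%02x".format(b & 0xff)).mkString
      callbacks(token) = f
      token
    }

    /** The AJAX endpoint: a token never bound here (forged, or bound in another session) is refused. */
    def invoke(token: String): Option[String] = callbacks.get(token).map(_())
  }

  def main(args: Array[String]): Unit = {
    // Constructed hostile input: a comment body and a string headed for an HTML attribute.
    val comment = """<script>alert("xss")</script>"""
    val title   = """x" onmouseover="steal()"""

    // Forgetting to escape cannot happen: plain Strings are escaped on their way into markup.
    val item = html"""<li title="$title">$comment</li>"""
    // The nested fragment is already SafeHtml, so it is not escaped a second time.
    val page = html"<ul>$item</ul>"
    println(page.value)

    // Only the session that bound a callback can redeem its token; a copied or forged
    // token is refused instead of running somebody else's closure.
    val alice   = new Session("alice")
    val mallory = new Session("mallory")
    val token   = alice.bind(() => s"report for ${alice.user}")
    println(alice.invoke(token))
    println(mallory.invoke(token))
    println(alice.invoke("0" * 32))
  }
}
```

Two caveats a practitioner should keep in mind when reading this as a model of a real framework. The escaper above covers HTML text and attribute context only; a value placed inside a script block, a URL or a CSS property needs a context-specific encoder, which is exactly what the OWASP cheat sheets mentioned in the comments enumerate. And this toy never expires a bound callback, so the map grows for the life of the process; a real implementation ties bound functions to the session lifetime and removes them when the page or session goes away.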

To answer my own question: I have to learn this stuff, no one is going to do it for me. There are the OWASP cheat sheets, and also the OWASP Enterprise Security API, or ESAPI. ESAPI looks promising, though I haven't used it yet.

Dominykas Mostauskis