Tag: jsp

Validate JSPs at build time

JSPs compile to Java code at run time. This is helpful if we want to test code changes without a build and deploy. However, if errors are introduced, they may not be spotted till it’s too late. A useful compromise is to validate JSPs at build time to verify that they will compile. The validator catches syntax errors before the application deploys and starts. This speeds up our build and test cycle and prevents silly mistakes slipping through to production code.

Thymeleaf and Spring Security

Thymeleaf is a popular templating engine, particularly with Spring projects. Spring Boot has chosen Thymeleaf as the view technology of choice, largely replacing the need for JSP. With old JSPs, custom tag libraries provided integration with various technologies, including Spring Security. A similar library exists to integrate Thymeleaf and Spring Security – the Thymeleaf Spring Security Integration module.

Preventing XSS Vulnerabilities in Web Frameworks

Cross-Site Scripting (XSS) vulnerabilities are among the top risks to web application security. However, many web application developers have only a vague idea of what XSS is, let alone how to test for it or protect against it. Many web application frameworks, such as Struts or Tapestry, have some controls for preventing XSS attacks. Yet I’ve seen developers disable framework protections, resulting in vulnerable applications. Usually this is simply due to ignorance or lack of attention. A basic awareness of what web frameworks do to prevent XSS vulnerabilities is required to stop developers making dumb, though potentially serious, mistakes.