Security Guidelines for ZimWeb Applications
Welcome to our Knowledge Base
Documentation | Blog | Demos | Support
< All Topics
Print
Security Guidelines for ZimWeb Applications
5 out of 5 stars
1 rating
| 5 Stars | 100% | |
| 4 Stars | 0% | |
| 3 Stars | 0% | |
| 2 Stars | 0% | |
| 1 Stars | 0% |
| Key Guidelines for Creating Secure ZimWeb Applications |
|---|
| Secure access to the ZimWeb Administration servlet such that unpriviledged users cannot access it. The installation instructions for Tomcat (See Installation) show how to reserve it for a given user name and password. |
Ensure that the client DEBUG facility is disabled by default by setting the allow-debug configuration option to no. |
Specify a TEMPLATE in the security configuration for all procedures – this is described in the configuration file extensions. |
Avoid or restrict using Zim sessions if at all possible, as they are openings to a denial of service by committing all the Zim database agents:
|
Record the authentication of a user in an http session parameter e.g. session.AuthenticatedUser, which is present in all procedure templates and checked by all procedures. The initial authentication can be performed by the web server or the Zim application. |
| Place XSLT stylesheets and templates in a secure location that cannot be accessed directly by clients. A suitable location is under the WEB-INF directory of the application, as demonstrated by the ZimWeb example application. |
Be careful with the XML information output by the application. Remember that the client can specify style=none in any request to see the raw, unstyled XML data. |
Updated
ByJason Lee
Was this article helpful?
5 out of 5 stars
1 rating
| 5 Stars | 100% | |
| 4 Stars | 0% | |
| 3 Stars | 0% | |
| 2 Stars | 0% | |
| 1 Stars | 0% |
5
English 
Portuguese