/ Security Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Avoiding a Security Flaw in Your Java App [Code Snippet]

DZone's Guide to

Avoiding a Security Flaw in Your Java App [Code Snippet]

Learn how to prevent malicious users from accessing a security hole that can be created when designing a child window exit in your app.

by
Amuda Adeolu
·
Dec. 28, 16 · Security Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Discover how to protect your applications from known and unknown vulnerabilities.

Suppose you designed an app where the child window exits. Your user may close the child window by clicking the close button. You may, however, disable the window as read-only with setReadOnly to true as setReadOnly(true). You may also make it invisible with CSS display:none, but doing so means you have just created a security hole with the CSS key. This is because a malicious user can access the button and close the window. The best pratice is to set the window to read-only, which also prevents closing on the server side.

Here is an example of the use of a child window in an application using a custom component with open and close button:

class WindowHole extends CustomComponent implements Window.CloseListener {
    Window mainwindow;
    Window mywindow;
    Button openbutton;
    Button closebutton;
    Label explanation;
    public WindowHole(String label, Window main) {
        mainwindow = main;
        final VerticalLayout layout = new VerticalLayout();
        openbutton = new Button("Open Window", this,"openButtonClick");
        explanation = new Label("Explanation");
        layout.addComponent(openbutton);
        layout.addComponent(explanation);
        setCompositionRoot(layout);
    }
    public void openButtonClick(Button.ClickEvent event) {
        mywindow = new Window("My Dialog");
        mywindow.setPositionX(200);
        mywindow.setPositionY(100);
        mainwindow.addWindow(mywindow);
        mywindow.addListener(this);
        mywindow.addComponent(new Label("A text label in the window."));
        closebutton = new Button("Close", this, "closeButtonClick");
        mywindow.addComponent(closebutton);
        openbutton.setEnabled(false);
        explanation.setValue("Window opened");
    }
    public void closeButtonClick(Button.ClickEvent event) {
        mainwindow.removeWindow(mywindow);
        openbutton.setEnabled(true);
        explanation.setValue("Closed with button");
    }
    public void windowClose(CloseEvent e) {
        openbutton.setEnabled(true);
        explanation.setValue("Closed with window controls");
    }
}


This example shows how we can inherit the CustomComponent class which consists of a button for the window opening and a label to show the attributes of the window.

Now you can see the window is open but the button is disabled. When the window is closed the button is enabled.

I hope this helps!

Find out how Waratek’s award-winning virtualization platform can improve your web application security, development and operations without false positives, code changes or slowing your application.

Like This Article? Read More From DZone

Preparing For The Future With Identity and Access Management
The Inevitable Need for Data Security and How Security Testing Can Help
74 Percent of Enterprises Say They Are Vulnerable to Insider Threats

Free DZone Refcard

Java EE Security Essentials
DOWNLOAD
Topics:
java app ,security ,prevention

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Amuda Adeolu. See the original article here.

Opinions expressed by DZone contributors are their own.

Security Partner Resources

Bring your Java apps up to date with the latest Java release with no code changes
Delivering Security in an Agile World
See how the Agile Security Manifesto can help your firm build secure software in an agile way.
Learn How to Build Security into the DevOps Life Cycle
CISO’s Guide to Application Security
Software Security Testing: Blending Art and Science
Building Security Into Cloud Applications
Traditional Application Security Approaches Are Not Working
Webinar: Secure your apps against a deserialization attack. It's not possible, is it?

Security Partner Resources

Bring your Java apps up to date with the latest Java release with no code changes
Delivering Security in an Agile World
See how the Agile Security Manifesto can help your firm build secure software in an agile way.
Learn How to Build Security into the DevOps Life Cycle
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone