Re: [jakartaee-platform-dev] Jakarta EE Http Firewall

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jakartaee-platform-dev] Jakarta EE Http Firewall

From: Ivar Grimstad <ivar.grimstad@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Feb 2025 10:10:29 +0100
Delivered-to: jakartaee-platform-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jakartaee-platform-dev/>
List-help: <mailto:jakartaee-platform-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev>, <mailto:jakartaee-platform-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jakartaee-platform-dev>, <mailto:jakartaee-platform-dev-request@eclipse.org?subject=unsubscribe>

Hi,

Can you add an issue in the issue tracker for this? I'll add the EE12 label to it so we can follow up on the discussion.

https://github.com/jakartaee/platform/issues

Ivar

On Wed, Feb 19, 2025 at 10:04 AM Gurunandan Rao via jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx> wrote:

Hi All,

Please provide valuable suggestion for adding an Http Firewall as part of Jakarta Http Specification. Details of the proposal are explained in the below mail.

regards,

Guru

From: Gurunandan Rao <gurunandan.rao@xxxxxxxxxx>
Sent: 07 February 2025 15:34
To: EE4J Security project <jakarta-security-dev@xxxxxxxxxxx>
Subject: Jakarta EE Http Firewall

Hi Team,

Jakarta EE Application should have security against common exploits, various exploits that Jakarta Security can protects against can be grouped as follows:

Cross Site Request Forgery (CSRF) attack.

Secure HTTP Response Headers.

All HTTP-based communication, including static resources, should be protected by using TLS.

Http Firewall is one of the methods by which Jakarta Application can be secured and Whenever possible, the protection should be enabled by default.

Please advice on Http Firewall for Jakarta 12 Applications.

Please note Spring provides Http Firewall with following protection:

1) Spring security CSRF protection: https://docs.spring.io/spring-security/reference/features/exploits/csrf.html

2) Spring security HTTP Response Headers: https://docs.spring.io/spring-security/reference/features/exploits/headers.html

3) Spring Security HTTP protection: https://docs.spring.io/spring-security/reference/features/exploits/http.html

HTTP :: Spring Security

As a framework, Spring Security does not handle HTTP connections and thus does not provide support for HTTPS directly. However, it does provide a number of features that help with HTTPS usage.

docs.spring.io

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev

Ivar Grimstad

Jakarta EE Developer Advocate | Eclipse Foundation Eclipse Foundation - Community. Code. Collaboration.

References:
- [jakartaee-platform-dev] Jakarta EE Http Firewall
  - From: Gurunandan Rao

Prev by Date: [jakartaee-platform-dev] Jakarta EE Http Firewall
Next by Date: Re: [jakartaee-platform-dev] [config-dev] [EXTERNAL] Re: [microprofile] Config for Jakarta EE 12 and MP.next
Previous by thread: [jakartaee-platform-dev] Jakarta EE Http Firewall
Next by thread: Re: [jakartaee-platform-dev] [config-dev] [EXTERNAL] Re: [microprofile] Config for Jakarta EE 12 and MP.next
Index(es):
- Date
- Thread

Breadcrumbs