back to article Spring break! Critical vuln in Pivotal framework's Data parts plugged

Pivotal Labs' Spring Data REST project has a serious security hole that needs patching. Pivotal's Spring Framework is a popular platform for building web apps. Spring Data REST is a collection of additional components for devs to build Java applications that offer RESTful APIs to underlying Spring Data repositories. These …

  1. SVV

    Not technically correct

    "RESTful APIs are commonly publicly accessible, creating a mechanism for hackers to easily gain control over production servers and obtain sensitive user data."

    Well, the whole idea of web services is to make them accessible via the web - you can secure them for internal use only if you want, but otherwise, yes they are as accessible as any other web server HTTP services, because that's how they work. How you secure them (or don't) is your responsibility. It is really going too far to say they allow hackers to easily gain control over production servers, unless whoever set it up was a total dimwit.

    However, the convenience and simplicity of REST services has led to their popularity, so enough dimwits are inevitable statistically. Securing this stuff properly isn't for amateurs and the inexperienced. It needs both the sysadmins and devs to have a well planned way to do so. Still, REST has gained supremacy by its' very ease of use nature, and therein lies the trap for the unwary, as always.

    However, as one of the few remaining fans of the SOAP web service model, this looks like chickens coming home to roost. SOAP has an extensive inbuilt security model (optional of course - but not if you're sane), but never gained general favour because it was "too difficult and complex" and REST was "easy". And so difficult but complete security got discarded for a quick and dirty cludge, yet again, with the same old predictable results.

  2. Anonymous Coward
    Anonymous Coward

    Spring is a useless framework.

    The only people who use spring are the hacks who couldn't write proper code in the first place.

    Sorry but if you use the spring framework... you deserve what you get.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like