Security Guidelines for ZimWeb Applications

Key Guidelines for Creating Secure ZimWeb Applications
Secure access to the ZimWeb Administration servlet so that unprivileged users cannot reach it.
The installation instructions for Tomcat (See Installation) show how to reserve it for a given user name and password.
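One way to express that restriction in the application's WEB-INF/web.xml, given here as an added example rather than text from the ZimWeb installation instructions: the servlet is mapped to a URL pattern, and a security constraint limits that pattern to an authenticated role. The pattern /admin/* and the role name zimadmin are placeholders; substitute the servlet mapping and role your installation defines. The CONFIDENTIAL transport guarantee goes beyond the guideline above and forces the BASIC credentials over HTTPS.

```xml
<!-- web.xml fragment (example, not part of the ZimWeb distribution).
     /admin/* and "zimadmin" are assumed placeholders: use the mapping
     of the ZimWeb Administration servlet and a role of your choosing. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ZimWeb Administration</web-resource-name>
    <!-- every request under this path requires the role below -->
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>zimadmin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials travel in clear unless the channel is TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ZimWeb Administration</realm-name>
</login-config>

<security-role>
  <role-name>zimadmin</role-name>
</security-role>
```

The role must also be granted to a user in the container's realm (for Tomcat's default realm, an entry in conf/tomcat-users.xml); a request to the protected path without that role is answered with 401 or 403 before the servlet runs.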
Ensure that the client DEBUG facility is disabled by default by setting the allow-debug configuration option to no.
Specify a TEMPLATE in the security configuration for all procedures - this is described in the configuration file extensions.
Avoid or restrict the use of Zim sessions wherever possible, as they open the way to a denial of service that ties up (commits) all the Zim database agents:
  • Use http session variables to preserve state information instead - see parameter sources for more details about this.
  • Use the most secure setting possible for the zim-session-security configuration option; preferably disable persistent Zim sessions if they are not required, or track Zim sessions in the http session.
Record the authentication of a user in an http session parameter (e.g. session.AuthenticatedUser) that is present in all procedure templates and checked by all procedures. The initial authentication can be performed by the web server or by the Zim application.
Place XSLT stylesheets and templates in a secure location that cannot be accessed directly by clients. A suitable location is under the WEB-INF directory of the application, as demonstrated by the ZimWeb example application.
Be careful with the XML information output by the application. Remember that the client can specify style=none in any request to see the raw, unstyled XML data.