Most people who know about mod_python have run across it in situations when they needed to serve a Python-based application via Apache, like Mercurial or ViewVC.  Actually, mod_python is more than just a CGI/WSGI alternative and is self described as “an Apache module that embeds a Python interpreter into the server.”  This means you can use mod_python not only to serve Python-based applications that run faster than traditional CGI, but you can actually use exposed Apache APIs to write full-blown Apache modules using the Python language.  mod_python also includes a number of useful tools, like session management for example, that you get access to as well.  That being said, let’s learn more about mod_python by creating a simple application using most of the features that mod_python delivers.

mod_python features

mod_python is actually a suite of tools.  Not only can it emulate a CGI environment and allow you to create Apache modules written in Python, but it also provides tooling for:

• CGI environment (emulated)
• Access to Apache APIs, filters and handlers
• Session management
• Server-side includes
• Python server pages (Similar to any technology allowing logic and presentation in the same file and evaluated on the server, like Java’s JSPs)

As you can see, mod_python provides quite the tool-set to accommodate a very wide range of needs.  To showcase these features, we’re going to write a very simple application using as many mod_python features as are available.  We will then wrap up with using a mod_python authentication handler that uses your  Twitter credentials to authenticate yourself for your application.

mod_python handlers

Apache handles requests in phases and mod_python provides you with handlers that allow you to write a Python function that will be used by Apache to handle a phase.  So, if you wanted to have a Python-based authentication implementation for your SCM repository server in order to do fancy things like REST/SOAP/XML-RPC/etc to validate a user’s credentials, you could use Python and its PythonAuthenHandler to implement such a thing.  To see this in practice, let’s get mod_python hooked up to Apache and using a very simple handler to give us the obligatory “Hello World!”

# Load the modules
LoadModule python_module   libexec/apache2/mod_python.so

<Location /mod_python_article>
    # Tell Apache that mod_python will handle this Location
    SetHandler mod_python

    # Tell mod_python which module to use for handling requests
    PythonHandler olex.publisher

    # Fix the Python path to be able to locate our application
    PythonPath "[r'/home/jwhitlock/tutorials/mod_python_article/src']+sys.path"
</Location>

The above Apache configuration snippet creates a uri base (mod_python_article) and tells Apache that mod_python will use the PythonHandler handler, which is used to generate content and deliver it to the client.  We also told mod_python which Python module (olex.publisher) would be responsible for handling the request and where to find it using the PythonPath mod_python directive. (Of course, you might need to update your path to be where you extract the sample code to.)

from mod_python import apache

def handler(req):
    """ This is the controller function that will take a request and writes out the content. """
    publish(req, 'Hello from mod_python!', type='text/plain')

    return apache.OK

# handler

def publish(req, content, type='text/html'):
    """ Helper function that removes some boilerplate when writing content. """
    req.content_type = '%s; charset=UTF8' % type
    req.write(content, 0)

# publish

mod_python handler implementations will all accept a single argument, an Apache request object.  If you were to restart/start Apache and visit http://hostname/mod_python_article, you’d see “Hello from mod_python!” on your screen.  While this is a very simple example, you should have a good idea of how this will work.  When we need to do something via mod_python, all we have to do is write a handler and hook it up in Apache by registering the handler.  With the wiring taken care of, let’s move on to the next feature: Session Management.

Session Management

What good would any web-based application be without some session management?  Well thankfully, mod_python provides you with not only generic session management system that will work out of the box but it also gives you the necessary APIs to write your own.  (We will only be demonstrating the built-in session management at this time.)  With session management, we can only prompt you for credentials when you’ve not already logged in and only show you information about your profile if you’ve logged in.  Pretty standard stuff, but without an example it might not be useful.  So, below is an example of session management in our application.

from mod_python import apache, Session

def handler(req):
    """ This is the controller function that will take a request and delegate the
    request to some Python function. """
    # Create/Get the session
    session = Session.Session(req)

    if session.is_new():
        visit_token = 'for the first time'
    else:
        visit_token = 'again'

    # Save the session
    session.save()

    publish(req, 'Hello, %s, from mod_python!' % visit_token, type='text/plain')

    return apache.OK

# handler

def publish(req, content, type='text/html'):
    """ Takes the content and writes it to the client. """
    req.content_type = '%s; charset=UTF8' % type
    req.write(content, 0)

# publish

With the code above, your first visit should produce “Hello, for the first time, from mod_python!” for the output, while on subsequent visits (like by refreshing the page for now) you should see “Hello, again, from mod_python.”  What we’ll do after we’ve designed a login page, in the next section, is have people without a session get prompted for a name of their session so that they can then be redirected to their session information page.  Now that we have session management scaffolding in place, let’s wrap a UI around this and see the end result.  To do this, we’re going to use mod_python’s Python Server Pages.

Python Server Pages

mod_python’s Python Server Pages (PSP) are very similar to Java Server Pages in that you have a mix of business logic and presentation mixed together.  Of course you can break this out into a template file for the presentation and a function that populates the template with tokens, but in the end the concept isn’t new.  For our example, we’ll use PSPs to generate a simple login page that is displayed when you do not have a session, or you have a session and haven’t named it yet.  Here is an example of the PSP that is used for the login page:

<!-- Below is a PSP hack to avoid mod_python using 'text/plain' for the content type. -->
<% req.content_type = 'text/html' %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Session Information - Login</title>
  <!-- The stylesheet for this page is omitted here but is available in the download -->
</head>
<body>
  <div id="box">
    <h1 class="header">Session Information - Login</h1>
    <%=error%>
    <form id="login_form" name="login_form" method="POST" action="/mod_python_article">
      <ol>
        <li>
          <label for="session_name">Session name:</label>
          <input id="session_name" name="session_name" type="text" value="<%=session_name%>"/>
        </li>
        <li>
          <button id="create" name="create">Create Session</button>
        </li>
      </ol>
    </form>
  </div>
</body>
</html>

There isn’t much in this post other than the hack to fix a bug in mod_python, and you’ll also see a few PSP tags where we’ll put the content of an error into the page and the content of the session name into the form.  (These are denoted by the <%=error%> and <%=session_name%> texts respectively.)  A better example is in the PSP template used to display the session information (in the download).  Of course, it might make sense to know how to tell mod_python how to find a template and how to populate it with variables, like error and session_name above.  Here’s an example of how to create a template from a file and feed data to it:

data = {'error': '', 'session_name': '',}
template = psp.PSP(req, filename='create_session.tmpl')

template.run(data)

At this point, you really have seen an example of all parts of mod_python.  Here’s a summary of the topics we’ve covered:

• We’ve see how you can tell mod_python to use a publisher to publish content to the web using mod-python
• We’ve seen how to create a session and stuff information into it
• We’ve seen how to author a Python Server Page, load its contents from a file and give data to it

As promised, there is one more nifty piece of mod_python that we want to show you: how to use mod_python to write a custom authentication handler for Apache.

mod_python Authentication Handler

Have you ever wanted to have Apache authenticate you in a way that it didn’t support?  This is often the case in corporate worlds where people use directory systems like Active Directory and OpenLDAP for user/group/etc. management.  Well, while Apache does have LDAP support available, what if you wanted to authenticate to a system that Apache was unaware of, like authenticating to a third-party application?  Well, below is an example of how you can use Twitter to authenticate users of your Subversion repository, starting with the Apache configuration and ending with the mod_python handler:

<Location /svn/repos>
  # Subversion configuration
  ...

  # Authentication setup
  AuthType Basic
  AuthName "Subversion Repository"

  # Require a valid user
  Require valid-user

  # Make sure to use our authentication
  AuthBasicAuthoritative off

  # mod_python setup
  PythonAuthenHandler olex.twitter_authn
  PythonPath "sys.path+['/home/jwhitlock/tutorials/mod_python_article/src']"
</Location>

And below is the mod_python handler:

from mod_python import apache

# python-twitter is required for this example (http://code.google.com/p/python-twitter/)
import sys, twitter, urllib2

def authenhandler(req):
    """ Authenticates the user based on their Twitter credentials. """
    # As documented in mod_python, before you can successfully call req.user you must call
    # req.get_basic_auth_pw().
    # http://modpython.org/live/current/doc-html/pyapi-mprequest-mem.html#l2h-124
    password = req.get_basic_auth_pw()
    username = req.user
    api = twitter.Api(username=username, password=password)
    response = apache.OK

    # Since there is no API to authenticate a user, other than writing one
    # let's just call the function that returns the least data
    try:
        api.GetDirectMessages()
    except urllib2.HTTPError, e:
	# There are many Twitter failure codes that mean more than authentication
        # failure but for brevity, a failure means failed authentication.
        response = apache.HTTP_UNAUTHORIZED

        req.log_error('[authn] Failure to authenticate: %s' % str(e))
    except twitter.TwitterError, e:
        response = apache.HTTP_UNAUTHORIZED
    except:
        import traceback

        exception = sys.exc_info()
        traceLines = traceback.format_exception(exception[0], exception[1], exception[2])

	req.log_error('[authn] Unexpected error authenticating to Twitter')

        for line in traceLines:
            req.log_error('  %s' % line)

	return apache.HTTP_INTERNAL_SERVER_ERROR

    return response

Summary

mod_python is an excellent way for people knowledgeable in the Python programming language to secure Apache-served applications/content and to even write your own web-based applications.  Due to time constraints the above code samples are not 100% complete, so we’ve included a tar file with all of the source code above as well as all of the missing parts complete with documentation on how to run the examples.

Ed. Note: This article was originally published in March of 2009. It has been reprinted here because it provides excellent guidelines for evaluating and selecting the right Java web development framework. However, readers should be aware that some details about specific frameworks have changed in the year and a half since it was first published.

Open source application development frameworks have increased in both popularity and number over the past decade. Today, developers can choose from a wide range of frameworks, each of which offers a unique combination of features, limitations, and benefits.

But choosing the right framework can be a challenge.

Web application development frameworks have become very popular in the last several years. Wikipedia lists over 85 web application frameworks, with a large table comparing features.

This article covers some of the factors you should consider when evaluating and selecting a framework for building a Java web application. However, this is never a simple process and many different criteria can and should be considered. In other words, you will want to perform your own additional research.

When it comes to adopting a new technology, many of the decision points are organizationally — not developer — driven. When an organization intends to adopt an application development framework, it is typically looking to accomplish three things:

• Address the complexities of some lower level application architecture
• Reduce the amount of code developers have to write (aka “productivity”)
• Allow developers to focus on “business logic”

As you begin the evaluation and selection process, beware of people giving easy, emphatic answers. Your development environment and goals are unique. Use this article as a starting point and a general guide, and you should be able to make a decision that helps you increase productivity and decrease pain.

Background

First, we need to define the term application development framework and provide a little history. Application development frameworks are not new. They originally started with user interface (UI) development and have expanded into other areas. Just defining the term can be a little squishy. However, application development frameworks typically provide:

• A standard structure or design that allows the developer to create an application, without having to learn or understand complex low-level APIs.
• Some sort of programming paradigm or model. For example, for Java, Java EE is a great example of a framework that defines a paradigm.

Next, we need to define the types of application development frameworks currently available. There are, in general, three primary types of frameworks:

• “Application Frameworks,” which typically focus on the low-level details, abstracting the developer from an operating system or from a programming platform (e.g. Microsoft Foundation Classes).
• “Enterprise Architecture Frameworks,” which are at the other end of the spectrum, are used to govern or dictate the design of an enterprise system. An Enterprise Architecture Framework encompasses multiple different servers and software applications, allows for scalability, and supports “ility” constraints (e.g. Java EE, TOGAF).
• “Web Application Frameworks,” which fit “right in the middle.” Web application frameworks typically govern the overall architectural design, similar to Enterprise Architecture frameworks, but also are typically an extension of an application framework, albeit focused on a specific type of application development (web applications).

Zeroing in on web application frameworks, there are two broad classifications to be aware of:

• Server-side frameworks – focused on enabling back-end developers to create robust, scalable web applications (e.g., with Java, JSP with servlets; PHP is best known for server-side, and for .NET, ASP .NET).
• Client-side frameworks – focused on addressing the complexities and incompatibilities across browsers and user interactions.

Java Web Development Frameworks

So what’s the current landscape? Basically, there are two large conceptual categories that you need to be familiar with: “Full-stack” frameworks and Model View Controller (MVC) frameworks.

Full-stack frameworks address back-end web development for a web app from start to finish. They have some infrastructure or component that addresses the common MVC paradigm plus components that address interacting with databases, possibly in a create-update-and-delete (CRUD) fashion. They interact with message buses, and with naming and directory servers like LDAP.

• ADVANTAGES: Full-stack frameworks have a complete stack, so, as a developer, you don’t have to worry about how to integrate with a database, or how to integrate with a messaging system. It’s one stack of libraries that all work together. One nice “side-effect” of that is that as a developer, you don’t have to write the glue code to connect the “web tier” to the “enterprise tier.”
• DISADVANTAGES: Certain frameworks suggest or encourage certain technologies, which means you lose some plugability. For some developers, this is a real disadvantage.

MVC frameworks are typically the most popular frameworks in the Java web development world and are structured around the framework of a re-usable web application. Re-usability is discussed with the model, the business domain objects, or the controller that handles to request processing.

• ADVANTAGES: MVC frameworks are typically referred to as lightweight frameworks, meaning there’s less “baggage” and fewer connections with enterprise systems that you may or may not take advantage of.
• DISADVANTAGE: You do generally have to write the glue code to do CRUD operations.

In summary, both obviously have advantages and disadvantages, and there are too many to list them all. But at a high level, MVC frameworks are typically the most popular frameworks, so we’ll focus on those in our selection process below. However, should you decide to evaluate or select a full-stack framework, you’ll want to consider popular options like JBoss Seam and Spring (though it is debatable if Spring should be classified as a full-stack framework).

Understanding the MVC Paradigm

MVC is a design paradigm or design pattern that grew out of user interface development. Some people attribute it to Small Talk UI. At any rate, the real focus is to try to figure out how to structure a user interface application around good object oriented programming (OOPs) concepts like encapsulation, cohesion, loose couplings, and abstractions. All of these object oriented programming concepts can create re-usability.

If we were to dissect a user interface in the MVC world, in general we’d find three components:

1. The view is responsible for rendering the UI and is directly tied to a model for the state data of the UI. More specifically, as the view renders itself, it calls out to the model and gets back information from the model, so that it could draw a check-box either as a selected check-box or an unselected check-box, depending on the model structure.

2. The model contains the state data for the UI and supplies information to the view as requested.

3. Depending on the MVC paradigm, the controller functions as a traffic cop to allow the interactions that are triggered through the UI to propagate through the model. So, if somebody selects a check-box, that selection is going to go through a controller, and that controller is going to (hopefully) update the model. Then, the model notifies the view and the view redraws itself.

Of course, there are many ways an MVC architecture can be structured. In the interests of simplicity, we will not cover that information here. However, there are two main kinds of competing architectures or ideas on how an MVC framework should be implemented, and they are very important in making your decision. The two types of MVC frameworks that you will encounter are:

• Action-based (aka Push-based MVC) frameworks are the most common partially because they’ve been around longer (e.g. Struts). The idea is that when a request comes from a web browser and goes to a web server, there is a request handler that functions as a controller. That request handler takes the request data, puts it into some type of model, and that model then pushes that to the view — typically a JSP. Then, the JSP takes the model data and renders itself. Typically, it’s easy to understand and a very straight-forward process.
• Component-based (aka Pull-based MVC) frameworks focus on rich UI development. They’ve moved away from the concept of request-processing a little bit, into view generation or view rendering. Included is a nice UI component set that creates re-usability within the application. Three of most common ones are JSF, Wicket, and Tapestry. With Component-based MVC frameworks, it is the view’s responsibility to pull in data from potentially multiple controllers and render itself. Instead of having the controller give all the appropriate data, the view can pull in all the data from the appropriate controllers. There is still a model, and the model is still generally represented as a Java object. The model still could be a composition of objects; the difference is how the view accesses the information.

Comparison of Six Popular MVC Frameworks

We’ve selected six of the most popular MVC frameworks to compare – three action-based and three component-based.  You may wish to evaluate different options, but the evaluation process outlined below will help you determine the best framework for your needs regardless of the options you consider.

The action-based frameworks we’ll compare are:

• Struts 2 is sometimes called “the evolution of the Struts framework.” The Struts framework was originally popularized back in the late 1990s and early 2000s, and Struts 1 is still regularly used in enterprises. Struts 2 was released in February 2007 and is a redeveloped implementation of Struts 1, based on a framework called WebWork.
• Spring MVC 2.5 is the MVC component of the MVC Framework, built on top of the Spring Framework. It adds MVC capabilities, which means that you can leverage Spring features like inversion and control and dependence injection. It has organizational support from SpringSource which means good training and documentation, and a large supporting community.
• Stripes 1.5 has a big grass roots following but no organizational backing.

The component-based frameworks we’ll compare are:

• Java Server Faces (JSF) / MyFaces 1.2, probably the most popular implementation of the JSF specification, is the only framework supported by a Java community process specification. This gives multiple vendors the opportunity to implement JSF and, in turn, gives adopters many different vendor choices. However, many people believe that Sun dictates how the technology is implemented, so they feel there is a big marketing machine trying to push a standard.
• Wicket, sponsored by the Apache Foundation, is a web application development framework for Java developers, which means it’s focused on writing web applications in Java versus writing web applications in something like HTML. It is very Java focused.
• Tapestry 5, also a part of the Apache Foundation, it is a complete rewrite of Tapestry 4 that attempts to simplify some of the cumbersome features found in Tapestry 4.

Criteria for Choosing a Framework

There are many different opinions on how to choose the right framework.  Approaches used to select frameworks include:

• The Popularity Formula – How many Google searches? How many jobs on Dice?
• The Community Activity Formula – When was the last commit or release? How active is the mailing list?
• The Learning Formula – How many books? How’s the documentation?
• The Architect Formula – How clean are the results? How well does it scale?
• The Pragmatist Formula – How hard is it to build a prototype?

Since none of these approaches provides a complete picture, we decided to use them all to evaluate the six frameworks outlined above.

Popularity. If you choose a framework strictly based on popularity, you’ll pick JSF. But, consider that Sun, IBM, and Oracle have invested time and marketing dollars to make JSF popular, so popularity here is skewed by marketing budgets.

Community. If you choose by active community you might base your decision on frequent releases, or the most current release, or the most active mailing list. If your decision was based on the most current release, it would be Stripes. Obviously, in some cases, you might find a recent release simply because of coincidence.

Learning. In general, the availability of documentation is common, so perhaps you might narrow down this category to the number of books written on the subject. If that is your differentiator, then again you’ll choose JSF (based on Amazon numbers). But then again, it’s possible that JSF has more books because it’s harder to understand. Choosing, then, by larger numbers of books might not be a great thing to do.

Architecture. Looking for Plain Old Java Objects (POJO) is one way to examine the various frameworks. (POJO, used to be “JavaBeans” but the Java community does not like the term because of the enterprise JavaBeans world.) There is constant debate on how much imposition a framework should have on one’s architecture. The trend in the last 3-5 years is to separate the application from the framework by using some POJO structure. Some are POJO-based, some “hedge their bets” and let you use POJO with annotations or create a subclass of one of the pre-built classes already included. It’s all over the board, so it would be pretty hard to decide based on the cleanest architecture.

Pragmatist. One of the major reasons for choosing an application development framework is to reduce the amount of code you have to write, or to increase the productivity of the development team. In that case, you should first and foremost be using “The Pragmatist Formula” as well as the other criteria. Unfortunately, measuring productivity of a development team is a crap-shoot. If someone could figure that out conclusively, they would be very wealthy! Different developers code at different speeds, some developers learn really quickly, others take longer but really master it completely once they get it. Ultimately, it’s very hard to measure accurately.

The Productivity Formula

The real motivation for using an application framework is simplified development. While not always the case, simplified development usually translates into increased developer productivity. Therefore, we suggest choosing your framework with productivity in mind instead of using the five criteria mentioned above. Here are some key elements that could be used when making a productivity-focused decision.

When it comes to rapid application development (RAD) consider measuring productivity in terms of support for:

• Convention over configuration
• Scaffolding / CRUD
• Inversion of Control, also known as Dependency Injection

And, yes, it would certainly be possible to add other items here to measure, but the point is to narrow down the list to have a succinct discussion.

When it comes to rich internet application development (RIA), consider measuring productivity in terms of support for:

• RESTful URL structure
• Built-in Client side validation or some JavaScript to make the application more robust
• Built-in AJAX support

Understanding Variables of RAD: Three Trends within the RAD World

Convention over Configuration. The idea here is that as a Java developer — historically, at least — you spend 50%-60% of your development effort on configuration. Too much time is (or at least used to be) devoted to dealing with XML files, property files… lots of different pieces. It’s been said that “configuration is the demise of Java.” The hope has been to move some of that configuration burden off of the developer and let the platform be smart enough to adopt some convention. As long as the developer adopts best-practices or coding conventions the framework can figure out what’s being done.

Scaffolding. This generates a boilerplate code, the views, the controllers, the CRUD operations — in other words, a first rough pass at taking the developer’s database design and mapping to the web application. Scaffolding has become popular due to the RAILS movement.

Inversion of Control. In the Java world, specifically in the Java EE world, there is the mechanism called the Java Naming and Directory Interfaces (JNDI) used to look up internal or external services. These could be an enterprise JavaBean, a database, or a message queue. Instead of the developer doing all those extra steps to look up internal or external services, the framework does the work and hands to the component or object a reference to that external service. In other words, the service look-up responsibility is delegated to the framework.

Understanding Variables of RIA

RESTful URLs. In the real world, there are many reasons why people adopt RESTful URLs. The most prominent reason is search engine optimization (SEO) because it’s theoretically easier for a search engine to traverse your website and content and understand the categorization and hierarchy. So, a framework that helps create RESTful URLs is an immediate benefit to sales and marketing. Will the framework generate the client-side validation? Will it generate the JavaScript out of the developer’s view? Will it adhere to the validation that the developer defined? As a Java developer, you don’t want to fight with a bunch of different JavaScript variations. So, what kind of JavaScript help is included? This dovetails into Asynchronous JavaScript + XML (AJAX) or background processing within the web.

Client-side Validation. Will the framework generate the client-side validation? Will it generate the JavaScript out of the developer’s view? Will it adhere to the validation that the developer defined? As a Java developer, you don’t want to fight with a bunch of different JavaScript variations. So, what kind of JavaScript help is included?

Asynchronous JavaScript + XML (AJAX). AJAX provides background processing within the web. In this article we’re not looking at the formal RIA frameworks like Flex and Silverlight, but rather focusing just on the JavaScript and Ajax world. With Ajax, web applications can retrieve data asynchronously in the background without interfering with the display and behavior of the existing page. Ajax helps the developer avoid having to write background processing manually.

We categorized Struts 2 as a Configuration framework because if you look at the number of XML artifacts that you have to create to configure the framework (approximately 2-7 files) it’s very configuration-heavy. Read through the Struts 2 documentation to make your own decision whether it’s a Convention or Configuration framework. Stripes, however, is on the opposite end of the spectrum. It professes that it’s a very Convention over Configuration framework. It leverages not only coding conventions but also class reflection to help it understand what the different components are of the application. There is only one configuration file: web.xml. In the middle is Spring MVC, which started off as a Configuration framework but with every release it has moved more and more towards Convention. It currently has probably just two configuration, and in Spring 3 it is supposed to be even less.

One of the trickiest things with a web application is the question, “How do I deal with navigation paths?” In other words, when a request comes in and I process the request, where does the request go? What’s the target? For navigation, basically you’re going to end up with either XML or Java.

None of the RAD-based frameworks support scaffolding or basic CRUD operations, which means the developer has to go get a third party adapter or plug-in to create that functionality. There is one third party plug-in for Spring MVC that will do both.

In the Java world, Inversion of Control is a big trend in RAD. All three of the frameworks support it. And they also support annotations — the metadata to make development easier.

Not a single framework today supports RESTful URLs. For Struts, a plug-in is being developed. In Stripes, there are several different “ActionResolvers” that help you, and in Spring there is an annotation that helps.

There is some client-side validation supported. Struts has some automatic generation of client-side validation or client-side JavaScript based on its validator framework. And both Spring MVC and Stripes support client-side validation. When the developer creates the JSP, they use the onBlur or onClick or onSubmit, write some JavaScript code, and do the validation, but it’s typically a manual effort.

And none of the frameworks out-of-the-box will generate AJAX for the developer. The developer has to make the AJAX, the asynchronous calls, the XHR objects, and the interactions

So, none of the three really hold up to what we’re interested in from a productivity standpoint.

Using the same comparison criteria, only JSF is configuration heavy, and of the two Configuration frameworks, Wicket and Tapestry, Tapestry has only one configuration file. Navigation flow — where does a request end up, and how easy or hard is it to configure? — was looked at, and only JSF adopts an XML-based structure. Therefore, for both Wicket and Tapestry, the controller is going to govern where the target is located and what the target looks like.

For scaffolding, only one supports out-of-the-box scaffolding: Tapestry. When compared to Ruby on Rails or Grails, Tapestry 5 scaffolding allows you to take a Java object and annotate the object. It can be mapped to a view with a single tag — a tag and a tag library. The developer doesn’t have to generate the input text fields or the input submit fields or the drop-downs for the different states. The point is that is does NOT do the full scaffolding that you would find in Ruby on Rails.

If the developer spends a lot of money and is using IBM’s WebSphere or Oracle’s JDeveloper, there are some scaffolding capabilities in both of those tools to help minimize the amount of UI code that has to be created.

There’s no out-of-the-box support for CRUD.

Two of the three support Inversion of Control: JSF and Tapestry 5. Wicket does not directly, but you can layer Wicket on top of Spring to get some Inversion of Control. Both JSF and Tapestry 5 support annotations while Wicket, out-of-the-box, does not.

Evaluating for REST support, only Tapestry 5 supports it out-of-the-box. And Client-side validation — automatic generation of JavaScript — is only supported by Tapestry 5 as well. And finally, if the developer has to write the XHR objects or the JavaScript, both Wicket and Tapestry 5 support automatic AJAX generation. Wicket is a very event-driven framework, so for the developer to implement an AJAX callback within Wicket it is straight-forward. It looks and feels like implementing a JavaScript callback, onBlur, onSubmit, done in Java code. The message signatures look very much like the method signatures in JavaScript.

And the “Winner” is…?

Choosing a winner is obviously subjective. It’s certainly possible to use all of the various formulas discussed above: popularity, community, learning, and architecture, plus pragmatically looking at RAD and RIA. The chart below, then, is based purely on numeric ranking. The lower number is best.

For Popularity, JSF is ranked first.

Note: For RAD and RIA, the ranking is 1st, 2nd, and 3rd for Action-Based, and then again for Component-based, so they’re ranked twice. Therefore, Stripes is ranked as more productive under Action-based RAD, though it’s only more productive because it supports more of the evaluation criteria, and Spring MVC is better from a RIA perspective because it supports more of the capabilities that were identified. On the Component-based side, Tapestry supports more of the RAD capabilities for both RAD and RIA.

So, in conclusion, obviously the list of frameworks we evaluated is not comprehensive. You may want to add to the list or take things away. It depends very much on the type of web application that you intend to build and what features and functionality you are looking for. And, to be clear, in the table above, Tapestry comes out as the winner, but in no way does this suggest some sort of absolute winner. Nor is JSF the biggest loser.

Other Considerations

There are other criteria that you may very well want to consider. Licensing is one. In this case, every single framework supports the Apache 2 license, which is very good for the developer community.

They all support Java 1.5 except for Spring MVC, which utilizes Java 1.4. This may not be an issue if your organization only has 1.4.

Most of the frameworks support Spring, so typically you can layer your framework on top of Spring. There’s some debate and discussion on whether you can get Spring and Wicket to work nicely together, hence the question mark here.

JSF support is uneven, but all of the frameworks support a validation mechanism. You could also evaluate whether the framework supports JPA, or EJB, or has a templating engine.

A Note about Scaffolding
If you truly want to get that scaffolding functionality with generation of the UIs or the views, and generation of the controllers, models, and CRUD operations, the first thing you probably have to do is move away from an MVC and into a full-stack implementation. Seam, for example, has a full-stack implementation. The challenge with SEAM is that it is really focused on Java EE development, and if you don’t like Java EE that’s not so great for you. More commonly, if you want the full scaffolding support, you’ll use a dynamic language in a dynamic language framework like Ruby on Rails or Grails. The point is that if you want the full-stack capability interacting with a database you have to move beyond a framework that is just structured around re-usability of the model view and controller.

So… that’s how things stack up!

Affects:

• Solaris 10 and prior [Low]

Description

Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality and integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2382
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Fusion Middleware 10.1.4.0.1 and prior [Low]

Description

Unspecified vulnerability in the Application Server Control component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1 allows remote authenticated users to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2381
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Peoplesoft And Jdedwards Suite Scm 9.1 and prior [Medium]

Description

Unspecified vulnerability in the PeopleSoft Enterprise FSCM component in Oracle PeopleSoft and JDEdwards Suite SCM 8.9 Bundle #37, SCM 9.0 Bundle #30, and SCM 9.1 Bundle #4 allows local users to affect confidentiality, integrity, and availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2380
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Peoplesoft And Jdedwards Suite Hcm 9.1 and prior [Medium]

Description

Unspecified vulnerability in the PeopleSoft Enterprise HCM – Time & Labor component in Oracle PeopleSoft and JDEdwards Suite HCM 9.0 Bundle #13 and HCM 9.1 Bundle #2 allows remote authenticated users to affect confidentiality via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2379
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Peoplesoft And Jdedwards Suite Crm 9.1 and prior [Low]

Description

Unspecified vulnerability in the PeopleSoft Enterprise CRM component in Oracle PeopleSoft and JDEdwards Suite CRM 9.0 Bundle #28 and CRM 9.1 Bundle #4 allows local users to affect confidentiality and integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2378
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Peoplesoft And Jdedwards Product Suite 8.50.10 and prior [Medium]

Description

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft and JDEdwards Suite 8.49.27 and 8.50.10 allows remote authenticated users to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2377
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Solaris 10 and prior [Low]

Description

Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality and integrity via unknown vectors related to Solaris Management Console.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2376
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Weblogic Server Component 10.3.3 and prior [Medium]

Description

Package/Privilege: Plugins for Apache, Sun and IIS web servers Unspecified vulnerability in the WebLogic Server component in Oracle Fusion Middleware 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, and 10.3.3 allows remote attackers to affect confidentiality and integrity, related to IIS.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2375
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Solaris Studio 12 [Low]

Description

Unspecified vulnerability in Solaris Studio 12 update 1 allows local users to affect confidentiality and integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2374
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Enterprise Manager Grid Control 10.2.0.5 and prior [Medium]

Description

Unspecified vulnerability in the Console component in Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2373
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Supply Chain Products Suite 6.1.1 [Medium]

Description

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1.1 allows remote attackers to affect integrity via unknown vectors, a different vulnerability than CVE-2010-2371.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2372
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Supply Chain Products Suite 6.1.1 [Low]

Description

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1.1 allows local users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2010-2372.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2371
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Fusion Middleware 10.3 and prior [Medium]

Description

Unspecified vulnerability in the Oracle Business Process Management component in Oracle Fusion Middleware 5.7 MP3, 6.0 MP5, and 10.3 MP2 allows remote attackers to affect integrity, related to BPM.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2370
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Opensolaris 10 [Medium]

Description

Unspecified vulnerability in Oracle OpenSolaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to rdist.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0916
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• E-business Suite 12.1.2 and prior [Medium]

Description

Unspecified vulnerability in the Oracle Advanced Product Catalog component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0915
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Sun Convergence 1.0 [Medium]

Description

Unspecified vulnerability in Oracle Sun Convergence 1.0 allows remote attackers to affect confidentiality via unknown vectors related to Mail, Calendar, Address Book, and Instant Messaging.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0914
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• E-business Suite 12.1.2 and prior [Medium]

Description

Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0913
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• E-business Suite 12.1.2 and prior [Medium]

Description

Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0912
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Database Server 11.2.0.1 and prior [High]

Description

Unspecified vulnerability in the Listener component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote attackers to affect availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0911
Severity: High

NIST National Vulnerabilities Database

Affects:

• Timesten In-memory Database 11.2.1.4.1 and prior [Medium]

Description

Unspecified vulnerability in the Data Server component in Oracle TimesTen In-Memory Database 7.0.6.0 and 11.2.1.4.1 allows remote attackers to affect availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0910
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• E-business Suite 12.1.2 and prior [Low]

Description

Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect confidentiality via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0909
Severity: Low

NIST National Vulnerabilities Database

Affects:

• E-business Suite 12.1.2 [High]

Description

Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0908
Severity: High

NIST National Vulnerabilities Database

Affects:

• Secure Backup 10.3.0.1 [Unknown Severity]

Description

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0898, CVE-2010-0899, CVE-2010-0904, and CVE-2010-0906.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0907
Severity: Unknown Severity

NIST National Vulnerabilities Database

Affects:

• Secure Backup 10.3.0.1 [High]

Description

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0906
Severity: High

NIST National Vulnerabilities Database

Affects:

• E-business Suite 12.0.4 and prior [Medium]

Description

Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2 and 12.0.4 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0905
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Secure Backup 10.3.0.1 [Medium]

Description

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0904
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Database Server 11.2.0.1 and prior [High]

Description

Unspecified vulnerability in the Net Foundation Layer component in Oracle Database Server 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1, when running on Windows, allows remote attackers to affect availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0903
Severity: High

NIST National Vulnerabilities Database

Affects:

• Database Server 11.2.0.1 and prior [Medium]

Description

Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0902
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Database Server 11.2.0.1 and prior [Low]

Description

Unspecified vulnerability in the Export component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Select Any Dictionary.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0901
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Database Server 11.2.0.1 and prior [Low]

Description

Unspecified vulnerability in the Network Layer component in Oracle Database Server 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1, when running on Windows, allows remote attackers to affect availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0900
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Secure Backup 10.3.0.1 and prior [High]

Description

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0898, CVE-2010-0907, and CVE-2010-0906.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0899
Severity: High

NIST National Vulnerabilities Database

Affects:

• Secure Backup 10.3.0.1 [Unknown Severity]

Description

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0898
Severity: Unknown Severity

NIST National Vulnerabilities Database

Affects:

• Database Server 3.2.0.00.27 [Medium]

Description

Unspecified vulnerability in the Application Express component in Oracle Database Server 3.2.0.00.27 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0892
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Timesten In-memory Database 7.0.6.0 [Unknown Severity]

Description

Unspecified vulnerability in the Data Server component in Oracle TimesTen In-Memory Database 7.0.6.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0873
Severity: Unknown Severity

NIST National Vulnerabilities Database

Affects:

• E-business Suite 12.1.2 and prior [Low]

Description

Unspecified vulnerability in the Oracle Knowledge Management component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0836
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Fusion Middleware 10.1.2.3 [Medium]

Description

Unspecified vulnerability in the Wireless component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0835
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Opensolaris 10 and prior [High]

Description

Unspecified vulnerability in Oracle OpenSolaris 8, 9, and 10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0083
Severity: High

NIST National Vulnerabilities Database

Affects:

• Opensso Enterprise 8.0 [Medium]

Description

Unspecified vulnerability in Oracle OpenSSO Enterprise 8.0 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2009-3762
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Fusion Middleware 10.1.4.0.1 and prior [Low]

Description

Unspecified vulnerability in the Application Server Control component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1 allows remote authenticated users to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0081
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Opensso Enterprise 8.0 [Medium]

Description

Unspecified vulnerability in the OpenSSO component in Oracle OpenSSO Enterprise 8.0 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2009-3764
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Opensso Enterprise 8.0 and prior [Medium]

Description

Unspecified vulnerability in the Access Manager / OpenSSO component in Oracle OpenSSO Enterprise 7.1, 7, 2005Q4, and 8.0 allows remote attackers to affect integrity via unknown vectors.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2009-3763
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Freebsd 8.1 and prior [High]

Description

FreeBSD 7.1 through 8.1-PRERELEASE does not copy the read-only flag when creating a duplicate mbuf buffer reference, which allows local users to cause a denial of service (system file corruption) and gain privileges via the sendfile system call.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2693
Severity: High

NIST National Vulnerabilities Database

Affects:

• Mysql 5.1.47 and prior [Low]

Description

MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2008
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Hierarchical Select 6.x-3.1 and prior [Low]

Description

Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 5.x before 5.x-3.2 and 6.x before 6.x-3.2 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via unspecified vectors in the hierarchical_select form.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2724
Severity: Low

NIST National Vulnerabilities Database

Affects:

• Listserv 16.0 and prior [Medium]

Description

Cross-site scripting (XSS) vulnerability in LISTSERV 15 and 16 allows remote attackers to inject arbitrary web script or HTML via the T parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2723
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Lyrics Engine 3.0 [Medium]

Description

Cross-site scripting (XSS) vulnerability in index.php in RightInPoint Lyrics Script 3.0 allows remote attackers to inject arbitrary web script or HTML via the artist_id parameter, which is not properly handled in a forced SQL error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2722
Severity: Medium

NIST National Vulnerabilities Database

Affects:

• Lyrics Engine 3.0 [High]

Description

SQL injection vulnerability in index.php in RightInPoint Lyrics Script 3.0 allows remote attackers to execute arbitrary SQL commands via the artist_id parameter in an addalbum action.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2721
Severity: High

NIST National Vulnerabilities Database

Affects:

• Phpaacms 0.3.1 [High]

Description

SQL injection vulnerability in list.php in phpaaCms 0.3.1 UTF-8, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-2720
Severity: High

NIST National Vulnerabilities Database