[undertow-dev] Session Cookie Domain?

peter royal peter.royal at pobox.com
Wed Aug 31 10:02:46 EDT 2016 

1- handlers are a chain, one won't be able to get to your resource
handler without going through the one before it first

2- very easy to do, check if the handler is running on the IO thread.
see "Dispatching to a worker thread" in
http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#undertow-handler-authors-guide

4- :)

-pete

--
(peter.royal|osi)@pobox.com - http://fotap.org/~osi


On Tue, Aug 30, 2016, at 08:16 PM, Hicks, Matt wrote:
> For a few reasons:
>  1. I'd have to insulate the resource handler and directly call it
>     from the authenticated resource (so that someone couldn't call the
>     modified path and get the resource bypassing security). Though
>     that wouldn't be terrible, it adds an additional stage in the
>     process where I'd like to handle everything at once.
>  2. In my specific use-case the security validation will be hitting
>     the database so I'd prefer it not occur on the IO thread anyway.
>  3. I'm working towards a more simplistic mapping of (path: String) =>
>     Option[Resource] to allow some paths to have different handling
>     based on the context or state of the server and add modularity in
>     so much as they don't need to know about each other.
>  4. It didn't occur to me until after I had almost finished writing
>     it. :)
> It doesn't seem Undertow has a convenient capability to just serve up
> a File easily.  That would be very useful for explicit files with
> explicit mappings without requiring a ResourceManager.
>
> On Tue, Aug 30, 2016 at 7:57 PM Stuart Douglas
> <sdouglas at redhat.com> wrote:
>> Why can't you just add a handler before the resource handler
>> to modify
>>  the path and verify the user is authenticated?
>>
>>  Stuart
>>
>>  On Wed, Aug 31, 2016 at 10:36 AM, Hicks, Matt <matt at matthicks.com>
>>  wrote:
>>  > That's unfortunate, so I completely translated ResourceHandler
>>  > into Scala to
>>  > be able to add the functionality I need:
>>  >
>>  > https://github.com/outr/hyperscala/blob/master/core/jvm/src/main/scala/org/hyperscala/FunctionalResourceManager.scala#L125
>>  >
>>  > It's not the ideal solution, but it does work.  I still need to do
>>  > some
>>  > cleanup as well, but a simple mechanism to allow some overrides or
>>  > some
>>  > separation of this massive block of logic into modular utilities
>>  > would make
>>  > Undertow far easier to customize.
>>  >
>>  > On Tue, Aug 30, 2016 at 6:03 PM Stuart Douglas
>>  > <sdouglas at redhat.com> wrote:
>>  >>
>>  >> The ResourceManager interface was not expected to be able to
>>  >> handle
>>  >> that, you should probably do that in a handler before the
>>  >> resource
>>  >> manager is invoked.
>>  >>
>>  >> Stuart
>>  >>
>>  >> On Wed, Aug 31, 2016 at 6:11 AM, Hicks, Matt <matt at matthicks.com>
>>  >> wrote:
>>  >> > Thanks Stuart, that did the trick.
>>  >> >
>>  >> > I'm extending FileResourceManager to convert from the web path
>>  >> > to an
>>  >> > internal storage path and also trying to validation against the
>>  >> > session
>>  >> > to
>>  >> > verify the logged-in state.  However, I'm running into a
>>  >> > roadblock
>>  >> > because
>>  >> > `getResource` doesn't have access to the exchange to be able to
>>  >> > get the
>>  >> > cookie value.  I tried using ThreadLocal, but it's dispatched
>>  >> > to another
>>  >> > thread so that won't work either.  How am I supposed to access
>>  >> > a cookie
>>  >> > or
>>  >> > session from within a ResourceManager.getResource?
>>  >> >
>>  >> > On Mon, Aug 29, 2016 at 8:05 PM Stuart Douglas
>>  >> > <sdouglas at redhat.com>
>>  >> > wrote:
>>  >> >>
>>  >> >> For servlet or Undertow native?
>>  >> >>
>>  >> >> For native it is controlled by the
>>  >> >> io.undertow.server.session.SessionCookieConfig implementation
>>  >> >> that is
>>  >> >> passed to the session manager.
>>  >> >>
>>  >> >> For Servlet the standard way to do it is to use a
>>  >> >> ServletContextListener to modify the domain under
>>  >> >> javax.servlet.ServletContext#getSessionCookieConfig
>>  >> >>
>>  >> >> Stuart
>>  >> >>
>>  >> >> On Fri, Aug 26, 2016 at 11:31 PM, Hicks, Matt
>>  >> >> <matt at matthicks.com>
>>  >> >> wrote:
>>  >> >> > I can't seem to figure out any way to configure the session
>>  >> >> > manager
>>  >> >> > to
>>  >> >> > define the domain of the cookie.  I want the domain to be
>>  >> >> > *.mydomain.com
>>  >> >> > so
>>  >> >> > the cookie is shared across multiple sub-domains.  Can
>>  >> >> > someone give
>>  >> >> > me
>>  >> >> > an
>>  >> >> > example of how to do this?
>>  >> >> >
>>  >> >> > Thanks
>>  >> >> >
>>  >> >> > _______________________________________________
>>  >> >> > undertow-dev mailing list
>>  >> >> > undertow-dev at lists.jboss.org
>>  >> >> > https://lists.jboss.org/mailman/listinfo/undertow-dev
> _________________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20160831/4455aae5/attachment-0001.html

More information about the undertow-dev mailing list