[Security & JAAS/JBoss] - Session fixation problem
by ladam
Hi group,
I have already posted this to the jboss-user ML with no success, so I hope I don't get slapped for cross-posting...
We are currently looking for ways to improve the security in our web applications to prevent session fixation.
We are looking for ways to generate a new session ID after a user has been authenticated.
This is our scenario:
- The web application contains public and private content
- Public content is available over HTTP; private/restricted content is only available over HTTPS
- If the user is logging in, communication is done only over HTTPS
We now want to generate a new session ID for the user session once he has authenticated, in order to prevent session fixation / session hijacking (e.g. if Chuck sniffs the HTTP communication, or the user doesn't use cookies and publishes a link with the ;jsessionid parameter).
The solutions found so far all suggested an
HttpServletRequest.getSession(true) after an invalidation:
| if (!session.isNew()) {
|     session.invalidate(); // Invalidate old session
|     session = request.getSession(true); // Create new session ID
| }
However, running this code on JBoss does not show the expected behaviour: no new session ID is created.
| System.out.println(session.getId()); // Prints "Foo"
| session.invalidate(); // Invalidate old session
| session = request.getSession(true); // Should create a new session ID
| System.out.println(session.getId()); // Prints "Foo" again.
Any hints on how we can work around this issue, or what we are doing wrong here, are greatly appreciated.
Thanks,
Ludwig
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047164#4047164
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4047164
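Session ID regeneration for a Servlet 2.x container such as JBoss 4, added here as an illustration and not taken from the post: it snapshots the attributes, invalidates, requests a fresh session and then checks that the client-supplied ID was really replaced instead of assuming that getSession(true) did so. The class and method names are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not code from the post): swap the caller's session for a
 * fresh one after authentication on a Servlet 2.x container (JBoss 4),
 * where HttpServletRequest.changeSessionId() does not exist yet.
 */
public final class SessionRegenerator {

    private SessionRegenerator() {}

    /**
     * Returns true if the session the client is now bound to does not carry
     * the ID the client sent in; false means the container handed the
     * requested ID back and the login must not be treated as complete.
     */
    public static boolean regenerate(HttpServletRequest request) {
        // ID presented by the client (cookie or ;jsessionid), if any: this is
        // the value an attacker could have planted, so it must not survive.
        String requested = request.getRequestedSessionId();

        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            // invalidate() discards the attributes, so snapshot them first
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }

        // The check the snippet in the post lacks: verify rather than assume.
        return requested == null || !requested.equals(fresh.getId());
    }
}
```

A false return is the symptom the post describes; on Tomcat 5.5-based containers one known cause is the connector attribute emptySessionPath="true", which makes getSession(true) reuse a cookie-supplied ID, so the return value should gate the login instead of being ignored.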
[Messaging, JMS & JBossMQ] - JBoss throwing org.jboss.mq.SpyJMSException
by dey_s
Hi,
We are using jboss-4.0.1sp1 for a project running on Linux 2.4.21-47.ELsmp. There is a requirement in our project that we have to change the system time on the machine while our application (EAR) is running in JBoss, to be compliant with a specification of the semiconductor industry. When we set the system time back from whatever the current time is, we get an exception in what I think is the JMS service, after which we are unable to publish or subscribe to any message on the queue. A snippet of the stack trace is given below. Any help with this issue would be greatly appreciated.
03:17:41,233 WARN [Connection] Connection failure: org.jboss.mq.SpyJMSException: Exiting on
IOE; - nested throwable: (java.io.EOFException) at
org.jboss.mq.Connection.asynchFailure(Connection.java:436) at
org.jboss.mq.il.uil2.UILClientILService.asynchFailure(UILClientILService.java:145) at
org.jboss.mq.il.uil2.SocketManager$ReadTask.handleStop(SocketManager.java:406) at
org.jboss.mq.il.uil2.SocketManager$ReadTask.run(SocketManager.java:338) at
java.lang.Thread.run(Thread.java:595)
Thanks and regards,
Suvadeep
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047155#4047155
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4047155
[JBoss Seam] - Exception definition in pages.xml
by kooudy
Hello,
I have defined a page exception in pages.xml:
| <exception class="cz.test.TestException">
|     <end-conversation />
|     <redirect view-id="/error.seam" />
| </exception>
In places where jPDL is not defined, it works well.
But when the exception occurs in a pageflow defined by jPDL, a new exception is thrown:
| 10:41:31,656 INFO [Exceptions] reading exception mappings from /WEB-INF/pages.xml
| 10:41:31,703 ERROR [SeamPhaseListener] uncaught exception
| java.lang.IllegalStateException: pageflow has not yet started
| at org.jboss.seam.core.Pageflow.getNode(Pageflow.java:156)
| at org.jboss.seam.core.Pageflow.getPage(Pageflow.java:189)
| at org.jboss.seam.core.Pageflow.validatePageflow(Pageflow.java:99)
| ...
|
| Caused by: cz.test.TestException: Bla
| at cz.test.NewProject.createProject(NewProject.java:377)
| ... 169 more
|
| 10:41:31,703 ERROR [DebugPageHandler] redirecting to debug page
| java.lang.IllegalStateException: pageflow has not yet started
| at org.jboss.seam.core.Pageflow.getNode(Pageflow.java:156)
| at org.jboss.seam.core.Pageflow.getPage(Pageflow.java:189)
| at org.jboss.seam.core.Pageflow.validatePageflow(Pageflow.java:99)
When TestException is not (manually) thrown, the pageflow definition and transitions work, so I believe the pageflow is started in spite of the IllegalStateException.
Where did I make a mistake?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047153#4047153
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4047153
[Clustering/JBoss] - Accessing singleton MBean from a cluster node
by saxon747
Hello!
I have a cluster with 2 nodes (JBoss 4.0.5 GA) and a singleton MBean with the name "kapart.mbean:service=ScheduleManager". The singleton works correctly: if the master fails, it is started on the new master. The problem is that I'd like to access this MBean from a session bean, which can run on any node. I tried the example described here:
http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossHASingletonRemoteAccess
So I created a "singleton-jmx-adapter-service.xml" with this content:
| <?xml version="1.0" encoding="UTF-8"?>
| <server>
|   <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" name="jboss.jmx:type=singletonadaptor,name=Invoker,protocol=jrmp,service=proxyFactory">
|     <depends optional-attribute-name="InvokerName">jboss:service=invoker,type=jrmp</depends>
|     <depends optional-attribute-name="TargetName">jboss.jmx:type=adaptor,name=Invoker</depends>
|     <attribute name="JndiName">jmx/invoker/SingletonRMIAdaptor</attribute>
|     <attribute name="ExportedInterfaces">org.jboss.jmx.adaptor.rmi.RMIAdaptor,org.jboss.jmx.adaptor.rmi.RMIAdaptorExt</attribute>
|     <attribute name="ClientInterceptors">
|       <interceptors>
|         <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
|         <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
|         <interceptor>org.jboss.jmx.connector.invoker.client.InvokerAdaptorClientInterceptor</interceptor>
|         <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
|       </interceptors>
|     </attribute>
|   </mbean>
| </server>
I put this document in the "deploy-hasingleton" directory on both servers. I tried to access the MBean like this:
| // imports needed by this snippet
| import java.util.Hashtable;
| import javax.management.ObjectName;
| import javax.naming.Context;
| import javax.naming.InitialContext;
| import org.jboss.jmx.adaptor.rmi.RMIAdaptor;
|
| Hashtable jndiProperties = new Hashtable();
| jndiProperties.put( Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory" );
| jndiProperties.put( Context.PROVIDER_URL, "localhost:1100" ); // HA-JNDI port
| jndiProperties.put( "java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces" );
| Context context = new InitialContext( jndiProperties );
| RMIAdaptor rmiAdaptor = (RMIAdaptor) context.lookup( "jmx/invoker/SingletonRMIAdaptor" );
| if ( (rmiAdaptor != null) && rmiAdaptor.isRegistered( new ObjectName("kapart.mbean:service=ScheduleManager") ) ) {
|     rmiAdaptor.invoke( new ObjectName("kapart.mbean:service=ScheduleManager"), "startSingleton", null, null );
| }
1100 is my HA-JNDI port.
I got the following error:
| java.lang.SecurityException: Failed to authenticate principal=null, securityDomain=jmx-console
| at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:97)
| at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
| at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
| at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
| at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
| at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
| at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
| at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
| at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
| at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
| at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
| at sun.rmi.transport.Transport$1.run(Transport.java:153)
| at java.security.AccessController.doPrivileged(Native Method)
| at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
| at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
| at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
| at java.lang.Thread.run(Thread.java:595)
| at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
| at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
| at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
| at org.jboss.invocation.jrmp.server.JRMPInvoker_Stub.invoke(Unknown Source)
| at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:133)
| at org.jboss.invocation.InvokerInterceptor.invokeInvoker(InvokerInterceptor.java:365)
| at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:197)
| at org.jboss.jmx.connector.invoker.client.InvokerAdaptorClientInterceptor.invoke(InvokerAdaptorClientInterceptor.java:66)
| at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
| at org.jboss.proxy.ClientMethodInterceptor.invoke(ClientMethodInterceptor.java:74)
| at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
| at $Proxy100.isRegistered(Unknown Source)
| at com.astron.kapart.schedule.ScheduleManagerBean.clearAll(ScheduleManagerBean.java:59)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112)
| at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166)
| at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:46)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
| at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:62)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.aspects.remoting.ReplicantsManagerInterceptor.invoke(ReplicantsManagerInterceptor.java:51)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
| at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:102)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:263)
| at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
| at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
| at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:828)
| at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:681)
| at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:358)
| at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:412)
| at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:239)
|
I have a user/password account for my jmx-console, but I don't know if it counts.
Thanks in advance.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047151#4047151
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4047151
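The SecurityException in the trace is raised by the invoker's AuthenticationInterceptor because the call carries no principal. The following is an added example, neither the poster's code nor JBoss's own, of the client-side JAAS login that the proxy's SecurityInterceptor (listed in the ClientInterceptors above) takes the identity from; the login configuration entry name jmx-client, the class name and the credential parameters are assumptions.

```java
import java.util.Hashtable;
import javax.management.ObjectName;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import org.jboss.jmx.adaptor.rmi.RMIAdaptor;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/**
 * Added example (not the poster's code): authenticate the caller before
 * using the RMIAdaptor proxy, so org.jboss.proxy.SecurityInterceptor can
 * forward a principal and credential to the secured JMX invoker.
 */
public final class SingletonAdaptorClient {

    // Assumed entry in the file named by java.security.auth.login.config:
    //   jmx-client { org.jboss.security.ClientLoginModule required; };
    private static final String LOGIN_CONFIG_ENTRY = "jmx-client";

    private SingletonAdaptorClient() {}

    /** Invokes a no-argument operation on the HA singleton under the given credentials. */
    public static Object invokeOnSingleton(String user, char[] password,
                                           String objectName, String operation)
            throws Exception {
        // ClientLoginModule only records the identity for the calling thread;
        // the proxy's SecurityInterceptor attaches it to every remote call.
        LoginContext lc = new LoginContext(LOGIN_CONFIG_ENTRY,
                new UsernamePasswordHandler(user, password));
        lc.login();
        try {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.PROVIDER_URL, "localhost:1100"); // HA-JNDI port from the post
            env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
            Context ctx = new InitialContext(env);
            RMIAdaptor adaptor = (RMIAdaptor) ctx.lookup("jmx/invoker/SingletonRMIAdaptor");

            ObjectName name = new ObjectName(objectName);
            if (!adaptor.isRegistered(name)) {
                throw new IllegalStateException("singleton not registered on master: " + name);
            }
            return adaptor.invoke(name, operation, null, null);
        } finally {
            lc.logout(); // drop the identity so it cannot leak into later calls on this thread
        }
    }
}
```

The credentials should come from the bean's configuration rather than being compiled into it, and the jmx-client entry must exist in the JAAS configuration the client JVM is started with.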