Session fixation / getSession(true) does not create new SessionID
by Ludwig Adam
Hi group,
we are currently looking for ways to improve the security in our web
applications to prevent session fixation.
We are looking for ways to generate a new session ID after a user has
been authenticated.
This is our scenario:
- The web application contains public and private content
- public content is available by http, private/restricted content is
only available by https
- If the user is logging in, communication is done only by https
We now want to generate a new session ID for the user session once he
has authenticated in order to prevent session fixation / session
hijacking (e.g. if chuck sniffs the http communication / the user doesn't
use cookies and publishes a link with the ;jsessionid parameter).
The solutions found so far all suggested an
HttpServletRequest.getSession(true) after an invalidation:
if (session.isNew()) {
    session.invalidate();               // Invalidate old Session
    session = request.getSession(true); // Create new Session ID
}
However, running this code on JBoss does not show the expected
behaviour; no new session ID is created.
System.out.println(session.getId());  // Prints "Foo"
session.invalidate();                 // Invalidate old Session
session = request.getSession(true);   // Should create new SessionID
System.out.println(session.getId());  // Prints "Foo" again.
Any hints on how we can work around this issue, or what we are doing wrong
here, are greatly appreciated.
Thanks,
Ludwig
19 years
[JBoss Seam] - Re: @Filter example
by anescu
Thanks,
I was sure I also tested with that code and failed, but apparently now it's working.
I was not able to make it work with an entity type parameter; it says something about not being able to detect the type for the parameter. So I tested with a Long parameter (the id of the entity) and it's working.
Does anyone know any more about that? The Type would be a POJO entity.
Also another problem. As I said, we have a combo box and the user chooses a "current object". If I go directly to the tab that contains my filtered entity, without setting a current object first, I get this kind of error:
Caused by: org.hibernate.HibernateException: Filter [hubFilteredChannels] parameter [currentHubId] value not set
| at org.hibernate.impl.FilterImpl.validate(FilterImpl.java:145)
| at org.jboss.seam.persistence.HibernatePersistenceProvider.enableFilter(HibernatePersistenceProvider.java:62)
Why not just use the null value instead???
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4046205#4046205
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4046205
19 years
[JBoss Seam] - @Factory method not called
by mavoine
Hi all,
I'm currently setting up Seam in an already working JSF based project. There is a hack that I wrote to call an action to init a bean when invoking a JSF page from a non-JSF servlet. I'm trying to replace it with a @Factory method but I'm really struggling here.
I'm running JSF on the Resin web server using the MyFaces implementation. I followed the setup instructions in chapter 21 of the Seam documentation (http://docs.jboss.com/seam/1.2.1.GA/reference/en/html/configuration.html) and the bean is super simple, heavily inspired by the example found at: http://java.sys-con.com/read/180363.htm
Now my problem is that the @Factory method is never called and the server fails badly, giving me a blank page and throwing an ugly exception on the console:
| javax.servlet.ServletException: Could not retrieve value of component with path : {Component-Path : [Class: javax.faces.component.UIViewRoot,ViewId: /faces/dataview/news.jsp][Class: javax.faces.component.html.HtmlOutputText,Id: date]}
| at javax.faces.webapp.FacesServlet.service(FacesServlet.java:154)
| at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:106)
| at com.caucho.server.webapp.DispatchFilterChain.doFilter(DispatchFilterChain.java:115)
| at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:229)
| at com.caucho.server.webapp.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:277)
| at com.caucho.server.webapp.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:106)
| at com.firstline.report.WebActionHandler.sendJSFPage(WebActionHandler.java:190)
| at com.firstline.report.WebActionHandler.sendPage(WebActionHandler.java:110)
| at com.firstline.report.WebActionHandler.service(WebActionHandler.java:89)
| at com.firstline.report.WebActionHandler.service(WebActionHandler.java:36)
| at com.firstline.servlet.IServer.doGet(IServer.java:106)
| at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
| at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
| at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:106)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:63)
| at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:53)
| at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:79)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
| at org.jboss.seam.web.SeamFilter.doFilter(SeamFilter.java:84)
| at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:70)
| at com.firstline.servlet.filter.PersistenceSessionFilter.doFilter(PersistenceSessionFilter.java:34)
| at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:70)
| at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:173)
| at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:229)
| at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:274)
| at com.caucho.server.port.TcpConnection.run(TcpConnection.java:511)
| at com.caucho.util.ThreadPool.runTasks(ThreadPool.java:520)
| at com.caucho.util.ThreadPool.run(ThreadPool.java:442)
| at java.lang.Thread.run(Thread.java:595)
|
My Bean :
| package com.mobicom.presentation.bean.page;
|
| import java.io.Serializable;
| import java.util.Date;
|
| import org.jboss.seam.ScopeType;
| import org.jboss.seam.annotations.Factory;
| import org.jboss.seam.annotations.In;
| import org.jboss.seam.annotations.Name;
| import org.jboss.seam.annotations.Out;
| import org.jboss.seam.annotations.Scope;
|
| import com.mobicom.model.bo.Language;
| import com.mobicom.model.bo.News;
| import com.mobicom.model.dao.LanguageDAO;
| import com.mobicom.presentation.bean.application.SessionBean;
| import com.mobicom.presentation.resources.text.TextResource;
| import com.mobicom.presentation.util.MessageHandler;
| import com.mobicom.presentation.util.TextKey;
| import com.mobicom.service.NewsService;
|
| @Name("newsBean")
| @Scope(ScopeType.SESSION)
| public class NewsBean implements Serializable {
|
|     private static final long serialVersionUID = 1L;
|
|     @In
|     ToolbarBean toolbarBean;
|     @In
|     SessionBean sessionBean;
|     @Out
|     Date postDate;
|     @Out
|     String postText;
|
|     public String process() {
|
|         try {
|             // update toolbar
|             toolbarBean.setCurrentReport(ToolbarBean.CURRENT_REPORT_NOT_SET);
|             toolbarBean.setPrinterFriendlyPath("/dynamic/faces/dataview/newsPF.jsf");
|             toolbarBean.setShowExportToExcel(false);
|             toolbarBean.setReportName(TextResource.getTextResourceString(new TextKey("News"), null, sessionBean.getCurrentLocale()));
|             toolbarBean.setRefreshAction("newsBean.process");
|
|             Language language = LanguageDAO.getInstance().findByPk(sessionBean.getLanguageCode());
|             News news = NewsService.getInstance().findCurrentNews();
|             postDate = news.getNewsTime();
|             postText = news.getNewsDescription().getText(language);
|
|         } catch (Exception ex) {
|             MessageHandler.handleGenericException(ex);
|             return "error";
|         }
|
|         return "success";
|     }
|
|     // Factory for the "postDate" context variable; the value itself is outjected by the @Out field
|     @Factory("postDate")
|     public void myFactory() {
|         process();
|     }
|
|     public ToolbarBean getToolbarBean() {
|         return toolbarBean;
|     }
|
|     public void setToolbarBean(ToolbarBean toolbarBean) {
|         this.toolbarBean = toolbarBean;
|     }
|
|     public SessionBean getSessionBean() {
|         return sessionBean;
|     }
|
|     public void setSessionBean(SessionBean sessionBean) {
|         this.sessionBean = sessionBean;
|     }
|
|     public String getPostText() {
|         return postText;
|     }
|
|     public void setPostText(String newsData) {
|         this.postText = newsData;
|     }
|
|     public Date getPostDate() {
|         return postDate;
|     }
|
|     public void setPostDate(Date postDate) {
|         this.postDate = postDate;
|     }
|
| }
|
And my page:
| <%@ taglib uri="/WEB-INF/taglib/myfaces_html.tld" prefix="h"%>
| <%@ taglib uri="/WEB-INF/taglib/myfaces_core.tld" prefix="f"%>
| <%@ taglib uri="/WEB-INF/taglib/tomahawk.tld" prefix="t"%>
|
| <f:view locale="#{sessionBean.currentLocale}">
|
|     <f:loadBundle basename="com.mobicom.presentation.resources.text.TextResource" var="text"/>
|
|     <jsp:include page="/inc/page-top-1.jsp"/>
|     <!-- window title -->
|     <h:outputText id="pageTitle" value="<title>#{text['News']}</title>" escape="false"/>
|     <jsp:include page="/inc/page-top-2.jsp"/>
|     <jsp:include page="/inc/main-header.jsp"></jsp:include>
|
|     <jsp:include page="/faces/dataview/debugInfo.jsp"/>
|
|     <div class="content">
|
|         <jsp:include page="/inc/toolbar.jsp"/>
|
|         <div class="container">
|
|             <h:form id="newsForm">
|                 <table class="standardForm" style="width: 100%;">
|                     <tr>
|                         <th><h:outputText id="dateLabel" value="#{text['Date']}"/></th>
|                         <th><h:outputText id="newsLabel" value="#{text['News']}" escape="false"/></th>
|                     </tr>
|                     <tr>
|                         <td style="text-align: center; width: 100; font-weight: normal; background-color: #F7F7FB; ">
|                             <h:outputText id="date" value="#{newsBean.postDate}" escape="false">
|                                 <f:convertDateTime pattern="yyyy-MM-dd" timeZone="#{sessionBean.timeZone}"/>
|                             </h:outputText>
|                         </td>
|                         <td style="text-align: center; font-weight: normal; background-color: #F7F7FB;">
|                             <h:outputText id="text" value="#{newsBean.postText}" escape="false"/>
|                         </td>
|                     </tr>
|                 </table>
|                 <table class="dataTableFooter" style="width: 100%;">
|                     <tr>
|                         <td>
|                             <h:commandLink id="reloadLink" action="#{newsBean.process}">
|                                 <h:outputText id="reloadLinkLabel" value="#{text['Reload']}"/>
|                             </h:commandLink>
|                         </td>
|                     </tr>
|                 </table>
|             </h:form>
|         </div><!-- end div: container -->
|
|     </div><!-- end div: content -->
|
|     <jsp:include page="/inc/main-footer.jsp"/>
|     <jsp:include page="/inc/page-bottom.jsp"/>
|
| </f:view>
|
Thanks for helping!
Math
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4046203#4046203
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4046203
19 years