[JBoss Seam] - Re: sessionId cookie: man-in-the-middle attack
by avbentem
> browsers don't actually maintain two session ids,
> one for HTTP and one for HTTPS
Ohhh, good thinking...!
You might know that a cookie can be set to be secure, and should then not be used for plain HTTP. I guess all browsers support that and won't send secure cookies over non-SSL connections.
Of course we can also find specifications for the specific situation you describe, but I doubt one can rely on those being implemented alike by all browsers. Like what happens while switching, and while using HTTP and HTTPS simultaneously. Maybe some browser sends back two cookies for SSL connections: both the HTTP and HTTPS cookies -- but then how would one tell from the HTTP header which is which... And another browser or a future version might do it differently I suppose. So: that's not going to help.
I assume the actual session handling is not done by Seam, right? (thus: one cannot use different cookie names for HTTP and HTTPS)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050757#4050757
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050757
18 years, 10 months
[EJB/JBoss] - Re: tx attributte - supports doesn't work as expected
by jaikiran
anonymous wrote : EntityManager must be access within a transaction
Which means that when you are accessing the entity manager in your createAirport method, there should be an active transaction. As you already correctly mentioned:
anonymous wrote :
| As you can see I configured it with SUPPORTS transaction attribute, so when there is a transaction all methods in my bean will use it, when there is no transaction context then bean wouldn't begin a new one
I believe when the createAirport method is being called, there is no active transaction and since the transaction attribute that you have specified is SUPPORTS, the server won't create a new one. You might want to change the transaction attribute to REQUIRED instead of SUPPORTS. For transaction attribute REQUIRED, a new transaction is created when there is no active transaction. If there is an active transaction then the same will be used for that method. So try changing
anonymous wrote : @TransactionAttribute(TransactionAttributeType.SUPPORTS)
to
@TransactionAttribute(TransactionAttributeType.REQUIRED)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050755#4050755
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050755
18 years, 10 months
[JBoss Seam] - Re: sessionId cookie: man-in-the-middle attack
by gavin.king@jboss.com
anonymous wrote : Old session data should then be copied to new session.
OK, I guess I can see how this is useful in some cases of upgrading from HTTP to HTTPS, but actually I was thinking more of the opposite case of HTTPS back down to HTTP. At this point the session data should be destroyed, since it can have sensitive information in it (esp. in a stateful Seam app).
However, my current implementation didn't account for multi-window operation (!) so I will have to actually enhance it to "remember" the latest scheme because (correct me if I'm wrong) browsers don't actually maintain two session ids, one for HTTP and one for HTTPS, they just pop up an impenetrable and ignorable dialog to the user saying "you are about to change from a secure to an insecure connection". Right?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050754#4050754
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050754
18 years, 10 months
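An added example, not from the thread and not Seam's code, that checks the two cookie claims discussed in this thread (one session id shared across HTTP and HTTPS, and Secure cookies being withheld from plain HTTP) against Python's standard `http.cookiejar` client. The host name, cookie values and the `FakeResponse` helper are constructed for the demonstration; individual browsers may differ in details.

```python
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "app.example.com"  # constructed host name, not from the thread


class FakeResponse:
    """Minimal response object carrying one constructed Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def receive(jar, scheme, set_cookie):
    """Store a Set-Cookie header as if it arrived over the given scheme."""
    jar.extract_cookies(FakeResponse(set_cookie), Request(f"{scheme}://{HOST}/app/login"))


def sent(jar, scheme):
    """Return the Cookie header the client would attach, or None."""
    request = Request(f"{scheme}://{HOST}/app/page")
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def run_cases():
    plain, secure, both = CookieJar(), CookieJar(), CookieJar()
    # Case 1: session cookie issued over HTTP without the Secure attribute.
    receive(plain, "http", "JSESSIONID=plain123; Path=/")
    # Case 2: session cookie issued over HTTPS with the Secure attribute.
    receive(secure, "https", "JSESSIONID=tls456; Path=/; Secure")
    # Case 3: same cookie name issued first over HTTP, then over HTTPS.
    receive(both, "http", "JSESSIONID=plain123; Path=/")
    receive(both, "https", "JSESSIONID=tls456; Path=/; Secure")
    return {
        "plain": (sent(plain, "http"), sent(plain, "https")),
        "secure": (sent(secure, "http"), sent(secure, "https")),
        "both": (sent(both, "http"), sent(both, "https"), len(both)),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

In case 3 the jar ends with a single JSESSIONID entry: the cookie is stored by domain, path and name, so the HTTPS response replaced the HTTP one instead of creating a second, scheme-specific cookie.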
[EJB/JBoss] - tx attributte - supports doesn't work as expected
by adamzrk
Hi
I've got an EJB:
| import java.util.List;
| import javax.ejb.Stateless;
| import javax.ejb.TransactionAttribute;
| import javax.ejb.TransactionAttributeType;
| import javax.persistence.EntityManager;
| import javax.persistence.PersistenceContext;
|
| @Stateless
| @TransactionAttribute(TransactionAttributeType.SUPPORTS)
| public class AirportDaoBean implements AirportDaoLocal, AirportDaoRemote {
|
|     @PersistenceContext
|     private EntityManager manager;
|
|     @Override
|     public void createAirport(Airport airport) {
|         manager.persist(airport);
|     }
|
|     @Override
|     public Airport getAirportById(int id) {
|         return manager.find(Airport.class, id);
|     }
|
|     @Override
|     public List<Airport> getAll() {
|         return manager.createQuery("from Airport order by city.country.name").getResultList();
|     }
|
| }
As you can see I configured it with SUPPORTS transaction attribute, so when there is a transaction all methods in my bean will use it, when there is no transaction context then bean wouldn't begin a new one. So my question is: why do I get the exception:
| Caused by: javax.persistence.TransactionRequiredException: EntityManager must be access within a transaction
| at org.jboss.ejb3.entity.ManagedEntityManagerFactory.verifyInTx(ManagedEntityManagerFactory.java:150)
| at org.jboss.ejb3.entity.TransactionScopedEntityManager.persist(TransactionScopedEntityManager.java:174)
| at master.airport.logic.impl.AirportDaoBean.createAirport(AirportDaoBean.java:24)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:597)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112)
| at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166)
| at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerIntercepto
Regards
Adam
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050752#4050752
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050752
18 years, 10 months
[Clustering/JBoss] - mod_jk 1.2 not distrubuting HTTP requests evenly
by mjgreene550
I've successfully configured jboss 4.0.5 for clustering and I have to say it was pretty easy with all the documentation provided by JBoss. Fail over and farming work as advertised.
I'm currently trying to configure HTTP Session Replication.
My only concern is the mod_jk connector doesn't seem to be distributing the http requests evenly over the two nodes. The documentation that I've read suggests that mod_jk should alternate the requests over all of the nodes. In my case, it will alternate requests over all the nodes but not evenly. What ends up happening is Node 1 will handle say 9 requests, Node 2 will get 1 request, and then Node 1 gets a bunch more.
I feel like I'm missing something simple here, can anyone point me in the right direction? Much obliged.
My workers.properties file:
| # Define list of workers that will be used
| # for mapping requests
| worker.list=loadbalancer,status
|
| # Define Node1
| # modify the host as your host IP or DNS name.
| worker.node1.port=8009
| worker.node1.host=192.168.1.31
| worker.node1.type=ajp13
| worker.node1.lbfactor=1
| worker.node1.cachesize=10
|
| # Define Node2
| # modify the host as your host IP or DNS name.
| worker.node2.port=8009
| worker.node2.host=192.168.1.32
| worker.node2.type=ajp13
| worker.node2.lbfactor=1
| worker.node2.cachesize=10
|
| # Load-balancing behaviour
| worker.loadbalancer.type=lb
| worker.loadbalancer.balance_workers=node1,node2
| worker.loadbalancer.sticky_session=0
| #worker.list=loadbalancer
|
| # Status worker for managing load balancer
| worker.status.type=status
My mod-jk.conf file:
| # Load mod_jk module
| # Specify the filename of the mod_jk lib
| LoadModule jk_module modules/mod_jk.so
|
| # Where to find workers.properties
| JkWorkersFile conf/workers.properties
|
| # Where to put jk logs
| JkLogFile logs/mod_jk.log
|
| # Set the jk log level [debug/error/info]
| JkLogLevel info
|
| # Select the log format
| JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
|
| # JkOptions indicates to send SSL KEY SIZE
| JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
|
| # JkRequestLogFormat
| JkRequestLogFormat "%w %V %T"
|
| # Mount your applications
| JkMount /* loadbalancer
|
| # You can use external file for mount points.
| # It will be checked for updates each 60 seconds.
| # The format of the file is: /url=worker
| # /examples/*=loadbalancer
| #JkMountFile conf/uriworkermap.properties
|
| # Add shared memory.
| # This directive is present with 1.2.10 and
| # later versions of mod_jk, and is needed for
| # load balancing to work properly
| JkShmFile logs/jk.shm
|
| # Add jkstatus for managing runtime data
| <Location /jkstatus/>
| JkMount status
| Order deny,allow
| Deny from all
| Allow from 127.0.0.1
| </Location>
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050751#4050751
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050751
18 years, 10 months
[JBoss Messaging] - Re: MBean Servic cannot open jms session
by chip_schoch
I also have a web app from which I attempted to connect to JMS and I observe the same behavior.
| java.lang.NullPointerException
| at org.jboss.jms.client.container.FailoverValveInterceptor.invoke(FailoverValveInterceptor.java:86)
| at org.jboss.aop.advice.PerInstanceInterceptor.invoke(PerInstanceInterceptor.java:105)
| at org.jboss.jms.client.delegate.ClientConnectionDelegate$createSessionDelegate_6052335267724906805.invokeNext(ClientConnectionDelegate$createSessionDelegate_6052335267724906805.java)
| at org.jboss.jms.client.container.ClosedInterceptor.invoke(ClosedInterceptor.java:170)
| at org.jboss.aop.advice.PerInstanceInterceptor.invoke(PerInstanceInterceptor.java:105)
| at org.jboss.jms.client.delegate.ClientConnectionDelegate$createSessionDelegate_6052335267724906805.invokeNext(ClientConnectionDelegate$createSessionDelegate_6052335267724906805.java)
| at org.jboss.jms.client.delegate.ClientConnectionDelegate.createSessionDelegate(ClientConnectionDelegate.java)
| at org.jboss.jms.client.JBossConnection.createSessionInternal(JBossConnection.java:269)
| at org.jboss.jms.client.JBossConnection.createSession(JBossConnection.java:91)
| at com.eLynx.Controller.TestController.testMessaging(TestController.java:110)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at com.eLynx.Dispatch.XmlDispatcher.dispatch(XmlDispatcher.java:160)
| at com.eLynx.Dispatch.XmlDispatcher.dispatch(XmlDispatcher.java:81)
| at com.eLynx.Servlet.XmlWebappServlet.doPost(XmlWebappServlet.java:119)
| at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
| at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
The code in the servlet that the exception occurred on:
| m_initialContext = ConnectionManager.getInitialContext ();
| ConnectionFactory factory = (ConnectionFactory) m_initialContext.lookup ("/ConnectionFactory");
| m_jmsConnection = factory.createConnection ();
| m_jmsSession = (QueueSession) m_jmsConnection.createSession (false, Session.AUTO_ACKNOWLEDGE);
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050749#4050749
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050749
18 years, 10 months