[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2450) OWASP / New Session after Login
by ahus1 (JIRA)
OWASP / New Session after Login
-------------------------------
Key: JBSEAM-2450
URL: http://jira.jboss.com/jira/browse/JBSEAM-2450
Project: JBoss Seam
Issue Type: Feature Request
Affects Versions: 2.0.0.GA
Environment: Linux 2.6, jetty 6.1.5, java 6
Reporter: ahus1
Hello,
OWASP has compiled a "top 10" vulnerablilities for web applications.
One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login:
"Consider regenerating a new session upon successful authentication or privilege level change."
http://www.owasp.org/index.php/Top_10_2007-A7
Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on"
I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the lowlevel functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecyle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet.
The workaround I have come up with is a filter, that destroys the complete session before the log in.
This is not very elegant, but it works for me as I don't have i.e. a shoping basket that I'd like to preserve.
A "nice" implementation in seam shouldn't have this limitation.
shane.bryzak(a)jboss.com asked for this ticket to be assigned to her.
The Java Class:
Code:
/**
* This filter enforces a new session whenever there is a POST, should be mapped
* to the URL of the login page in your web.xml
* @author Alexander Schwartz 2007
*/
public class NewSessionFilter implements Filter {
private Log log = LogFactory.getLog(NewSessionFilter.class);
private String url;
public void destroy() {
// empty.
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
if (request instanceof HttpServletRequest) {
HttpServletRequest httpRequest = (HttpServletRequest) request;
if (httpRequest.getMethod().equals("POST")
&& httpRequest.getSession() != null
&& !httpRequest.getSession().isNew()
&& httpRequest.getRequestURI().endsWith(url)) {
httpRequest.getSession().invalidate();
httpRequest.getSession(true);
log.info("new Session:" + httpRequest.getSession().getId());
}
}
chain.doFilter(request, response);
}
public void init(FilterConfig filterConfig) throws ServletException {
url = filterConfig.getInitParameter("url");
if (url == null) {
throw new ServletException(
"please specify parameter 'url' with login URL");
}
}
}
The web.xml:
Code:
<filter>
<display-name>NewSessionFilter</display-name>
<filter-name>NewSessionFilter</filter-name>
<filter-class>
NewSessionFilter
</filter-class>
<init-param>
<param-name>url</param-name>
<param-value>/iss/login.jsf</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>NewSessionFilter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/iss/login.jsf</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
14 years, 8 months
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3493) The EntityHome should not preserve the value of its instance property after entering a nested transaction when having the @PerNestedConversation annotation
by Francisco Jose Peredo Noguez (JIRA)
The EntityHome should not preserve the value of its instance property after entering a nested transaction when having the @PerNestedConversation annotation
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JBSEAM-3493
URL: https://jira.jboss.org/jira/browse/JBSEAM-3493
Project: Seam
Issue Type: Bug
Components: Core
Affects Versions: 2.0.2.SP1
Reporter: Francisco Jose Peredo Noguez
I have a reflective 1-n associations like
Person childof Person.
I would like to create a child from the PersonEdit.xhtml created by seam-gen then adapted by hands...
When I put @PerNestedConversation annotation to my PersonHome the behavior seems to be ok: Each conversation has it's own instance of PersonHome BUT: all of those instances is wired to the same instance of Person (the Entity)...
I've tried to trace modifications on the "instance" field of Home but it's never setted so it should stay to null and then call my createInstance() overrided method....but this never happen because (as I said) Person instance is the same as the parent conversation one....
Did I miss something?
Or is this a limitation of the CRUD framework?
nowhere on the code the field "instance" is setted so I believe this is due to javassist proxying that my eclipse debugger can't see...
If this feature isn't working how would you implement my "Create child" button to create a new Person has a child of the current conversation "personHome.instance" ?...
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
14 years, 8 months
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4267) Token-based Remember-me is not working
by Johnny Ren (JIRA)
Token-based Remember-me is not working
--------------------------------------
Key: JBSEAM-4267
URL: https://jira.jboss.org/jira/browse/JBSEAM-4267
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.2.GA, 2.1.1.GA
Environment: JBOSS 4.2.3
Reporter: Johnny Ren
Steps to reproduce the problem:
Step1: create an AuthenticationToken class as described in 15.3.5.1.
Stpe2: Modify the components.xml as described in 15.3.5.1.
<security:jpa-token-stor token-class="org.jboss.seam.example.jpa.AuthenticationToken"/>
<security:remember-me mode="autoLogin"/>
<event type="org.jboss.seam.security.notLoggedIn">
<action execute="#{redirect.captureCurrentView}"/>
<action execute="#{identity.tryLogin()}"/>
</event>
<event type="org.jboss.seam.security.loginSuccessful">
<action execute="#{redirect.returnToCapturedView}"/>
</event>
Step 3: Modify the home.xhtml under examples\jpa\view as described in 15.3.5
<div>
<h:outputLabel for="rememberMe" value="Remember me"/>
<h:selectBooleanCheckbox id="rememberMe" value="#{rememberMe.enabled}"/>
</div>
Step 4: execute ant jboss
Step 5: deploy the jboss-seam-jpa.war
Step 6: go to http://localhost:8080/jboss-seam-jpa/home.seam
Step 7: Select Remember me and use "demo/demo" to login.
Result:
javax.servlet.ServletException: #{identity.login}: org.jboss.seam.security.management.IdentityManagementException: Could not create account
package org.jboss.seam.example.jpa;
import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import org.jboss.seam.annotations.security.TokenUsername;
import org.jboss.seam.annotations.security.TokenValue;
/**
*
*/
@Entity
public class AuthenticationToken implements Serializable {
private Integer tokenId;
private String username;
private String value;
@Id @GeneratedValue
public Integer getTokenId() {
return tokenId;
}
public void setTokenId(Integer tokenId) {
this.tokenId = tokenId;
}
@TokenUsername
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
@TokenValue
public String getValue() {
return value;
}
public void setValue(String value) {
this.value = value;
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
14 years, 8 months
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3918) org.jboss.seam.security.Identity needs to be decoupled from system for testing purposes
by Dan Hinojosa (JIRA)
org.jboss.seam.security.Identity needs to be decoupled from system for testing purposes
---------------------------------------------------------------------------------------
Key: JBSEAM-3918
URL: https://jira.jboss.org/jira/browse/JBSEAM-3918
Project: Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.1.1.GA
Environment: JBoss Seam 2.1.1.GA
Reporter: Dan Hinojosa
org.jboss.seam.security.Identity cannot be used in unit testing. Unit testing being defined as an isolated (no db, no app server) test. If I provide an identity into a test, once I call assertTrue(identity.hasRole("xxx")); I get an understandable NullPointerException because there is no Seam Context available.
If I may recommend that org.jboss.seam.security.Identity be either an interface or a POJO with no dependencies as an API so TDD advocates can test their code easily. This would also fulfill Seam's idea that everything for the end user is testable.
Example Test
@Test(groups = "unit")
public void testAuthenticateSuccessWithRoles() {
Log log = createMock(Log.class);
EntityManager entityManager = createMock(EntityManager.class);
Query query = createMock(Query.class);
Calendar createdDate = Calendar.getInstance();
Calendar updatedDate = Calendar.getInstance();
User user = new User();
user.setCreatedDate(createdDate);
user.setEmail("ricardo(a)aol.com");
user.setFirstName("Ricardo");
user.setLastName("Montalban");
user.setName("rmontalban");
user.setNotes("userNotes2");
user.setPassword("passw0rd");
user.setId(220L);
user.setUpdatedDate(updatedDate);
Role role = new Role();
role.setName("mgmt");
role.setId(665L);
Calendar createdDate2 = Calendar.getInstance();
createdDate2.set(2009, 1, 15, 12, 14, 15);
role.setCreatedDate(createdDate2);
Calendar updatedDate2 = Calendar.getInstance();
updatedDate2.set(2009, 1, 17, 13, 16, 20);
role.setUpdatedDate(updatedDate2);
role.setNotes("notes");
user.addRole(role);
role.addUser(user);
Credentials credentials = new Credentials();
credentials.setUsername("rmontalban");
credentials.setPassword("passw0rd");
Identity identity = new Identity();
log.info("authenticating #0", "rmontalban");
expect(entityManager.createQuery("SELECT u from User u " +
"WHERE u.name = #{credentials.username} AND u.password = #{credentials.password}")).andReturn(query);
expect(query.getSingleResult()).andReturn(user);
replay(entityManager, query, log);
Authenticator authenticator = new Authenticator();
authenticator.setLog(log);
authenticator.setIdentity(identity);
authenticator.setEntityManager(entityManager);
authenticator.setCredentials(credentials);
assertTrue(authenticator.authenticate());
assertTrue(identity.hasRole("mgmt")); //NullPointerException here
verify(entityManager, query, log);
}
Output from the above test:
java.lang.NullPointerException
at org.jboss.seam.security.Identity.tryLogin(Identity.java:164)
at org.jboss.seam.security.Identity.hasRole(Identity.java:444)
at com.manning.mymanning.AuthenticatorTest.testAuthenticateSuccessWithRoles(AuthenticatorTest.java:128)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
14 years, 8 months
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2240) refactor for easier extensibility of seam identity: seam identiy interface + seam identity base impl
by koen handekyn (JIRA)
refactor for easier extensibility of seam identity: seam identiy interface + seam identity base impl
----------------------------------------------------------------------------------------------------
Key: JBSEAM-2240
URL: http://jira.jboss.com/jira/browse/JBSEAM-2240
Project: JBoss Seam
Issue Type: Feature Request
Components: Core
Affects Versions: 2.0.0.GA
Reporter: koen handekyn
Priority: Optional
to allow easier extensibility of the seam identity class it would be useful to have a clear seam identity interface with complementary base impl from (package org.jboss.seam.security)
use case: i'm trying to define my own seam identiy that contains as an extra parameter domain (login@domain/password).
to have a complete implementation (which also saves the domain into a cookie) i'm stuck as
1. i don't know have an interface that I should satisfy if I wanted to make an implementation from scratch
2. extending from seam idenity has some issues : i missing some protected accessors to some private members (that maybe could be protected?)
alternatively my question would be solved if i could have extension points within initFromCookie and at "setCookieValueIfEnabled( getUsername() ); from method postAuthenticate()" such that i could combine and split login and domain when saving/reading the cookie.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
14 years, 8 months