Search Results

Search found 2 results on 1 pages for 'shrini1000'.


  • session regeneration in tomcat?

    - by shrini1000
    Hi, I am using Spring Security to secure my Java web application, which is deployed in Tomcat. I found out that it is vulnerable to session fixation attacks because Tomcat does not create a new session upon successful login. On debugging some more, here's what I found. For the following code (which is supposed to create a new session; please note, it's just a snippet and not full code):

        HttpSession session = request.getSession(false);
        session.invalidate();
        session = request.getSession(true); // we now have a new session

    I thought a new session would be created, but Tomcat simply uses the same session that got invalidated, and hence the session id does not change. I searched online and found a solution which uses a 'valve' (http://marvinsmutterings.blogspot.com/2010/02/fixing-session-fixation-in-liferay-on.html) but could not get it to work because it's looking for a JBoss logging class, and when I add it to lib, I get a reflection exception and the server doesn't start up. I'm using Tomcat 5.5.28. I will be glad to have any pointers. Please let me know if you need more details, since I don't want to make this post too long. Sincere thanks!


  • a completely decoupled OO system?

    - by shrini1000
    To make an OO system as decoupled as possible, I'm thinking of the following approach:

    1) We run an RMI/directory-like service where objects can register and discover each other. They talk to this service through an interface.
    2) We run a messaging service to which objects can publish messages and register subscription callbacks. Again, this happens through interfaces.
    3) When object A wants to invoke a method on object B, it discovers the target object's unique identity through #1 above, and publishes a message on the message service for object B.
    4) The message service invokes B's callback to give it the message.
    5) B processes the request and sends the response for A on the message service.
    6) A's callback is called and it gets the response.

    I feel this system is as decoupled as practically possible, but it has the following problems:

    1) Communication is typically asynchronous.
    2) Hence it's non-real-time.
    3) The system as a whole is less efficient.

    Are there any other practical problems where this design obviously won't be applicable? What are your thoughts on this design in general?

