[jboss-user] [JBoss Seam] - Re: OWASP / New Session after Login

Sat, 05 Jan 2008 12:54:53 -0800 

I found the following workaround to assure that there is a new session after a 
login: by destroying the original session before the login using a small 
filter. 

This is only a workaround as it destroys the previous session completly -- 
anything i.e. in a shopping basket will be lost (as my application doesn't have 
a shopping basket this is not a problem for me). 

A "nice" implementation in seam shouldn't have this limitation. 

I will open a ticket shortly.

Alexander. 

The Java Class:


  | /**
  |  * This filter enforces a new session whenever there is a POST, should be 
mapped
  |  * to the URL of the login page in your web.xml
  |  * @author Alexander Schwartz 2007
  |  */
  | public class NewSessionFilter implements Filter {
  |   private Log log = LogFactory.getLog(NewSessionFilter.class);
  |   
  |   private String url;
  |   
  |   public void destroy() {
  |     // empty.
  |   }
  |   
  |   public void doFilter(ServletRequest request, ServletResponse response,
  |       FilterChain chain) throws IOException, ServletException {
  |     if (request instanceof HttpServletRequest) {
  |       HttpServletRequest httpRequest = (HttpServletRequest) request;
  |       if (httpRequest.getMethod().equals("POST")
  |           && httpRequest.getSession() != null
  |           && !httpRequest.getSession().isNew()
  |           && httpRequest.getRequestURI().endsWith(url)) {
  |         httpRequest.getSession().invalidate();
  |         httpRequest.getSession(true);
  |         log.info("new Session:" + httpRequest.getSession().getId());
  |       }
  |     }
  |     chain.doFilter(request, response);
  |   }
  |   
  |   public void init(FilterConfig filterConfig) throws ServletException {
  |     url = filterConfig.getInitParameter("url");
  |     if (url == null) {
  |       throw new ServletException(
  |           "please specify parameter 'url' with login URL");
  |     }
  |   }
  |   
  | }
  | 

The web.xml:


  |     <filter>
  |             <display-name>NewSessionFilter</display-name>
  |             <filter-name>NewSessionFilter</filter-name>
  |             <filter-class>
  |                     NewSessionFilter
  |             </filter-class>
  |             <init-param>
  |                     <param-name>url</param-name>
  |                     <param-value>/iss/login.jsf</param-value>
  |             </init-param>
  |     </filter>
  |     <filter-mapping>
  |             <filter-name>NewSessionFilter</filter-name>
  |             <servlet-name>Faces Servlet</servlet-name>
  |             <url-pattern>/iss/login.jsf</url-pattern>
  |             <dispatcher>REQUEST</dispatcher>
  |     </filter-mapping>
  | 

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4117335#4117335

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4117335
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user

Reply via email to