Posted to user@struts.apache.org by Hari Saptoadi <ha...@indonesian-aerospace.com> on 2005/02/17 04:53:49 UTC

problem with securityfilter

Hi all,
first I'd like to say sorry if someone already asked this question before. I'm developing a web app with Struts and Tomcat as the web server + securityfilter (securityfilter.sourceforge.net). My problem is: if someone has already logged in, and that user opens a new browser window, securityfilter can't block this request (I mean the user does not have to face the login page again). As far as I know this problem occurs because the user has the same session, and my question is how can I fix it? (I want every user to have to face the login page before using the app)

thank you for your answer ....

Re: problem with securityfilter

Posted by Hari Saptoadi <ha...@indonesian-aerospace.com>.
Thanks for your reply DW :) , what makes me concerned about this situation is,
the owner of this project doesn't want someone to be able to "bypass" security by opening
a new window from within the original window, so he "pushed" me to make it
happen

----- Original Message -----
From: "Mr Maillist" <dw...@gmail.com>
To: "Struts Users Mailing List" <us...@struts.apache.org>
Sent: Thursday, February 17, 2005 11:34 AM
Subject: Re: problem with securityfilter


> Hari,
>
> I'm not sure exactly what the concern is?  The nature of sessions
> requires that one of two options be used.  1) I can re-write all URLs
> to contain a special session key.  This key in the URL is then used by
> the servlet container to locate and unserialize the session object
> corresponding to that key.  If the client browser has cookies enabled
> then another option is available 2) the key is placed in a cookie that
> exists until the browser is closed, at which point it is deleted.  On
> each request the servlet container uses the key stored in the cookie
> to locate and unserialize the session object.
>
> With this in mind, the only time that someone could "bypass" security
> filter is if they have logged in, NEVER closed the browser, and open a
> new window from within the original window.  Once the browser has been
> closed the session key is destroyed.  The biggest risk is if your
> users are at a public terminal and just walk away without closing the
> browser.  If you provide the user with a logout option then you can
> destroy the session regardless of whether the browser has been closed
> or not.
>
> I'm not sure if this applies to SecurityFilter in general, since I
> have never used it and as I understand it, SecurityFilter simply wraps
> the container's security management.  Good Luck...
>
> DW
>
>
> On Thu, 17 Feb 2005 10:53:49 +0700, Hari Saptoadi
> <ha...@indonesian-aerospace.com> wrote:
> > Hi all,
> > first I'd like to say sorry if someone already asked this question
> > before. I'm developing a web app with Struts and Tomcat as the web server +
> > securityfilter (securityfilter.sourceforge.net). My problem is: if someone
> > has already logged in, and that user opens a new browser window, securityfilter can't
> > block this request (I mean the user does not have to face the login page again).
> > As far as I know this problem occurs because the user has the same session, and
> > my question is how can I fix it? (I want every user to have to face the login page
> > before using the app)
> >
> > thank you for your answer ....
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org




Re: problem with securityfilter

Posted by Mr Maillist <dw...@gmail.com>.
Hari,

I'm not sure exactly what the concern is?  The nature of sessions
requires that one of two options be used.  1) I can re-write all URLs
to contain a special session key.  This key in the URL is then used by
the servlet container to locate and unserialize the session object
corresponding to that key.  If the client browser has cookies enabled
then another option is available 2) the key is placed in a cookie that
exists until the browser is closed, at which point it is deleted.  On
each request the servlet container uses the key stored in the cookie
to locate and unserialize the session object.

With this in mind, the only time that someone could "bypass" security
filter is if they have logged in, NEVER closed the browser, and open a
new window from within the original window.  Once the browser has been
closed the session key is destroyed.  The biggest risk is if your
users are at a public terminal and just walk away without closing the
browser.  If you provide the user with a logout option then you can
destroy the session regardless of whether the browser has been closed
or not.

I'm not sure if this applies to SecurityFilter in general, since I
have never used it and as I understand it, SecurityFilter simply wraps
the container's security management.  Good Luck...

DW


On Thu, 17 Feb 2005 10:53:49 +0700, Hari Saptoadi
<ha...@indonesian-aerospace.com> wrote:
> Hi all,
> first I'd like to say sorry if someone already asked this question before. I'm developing a web app with Struts and Tomcat as the web server + securityfilter (securityfilter.sourceforge.net). My problem is: if someone has already logged in, and that user opens a new browser window, securityfilter can't block this request (I mean the user does not have to face the login page again). As far as I know this problem occurs because the user has the same session, and my question is how can I fix it? (I want every user to have to face the login page before using the app)
> 
> thank you for your answer ....
> 
>

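The mitigations DW describes (a logout that destroys the server-side session, and a session timeout for users who walk away from a terminal) in plain Servlet API terms, as an added example that is not part of the thread and not code from the SecurityFilter project. It assumes the login code stores a "user" attribute in the session and that /login.jsp and /logout are the paths in use; the filter and servlet still have to be mapped to the protected URL pattern in web.xml. Because all windows of one browser share the same session cookie, this does not force a fresh login per window; it bounds how long an abandoned session stays usable.

```java
// Added example (not from the thread or the SecurityFilter project).
// Assumed: a "user" session attribute set at login, login page /login.jsp.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class RequireLoginFilter implements Filter {
    static final String USER_ATTR = "user";        // assumed attribute set at login
    static final String LOGIN_PAGE = "/login.jsp"; // assumed login page
    static final int IDLE_TIMEOUT_SECONDS = 15 * 60; // assumed idle limit

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: an unauthenticated
        // request must not obtain one just by being inspected.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Stop browsers caching protected pages, so the Back button after
        // logout cannot show stale content from the old session.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }

    // Call this once credentials have been verified. Discarding any
    // pre-login session and starting a fresh one means the authenticated
    // session id is only ever issued after login; the idle timeout limits
    // how long a session left open at a public terminal remains valid.
    static void onLoginSuccess(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_ATTR, username);
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
    }
}

// Logout: invalidating the session removes it on the server, so the
// JSESSIONID the browser still holds no longer resolves to anything,
// whether or not the browser window is closed.
class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + RequireLoginFilter.LOGIN_PAGE);
    }
}
```

Logout is served on POST rather than GET so that a simple link or image prefetch cannot terminate a session by accident; the logout link in the application should submit a form.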