Posted to users@tomcat.apache.org by Rick Strong <ri...@med.nyu.edu> on 2006/11/17 23:16:41 UTC

Applet -> Servlet Communication Losing Session ID Crossing Firewall

RE Tomcat 5, applet, servlet, firewall, other security.

Hi All,

Somewhat new to Applet/Servlet work, and in need of some assistance.

My app has an applet front end and a servlet back end. The user first 
contacts the servlet, which writes an HTTP response back including an 
APPLET tag, passing the JSESSIONID gotten from the session as a PARAM 
tag for the applet. In the applet, I rewrite the server's URL and append 
";jsessionid=[the session id]" before using the URL to communicate via a 
URLConnection, so that the server knows that this is still the same 
session.

This works fine as long as everyone is on one side or the other of the 
firewall, but when I put the server behind the firewall, trying to talk 
to it from outside the firewall fails (HTTP error 500). Upon debugging 
this setup, I noticed that the requestedSessionID is consistently null, 
where it normally picks up the session id I supply in the APPLET tag.

My network keepers assure me that the firewall is not blocking cookies, 
there are no proxies or NATs or anything in the way, but I'm losing the 
requested session id and as a result the server thinks that the reply 
from the applet is a request for a new session...which kills the app. Argh.

Any ideas as to how I can figure out what is mangling my applet's 
requests across the firewall? Any information very much appreciated!

Rick Strong


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Applet -> Servlet Communication Losing Session ID Crossing Firewall

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rainer and Rick,

Rainer Jung wrote:
> This way you can make sure your problem really comes from the missing
> URL part, whether your applet really tried to send it, and whether it
> gets stripped from any kind of request.

Is it possible that Rick is getting his ";jsessionid=" URL-encoded
accidentally? If you accidentally got a URL that looked like

http://server/my/path%0djsessionid%f2ABCDEF123...

(I'm sure those aren't the right codes for those characters, but you get
the idea).

... then your URL would be all messed up.

Oh, and Mike, since you are encoding the sessionid in the URL, you
aren't using cookies, so that shouldn't be a problem.

-chris




Re: Applet -> Servlet Communication Losing Session ID Crossing Firewall

Posted by Rainer Jung <ra...@kippdata.de>.
No solution, but:

1) Enable Tomcat's access log to check whether the request contains the
path parameter (validate your hypotheses)

2) Send a request that looks the way it should from the same browser,
not via the applet but directly via the address bar, and check the
access log again.

3) Could your applet show the request URL it sends in the window before
it sends it?

This way you can make sure your problem really comes from the missing
URL part, whether your applet really tried to send it, and whether it
gets stripped from any kind of request. If so, and if there is no other
component between your client and Tomcat apart from the firewall, you
need to blame the firewall admins. No proxy involved?

Regards,

Rainer


Rick Strong wrote:
> RE Tomcat 5, applet, servlet, firewall, other security.
> 
> Hi All,
> 
> Somewhat new to Applet/Servlet work, and in need of some assistance.
> 
> My app has an applet front end and a servlet back end. The user first
> contacts the servlet, which writes an HTTP response back including an
> APPLET tag, passing the JSESSIONID gotten from the session as a PARAM
> tag for the applet. In the applet, I rewrite the server's URL and append
> ";jsessionid=[the session id]" before using the URL to communicate via a
> URLConnection, so that the server knows that this is still the same
> session.
> 
> This works fine as long as everyone is on one side or the other of the
> firewall, but when I put the server behind the firewall, trying to talk
> to it from outside the firewall fails (HTTP error 500). Upon debugging
> this setup, I noticed that the requestedSessionID is consistently null,
> where it normally picks up the session id I supply in the APPLET tag.
> 
> My network keepers assure me that the firewall is not blocking cookies,
> there are no proxies or NATs or anything in the way, but I'm losing the
> requested session id and as a result the server thinks that the reply
> from the applet is a request for a new session...which kills the app. Argh.
> 
> Any ideas as to how I can figure out what is mangling my applet's
> requests across the firewall? Any information very much appreciated!
> 
> Rick Strong
> 
> 
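
Added example, not part of the original thread: a Python script for the access-log check in step 1 that also covers the percent-encoding possibility raised in Christopher Schultz's reply. It classifies each logged request by whether the `;jsessionid=` path parameter arrived intact, arrived percent-encoded, or is missing; the log lines, the `/app/servlet` path and the session id are constructed samples in common log format.

```python
import re
from urllib.parse import unquote

# Request line and status inside a common-log-format entry.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# The path parameter exactly as the applet is supposed to send it.
LITERAL_RE = re.compile(r';jsessionid=([^;?#/]+)')

def classify_target(target):
    """Return (state, session_id) for one logged request target."""
    path = target.split('?', 1)[0]          # a query-string value is not a path parameter
    m = LITERAL_RE.search(path)
    if m:
        return 'intact', m.group(1)
    # Decode once: a match that only appears now means ';' or '=' was
    # percent-encoded somewhere between the applet and Tomcat.
    m = LITERAL_RE.search(unquote(path))
    if m:
        return 'encoded', m.group(1)
    return 'missing', None

def analyze(log_lines):
    """Return [(status, state, session_id)] for every parsable log line."""
    results = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m:
            state, sid = classify_target(m.group('target'))
            results.append((m.group('status'), state, sid))
    return results

# Constructed sample entries (addresses, paths, ids and statuses are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Nov/2006:17:01:02 -0500] '
    '"POST /app/servlet;jsessionid=0123456789ABCDEF HTTP/1.1" 200 512',
    '192.0.2.10 - - [17/Nov/2006:17:01:09 -0500] '
    '"POST /app/servlet%3Bjsessionid%3D0123456789ABCDEF HTTP/1.1" 500 1203',
    '198.51.100.7 - - [17/Nov/2006:17:02:30 -0500] '
    '"POST /app/servlet HTTP/1.1" 500 1203',
]

if __name__ == '__main__':
    for status, state, sid in analyze(SAMPLE_LOG):
        print(f'{status}  {state:8}  {sid}')
```

An `encoded` result points at the client building the URL, while `missing` on requests that the applet displays with the parameter attached points at something in the network path.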