From: Erik F. <for...@ly...> - 2002-10-09 13:21:22
Hi! I'd like to build a Webware application that works like this:

1) User provides a username and a password.
2) Application binds to LDAP using the username and password.
3) Application keeps the bound LDAP object through the user's session, and destroys it only when the user logs out, or after a timeout.

I could store the users' password in the session, but that feels so very wrong - from a security point of view, I don't want to store the password anywhere if an attacker gains access to the session store.

Is this possible using the current sessions? I haven't tested it, I just thought I should ask before putting a lot of time into it :). It just feels like open network connections are hard to pickle, but I can be wrong.

If not possible, an alternate solution would be to store the LDAP connection in some kind of pool that's shared between all Servlets in a Context, and then get the right connection using information in the session (it's no problem to store the username, for example, and use that as a key - or some other session id).

Any hints on how to implement this?

\EF
--
Erik Forsberg http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9
From: Ian B. <ia...@co...> - 2002-10-09 18:12:59
On Wed, 2002-10-09 at 08:20, Erik Forsberg wrote:
> I could store the users' password in the session, but that feels so
> very wrong - from a security point of view, I don't want to store the
> password anywhere if an attacker gains access to the session store.

I'd put this sort of information in a module global -- i.e., in memory. It's fairly secure there (especially compared to something that might get pickled to disk). Treat it like a cache, and then recreate connections or such as necessary.

Ian
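The two messages above (Erik's pool-keyed-by-session idea and Ian's module-global cache) describe the same design; this added example, which is not code from the thread or from Webware, shows one way to build it. The session keeps only a random token, the bound connection lives in a process-wide pool with an idle timeout, and the password is handed to the bind function once and never retained. The `FakeLdapConnection` class and `fake_bind` function are constructed stand-ins for a real LDAP bind so the code runs offline; a real deployment would pass its own bind callable.

```python
"""Module-global pool of bound connections, keyed by an opaque token.

The session stores the token; the pool stores the connection; nobody
stores the password.  This is illustrative code, not Webware's own.
"""
import secrets
import threading
import time


class FakeLdapConnection:
    """Constructed stand-in for a bound LDAP connection (assumption: a
    real one is returned by a bind call and released with unbind())."""

    def __init__(self, username):
        self.username = username
        self.closed = False

    def unbind(self):
        self.closed = True


def fake_bind(username, password):
    """Constructed bind function: the only code that ever sees the password."""
    if (username, password) != ("alice", "s3cret"):      # constructed credential
        raise PermissionError("invalid credentials")
    return FakeLdapConnection(username)


class BoundConnectionPool:
    """Cache of live connections shared by all servlets in the process."""

    def __init__(self, timeout_seconds=900, clock=time.monotonic):
        self._timeout = timeout_seconds
        self._clock = clock             # injectable so the demo can fake time
        self._entries = {}              # token -> [connection, last_used]
        self._lock = threading.Lock()

    def bind(self, username, password, bind_fn):
        """Bind once, forget the password, return the token for the session."""
        conn = bind_fn(username, password)
        token = secrets.token_urlsafe(32)   # unguessable; safe to keep in the session
        with self._lock:
            self._entries[token] = [conn, self._clock()]
        return token

    def get(self, token):
        """Live connection for token, or None if unknown or idle past the timeout."""
        with self._lock:
            entry = self._entries.get(token)
            if entry is None:
                return None
            conn, last_used = entry
            if self._clock() - last_used > self._timeout:
                del self._entries[token]    # expired: close and forget it
                conn.unbind()
                return None
            entry[1] = self._clock()        # refresh idle timer on use
            return conn

    def logout(self, token):
        """Close and drop the connection; True if the token was live."""
        with self._lock:
            entry = self._entries.pop(token, None)
        if entry is not None:
            entry[0].unbind()
        return entry is not None

    def sweep(self):
        """Close every idle-expired connection; returns how many were closed."""
        now = self._clock()
        with self._lock:
            dead = [t for t, (_, used) in self._entries.items()
                    if now - used > self._timeout]
            for t in dead:
                conn, _ = self._entries.pop(t)
                conn.unbind()
        return len(dead)


def demo():
    """Walk through login, use, timeout, logout and sweep with a fake clock."""
    now = [1000.0]
    pool = BoundConnectionPool(timeout_seconds=60, clock=lambda: now[0])
    token = pool.bind("alice", "s3cret", fake_bind)
    session = {"ldap_token": token}             # all the session ever holds
    result = {"password_in_session": "s3cret" in repr(session)}
    result["live"] = pool.get(session["ldap_token"]) is not None
    now[0] += 30
    result["still_live"] = pool.get(session["ldap_token"]) is not None
    now[0] += 61                                # idle longer than the timeout
    result["expired"] = pool.get(session["ldap_token"]) is None
    token2 = pool.bind("alice", "s3cret", fake_bind)
    result["logout"] = pool.logout(token2)
    result["gone_after_logout"] = pool.get(token2) is None
    pool.bind("alice", "s3cret", fake_bind)
    now[0] += 61
    result["swept"] = pool.sweep()
    result["bad_token"] = pool.get("not-a-real-token") is None
    return result


if __name__ == "__main__":
    print(demo())
```

Because the token is the only thing in the session store, an attacker who reads a pickled session gets a value that is useless once the connection is closed or idle-expired, and the pool's `sweep()` can be run from a periodic task so abandoned sessions do not hold bound connections indefinitely.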
From: Matthias O. <mat...@gm...> - 2002-10-10 07:58:25
Hi! I have a similar problem to Erik's before ([Webware-discuss] Storing LDAP connections in Sessions?). Instead of an LDAP connection I have an object of class "TradingSystem". This class includes several other objects like indicators, prices and settings. Also all the calculations are done here. The user can load and save settings to the database using MiddleKit.

My problem is that I don't know where to put an object like this. I tried to add it as a session value: System crashed. It seems only values like strings or numbers can be stored here. I also tried to put it in the __init__ of the transaction but I could not figure out how to prevent it from being overwritten by the awake statement all the time. I could store all important information like memberId, settingId and recreate the TradingSystem for every new page based on these session variables but that doesn't seem to be a good idea from a performance point of view.

Erik gave me an idea with pickling. Isn't that like dumping and recreating an object to a file / session? Could that be a solution? Also an independent TradingSystem pool would be nice. Has anyone done something like that before?

Thanks in advance,
Matthias
From: Huy D. <hu...@tr...> - 2002-10-10 08:02:28
Hi, I was just wondering if there is a way to set a default action if no action was specified.

Many Thanks
Huy
From: Ian B. <ia...@co...> - 2002-10-10 19:04:21
On Thu, 2002-10-10 at 03:02, Huy Do wrote:
> I was just wondering if there is a way to set a default action if no
> action was specified.

We were just talking about this on the webware-devel list, actually. If you have a form and you want a default action, you might try adding a hidden field like <input type="hidden" name="_action_defaultAction">, and then having your .action() method return a list with "defaultAction" at the end. Then if no other action is found (and only if no other action is found) the "defaultAction" will be run.

Ian
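The mechanism Ian describes depends on the action list being consulted in order, so the hidden `_action_defaultAction` field only wins when no earlier action's field is present. This added example, which is not Webware's own dispatch code, models that rule with a constructed `FormServlet` and a `dispatch` function; the `_action_` field prefix and the ordered action list come from the message, while the servlet class, its action methods and the sample form submissions are assumptions made for the example. Real Webware may apply further rules that this model leaves out.

```python
"""Simplified model of _action_<name> form dispatch with a trailing default.

Illustrative code, not Webware's implementation.
"""

ACTION_PREFIX = "_action_"


class FormServlet:
    """Constructed servlet stand-in.  actions() lists the callable action
    names in priority order; the default sits last, as Ian suggests."""

    def __init__(self):
        self.log = []

    def actions(self):
        return ["save", "delete", "defaultAction"]

    def save(self, fields):
        self.log.append(("save", fields.get("name")))
        return "saved"

    def delete(self, fields):
        self.log.append(("delete", fields.get("name")))
        return "deleted"

    def defaultAction(self, fields):
        self.log.append(("default", fields.get("name")))
        return "default"


def dispatch(servlet, fields):
    """Run the first action in actions() order whose _action_<name> field
    is present.  Names that are not in actions() are ignored, so a form
    field cannot reach an arbitrary method on the servlet."""
    requested = {key[len(ACTION_PREFIX):]
                 for key in fields if key.startswith(ACTION_PREFIX)}
    for name in servlet.actions():
        if name in requested:
            return getattr(servlet, name)(fields)
    return None


def demo():
    """Three constructed submissions of the same form."""
    servlet = FormServlet()
    hidden = {ACTION_PREFIX + "defaultAction": ""}   # always in the form
    results = []
    # 1. The user clicked the submit button named _action_save.
    results.append(dispatch(servlet, {**hidden, "name": "x",
                                      ACTION_PREFIX + "save": "Save"}))
    # 2. The user pressed Enter in a text field: only the hidden field arrives.
    results.append(dispatch(servlet, {**hidden, "name": "y"}))
    # 3. A field names a method ("log") that is not in actions(): ignored,
    #    so the default runs instead of the unlisted method.
    results.append(dispatch(servlet, {**hidden, ACTION_PREFIX + "log": "1"}))
    return results


if __name__ == "__main__":
    print(demo())
```

Listing the default last is what makes it a fallback rather than an override: if it appeared first in `actions()`, the hidden field present in every submission would shadow every button.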
From: Ian B. <ia...@co...> - 2002-10-10 19:01:44
On Thu, 2002-10-10 at 02:58, Matthias Opitz wrote:
> Erik gave me an idea with pickling. Isn't that like dumping and recreating
> an object to a file / session? Could that be a solution? Also an independent
> TradingSystem pool would be nice. Has anyone done something like that before?

The session is already pickling your data. If you're getting a crash, it's probably because there's something unpickleable in the data -- things like network connections and file handles can't be pickled. If you are pickling a class, generally you have to be sure that all its instance variables are pickleable. There are ways you can write your class to be pickleable, though -- the pickle documentation mentions some of these.

Ian
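Ian's last sentence points at `__getstate__` and `__setstate__`, the standard pickle hooks. This added example, not code from the thread, shows a constructed `TradingSystem` stand-in that keeps plain data (member id, settings, prices) plus a live resource; a `threading.Lock` plays the role of the network connection because pickle rejects it just as it rejects a socket. The class drops the resource when pickled and reopens it lazily after unpickling, and a `NaiveTradingSystem` variant shows the crash Matthias saw when the resource is left in the state. The class names and the `_open_connection` method are assumptions for the example.

```python
"""Making an object with an unpickleable member safe for a pickling session.

Illustrative code, not the thread's or Webware's own.
"""
import pickle
import threading


class TradingSystem:
    """Constructed stand-in for Matthias's object."""

    def __init__(self, member_id, settings):
        self.member_id = member_id
        self.settings = dict(settings)
        self.prices = []
        self._connection = None        # opened lazily, never pickled

    def connection(self):
        """Return the live resource, opening it on first use (and again
        after an unpickle, since __getstate__ discards it)."""
        if self._connection is None:
            self._connection = self._open_connection()
        return self._connection

    def _open_connection(self):
        # Assumption: a real implementation reconnects here using the
        # member_id/settings that *are* pickled.  A Lock stands in for
        # the unpickleable connection object.
        return threading.Lock()

    def __getstate__(self):
        state = self.__dict__.copy()
        state["_connection"] = None    # strip the unpickleable resource
        return state

    def __setstate__(self, state):
        self.__dict__.update(state)


class NaiveTradingSystem(TradingSystem):
    """Same data, but hands the live resource to pickle: the session
    store's dump fails with TypeError, which is the crash Matthias saw."""

    def __getstate__(self):
        return self.__dict__


def round_trip(obj):
    """What a pickling session store does on save and load."""
    return pickle.loads(pickle.dumps(obj))


def demo():
    ts = TradingSystem("member-42", {"risk": 0.1})     # constructed values
    ts.connection()                                     # open the resource
    ts.prices.append(101.5)
    copy = round_trip(ts)
    result = {
        "member_id": copy.member_id,
        "prices": copy.prices,
        "connection_dropped": copy._connection is None,  # not carried over
    }
    result["reconnected"] = copy.connection() is not ts.connection()
    naive = NaiveTradingSystem("member-42", {"risk": 0.1})
    naive.connection()
    try:
        pickle.dumps(naive)
        result["naive_pickle_failed"] = False
    except TypeError:
        result["naive_pickle_failed"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Two things worth checking in your own class: everything left in the returned state must itself be pickleable (nested objects need the same treatment), and the resource must be reopened from pickled data only, since the session store may load the object in a different process than the one that saved it.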
From: Michael E. <men...@ka...> - 2002-10-11 16:47:46
For the poster of the LDAP connection question about storing in a session, you can't do it because LDAP connections aren't pickleable.

BTW, what is the logic for forcing everything that gets stored in a session to be pickled? I have built a lot of web applications and rarely do I want that functionality. Shouldn't it be an optional flag?

Mike

On Thursday, October 10, 2002, at 03:02 PM, Ian Bicking wrote:
> On Thu, 2002-10-10 at 02:58, Matthias Opitz wrote:
>> Erik gave me an idea with pickling. Isn't that like dumping and
>> recreating an object to a file / session? Could that be a solution?
>> Also an independent TradingSystem pool would be nice. Has anyone
>> done something like that before?
>
> The session is already pickling your data. If you're getting a crash,
> it's probably because there's something unpickleable in the data --
> things like network connections and file handles can't be pickled. If
> you are pickling a class, generally you have to be sure that all its
> instance variables are pickleable. There are ways you can write your
> class to be pickleable, though -- the pickle documentation mentions
> some of these.
>
> Ian
>
> _______________________________________________
> Webware-discuss mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/webware-discuss