Currently the sslext library will copy request attributes
into the session in the event it detects a scheme
change is needed, i.e. moving in and out of https. When
the request comes back to the server it detects that
there is a special session attribute containing the
request data and it moves it back to the request. This
can be a very dangerous operation and is not always
desired. I would like for this to be made configurable.
Reason: If you have some objects in your request that
are dependent on the request state then that state
could change after the redirect and you may have stale
data in the request. Also, if by chance some object in
the request through the object graph had a reference to
the request then after the redirect this would return
null. The assumption of the developer is that the data in
the request is only valid for a request and would not be
present if there were a redirect. This "feature" of
copying the data from request to session and back
again breaks that contract and can/has created side
effects. One last point is that a lot of session
mechanisms require that the session objects be
serializable. However, objects in the request need not
be. Putting non-serializable objects in the session can
cause major problems for these session persistence
mechanisms.
Since I am not a developer on this project I cannot
submit the changes I made back to the project as a cvs
commit. Essentially I just added a configuration option
to the plugin that allows you to specify
preserveRequestAttributes (true/false). Now the
SecureRequestUtils checks for this before attempting to
copy the attributes to and from the session. It may be
desirable to have this option on a per-action basis.
Another possibility would be to refactor the static library
for SecureRequestUtils so that developers can extend it
to enhance the functionality as needed.
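The behaviour described above, as an added example that is not sslext's own SecureRequestUtils code and was not posted by the requester: a small helper that copies request attributes into the session before a scheme-change redirect and restores them on the next request, but only when a preserveRequestAttributes flag is set, only for Serializable values, and only once (the saved map is removed from the session as soon as it is restored, so stale data cannot resurface on later requests). The class name, the session key string and the method names are assumptions made for this illustration; the javax.servlet calls are the standard Servlet API.

```java
import java.io.Serializable;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of sslext) showing how the proposed
 * preserveRequestAttributes option would gate the request-to-session copy.
 */
public final class RequestAttributePreserver {
    // Assumed session key; sslext's real attribute name is not used here.
    static final String SAVED_KEY = "example.sslext.savedRequestAttributes";

    // Mirrors the proposed plugin option preserveRequestAttributes (true/false).
    private final boolean preserveRequestAttributes;

    public RequestAttributePreserver(boolean preserveRequestAttributes) {
        this.preserveRequestAttributes = preserveRequestAttributes;
    }

    /**
     * Called just before the scheme-change redirect is issued.
     * Returns the number of attributes that were saved (0 when disabled).
     */
    public int saveBeforeRedirect(HttpServletRequest request) {
        if (!preserveRequestAttributes) {
            return 0; // option off: request data stays request-scoped, as the developer expects
        }
        Map<String, Object> saved = new HashMap<>();
        Enumeration<String> names = request.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            Object value = request.getAttribute(name);
            // Session stores that persist or replicate sessions serialize their contents,
            // so only Serializable values are copied; anything else is left behind rather
            // than breaking the session mechanism. (Only the top-level object is checked;
            // a Serializable object that references non-serializable state, e.g. the
            // request itself, will still fail at serialization time.)
            if (value instanceof Serializable) {
                saved.put(name, value);
            }
        }
        if (!saved.isEmpty()) {
            // HashMap is itself Serializable, so the whole bundle can be stored.
            request.getSession(true).setAttribute(SAVED_KEY, saved);
        }
        return saved.size();
    }

    /**
     * Called on the request that arrives after the redirect.
     * Returns the number of attributes restored (0 when disabled or nothing saved).
     */
    @SuppressWarnings("unchecked")
    public int restoreAfterRedirect(HttpServletRequest request) {
        if (!preserveRequestAttributes) {
            return 0;
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return 0;
        }
        Object saved = session.getAttribute(SAVED_KEY);
        // One-shot: remove the bundle immediately so stale request data cannot be
        // re-applied to an unrelated later request in the same session.
        session.removeAttribute(SAVED_KEY);
        if (!(saved instanceof Map)) {
            return 0;
        }
        Map<String, Object> map = (Map<String, Object>) saved;
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            request.setAttribute(entry.getKey(), entry.getValue());
        }
        return map.size();
    }
}
```

With the flag left at false the helper is a no-op and the request contract the post describes (attributes live only for one request) is preserved; with it set to true the copy still refuses non-serializable values and never leaves the saved bundle in the session after restoring it. A per-action variant, as the post suggests, would just construct the helper with the action's own setting instead of one plugin-wide value.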
user_id=593637
I realize it's been a while, but I would be interested in
seeing the code change you made. Assuming it is brilliant in
concept and execution, I will incorporate it into sslext.
Thanks.