users@glassfish.java.net

Re: Multiple web-apps, Domains

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Fri, 05 Jun 2009 09:55:03 -0700

Dave,

On 06/ 4/09 09:39 PM, glassfish_at_javadesktop.org wrote:
> Hi,
>
> thanks for your answer.
>
> I did not say that GlassFish has a security vulnerability. I meant that, for security reasons, we do not want to have the application produce cookies and do session tracking with them.
>
> This is in case the browser has a security vulnerability (missing updates, which we cannot check on the user's side) and someone steals the cookie and conducts a session hijacking.
>
> The problem is:
>
> A web-app is deployed and associated with a particular virtual host, and sun-web.xml contains the following values:
>
> <property name="enableCookies" value="false"/>
> <property name="enableURLRewriting" value="true"/>
>
> GlassFish V2.1 tells you on startup that urlRewriting is not yet implemented.
>

This has been fixed in the meantime, see

  https://glassfish.dev.java.net/issues/show_bug.cgi?id=4394
  ("server log message says enableURLRewriting is not supported")

for details.

> Even if enableCookies is set to false, the jsessionid won't be appended to the URL unless you really switch off cookies in the browser. We would like to ensure that the jsessionid is ALWAYS appended to the URL.
>
> It should be possible anyway to start a deployed web-app from its deployment directory: $GF-ROOT/applications/j2ee-modules/myapp
>
> If you enter this as the docroot, it is not considered in GF V2.1 and V3.
>
> The context root obviously always points to $GF-ROOT/docroot/$context-root, not to the directory where the app is deployed to.
>

There is a difference between "docroot" and "context root": "docroot" points to the physical location where your webapp and its resources are located, and is never reflected in its "context root", which is a component of the URI used to access its resources over HTTP.


Jan

> Regards,
> Dave
> [Message sent by forum member 'seagate' (seagate)]
>
> http://forums.java.net/jive/thread.jspa?messageID=349235
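As an added illustration (not code from this thread, from GlassFish, or from the poster), here is a servlet filter that records, for every request, whether the container received the session id from a cookie or from the URL, and what `encodeURL()` produces for a link under the tracking mode currently in effect. This is the mechanism behind the observation above: the container appends `;jsessionid=...` only to URLs passed through `encodeURL()`/`encodeRedirectURL()`, and only when it believes the client did not return a session cookie. The class name, log format and `/next` path are assumptions; the filter uses the `javax.servlet` API that GlassFish V2.1 and V3 implement, and it keeps the `FilterConfig` so it also works on Servlet 2.5 where `ServletRequest.getServletContext()` does not exist.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not part of the original thread or of GlassFish.
 * Logs how the inbound session id reached the container and what
 * encodeURL() does with a link under the active tracking mode.
 * Class name, log format and the "/next" link are assumptions.
 */
public class SessionTrackingAuditFilter implements Filter {

    private ServletContext context;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Kept from init() so the filter also runs on Servlet 2.5 (GlassFish V2.1).
        this.context = config.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // encodeURL() appends ";jsessionid=..." only if the container decides
        // that URL rewriting is needed for this client (Servlet spec: "if necessary").
        String encodedLink = response.encodeURL(request.getContextPath() + "/next");

        context.log(String.format(
                "session-tracking: mode=%s requestedId=%s validForThisApp=%s encodedLink=%s",
                describeTracking(request),
                request.getRequestedSessionId(),
                request.isRequestedSessionIdValid(),
                encodedLink));

        chain.doFilter(req, res);
    }

    /**
     * Returns "none", "cookie", "url", "both" or "unknown" for the inbound
     * session id. A value of "url" means the id travelled in the request line,
     * where proxies, server logs and Referer headers can pick it up.
     */
    static String describeTracking(HttpServletRequest request) {
        if (request.getRequestedSessionId() == null) {
            return "none";
        }
        boolean fromCookie = request.isRequestedSessionIdFromCookie();
        boolean fromUrl = request.isRequestedSessionIdFromURL();
        if (fromCookie && fromUrl) {
            return "both";
        }
        if (fromCookie) {
            return "cookie";
        }
        if (fromUrl) {
            return "url";
        }
        return "unknown";
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter to `/*` in web.xml to see, per request, which mechanism actually carried the id; with the sun-web.xml properties quoted above the log should show `mode=url` once rewriting is in effect. On Servlet 3.0 containers (GlassFish V3) the same choice can be made portably with `<session-config><tracking-mode>URL</tracking-mode></session-config>` in web.xml. Whichever mode is chosen, an id that appears in the URL is also present in access logs and in the Referer header of outbound links, so those logs need the same handling as the session store itself.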