users@glassfish.java.net

RE: Glassfish 3.0.1 - Session Reset

From: Collins, Russell <rcollins_at_corelogic.com>
Date: Tue, 1 Feb 2011 14:00:19 -0600

One more question about this. I understand that this is probably happening on a single Glassfish instance. What happens if I have two servers (one for web, one for remote ejbs)? Would I be able to pass a HttpServletRequest object to a remote ejb and have success with the login and SessionID? Example:


import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@Remote
public interface SomeRemoteInterface
{
    ...
    // HttpServletRequest.login() is the Servlet 3.0 programmatic login; it
    // throws ServletException when authentication fails, so the remote
    // method has to declare it (or wrap it).
    void login(HttpServletRequest obj, String username, String password)
            throws ServletException;
    ...
}


@Stateless
public class SomeRemoteEJB implements SomeRemoteInterface, java.io.Serializable
{
    ...

    public void login(HttpServletRequest obj, String username, String password)
            throws ServletException
    {
        obj.login(username, password);
    }
    ...

}

The reasoning is that I could keep the Business Logic server and database behind a firewall, while the Web Server is forward facing outside. Please let me know if that is possible.



Russell Collins
Sr. Software Engineer
CoreLogic Spatial Solutions

"Do or do not, there is no try." - Yoda
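An added example, not code from any message in this thread and not GlassFish's own AuthenticatorBase logic, showing the application-level equivalent of the behaviour Ryan and Shing describe further down: the session that existed before authentication (the one an attacker could have fixed) is discarded and a fresh, container-generated ID is issued around a Servlet 3.0 programmatic login. The servlet name, the /login mapping, the j_username/j_password parameter names and the CARRY_OVER attribute list are assumptions for the example; the realm is whatever the application already has configured.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet (assumed name and URL mapping) that defends
 * against session fixation inside the application, independently of whether
 * the container's changeSessionIdOnAuthentication flag is turned on.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Attributes that are safe to keep across the rotation (assumed for this
    // example). Everything else in the pre-login session is dropped so that
    // nothing an attacker could have pre-seeded survives authentication.
    private static final Set<String> CARRY_OVER = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("locale", "returnTo")));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");   // assumed parameter names
        String pass = req.getParameter("j_password");

        // Rotate BEFORE authenticating so that the container registers the
        // new principal in the fresh session rather than in the one the
        // client arrived with. Invalidating after login() instead can throw
        // away the principal the container cached in the session and log
        // the user straight back out on the next request.
        rotateSession(req);

        try {
            // Servlet 3.0 programmatic login against the configured realm;
            // the spec says it throws ServletException on failure.
            req.login(user, pass);
        } catch (ServletException notAuthenticated) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /**
     * Invalidate the current session (if there is one) and start a new one
     * with a container-generated ID, carrying over only the CARRY_OVER
     * attributes. Returns the new session.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                if (CARRY_OVER.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();   // the previously known ID is now dead server-side
        }
        HttpSession fresh = req.getSession(true);   // new, unpredictable ID
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

On a Servlet 3.1 or later container the same effect is available in one call, HttpServletRequest.changeSessionId(), which keeps the attributes and only swaps the identifier; GlassFish 3.0.1 is a Servlet 3.0 container, so the invalidate-and-recreate pattern above is the portable option there. When the container's own flag is on it performs the ID change for container-managed authentication anyway, so the application-level rotation is a belt-and-braces measure rather than a replacement.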

From: Collins, Russell [mailto:rcollins_at_corelogic.com]
Sent: Tuesday, February 01, 2011 1:23 PM
To: users_at_glassfish.java.net
Subject: RE: Glassfish 3.0.1 - Session Reset

Thank you Shing and Ryan. You have been very helpful.


Russell Collins
Sr. Software Engineer
CoreLogic Spatial Solutions

"Do or do not, there is no try." - Yoda

From: Shing Wai Chan [mailto:shing.wai.chan_at_oracle.com]
Sent: Tuesday, February 01, 2011 1:09 PM
To: users_at_glassfish.java.net
Subject: Re: Glassfish 3.0.1 - Session Reset

In 3.1, by default, the changeSessionIdAuthentication is on.
In 3.0.1, one needs to turn on the feature explicitly.
See http://blogs.sun.com/swchan/entry/change_session_id_on_authentication

Shing Wai Chan

On 2/1/11 9:33 AM, Ryan Lubke wrote:
Actually, I believe GlassFish by default will assign a new session ID after authentication to help prevent this type of attack.

From AuthenticatorBase in the web-core module:

   /**
     * Should the session ID, if any, be changed upon a successful
     * authentication to prevent a session fixation attack?
     */
    protected boolean changeSessionIdOnAuthentication = true;

On 2/1/11 9:06 AM, Collins, Russell wrote:
Maybe the proper way of asking what I need is by saying that I was wondering if Glassfish provided a mechanism to prevent Session Fixation attacks.


Russell Collins
Sr. Software Engineer

"Do or do not, there is no try." - Yoda

From: Collins, Russell [mailto:rcollins_at_corelogic.com]
Sent: Tuesday, February 01, 2011 8:17 AM
To: 'users_at_glassfish.java.net'
Subject: Glassfish 3.0.1 - Session Reset

I have been given a task to research and come up with a solution regarding a security issue. When a user logs into our application, we are looking to reset the session to prevent an old session from being compromised. I am told that there is a facility in BEA Weblogic that does this. Is there a facility in Glassfish 3.0.1 that I can use that will do this operation or is this something that I am going to have to create from scratch? Any help and direction you can give me will be greatly appreciated.


Russell Collins
Sr. Software Engineer


________________________________
***************************
This message may contain confidential or proprietary information intended only
for the use of the addressee(s) named above or may contain information that is
legally privileged. If you are not the intended addressee, or the person
responsible for delivering it to the intended addressee, you are hereby
notified that reading, disseminating, distributing or copying this message is
strictly prohibited. If you have received this message by mistake, please
immediately notify us by replying to the message and delete the original
message and any copies immediately thereafter.

Thank you.
****************************
