users@glassfish.java.net

Re: Glassfish 3.0.1 - Session Reset

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Tue, 01 Feb 2011 12:39:55 -0800

No, as the parameter in a remote EJB needs to be Serializable or primitive.
Shing Wai Chan

On 2/1/11 12:00 PM, Collins, Russell wrote:
>
> One more question about this. I understand that this is probably
> happening on a single Glassfish instance. What happens if I have two
> servers (one for web, one for remote ejbs)? Would I be able to pass an
> HttpServletRequest object to a remote ejb and have success with the
> login and SessionID? Example:
>
> import javax.ejb.Remote;
> import javax.ejb.Stateless;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
>
> @Remote
> public interface SomeRemoteInterface
> {
>     ...
>     // the web tier's request object, handed across the remote EJB boundary
>     public void login(HttpServletRequest obj, String username,
>                       String password) throws ServletException;
>     ...
> }
>
> @Stateless
> public class SomeRemoteEJB implements SomeRemoteInterface,
>                                       java.io.Serializable
> {
>     ...
>     public void login(HttpServletRequest obj, String username,
>                       String password) throws ServletException
>     {
>         // Servlet 3.0 programmatic login on the request passed in
>         obj.login(username, password);
>     }
>     ...
> }
>
> The reasoning is that I could keep the Business Logic server and
> database behind a firewall, while the Web Server is forward facing
> outside. Please let me know if that is possible.
>
>
> *Russell Collins*
>
> Sr. Software Engineer
>
> CoreLogic Spatial Solutions
>
> "Do or do not, there is no try." - Yoda
>
> *From:* Collins, Russell [mailto:rcollins_at_corelogic.com]
> *Sent:* Tuesday, February 01, 2011 1:23 PM
> *To:* users_at_glassfish.java.net
> *Subject:* RE: Glassfish 3.0.1 - Session Reset
>
> Thank you Shing and Ryan. You have been very helpful.
>
>
> *Russell Collins*
>
> Sr. Software Engineer
>
> CoreLogic Spatial Solutions
>
> "Do or do not, there is no try." - Yoda
>
> *From:* Shing Wai Chan [mailto:shing.wai.chan_at_oracle.com]
> *Sent:* Tuesday, February 01, 2011 1:09 PM
> *To:* users_at_glassfish.java.net
> *Subject:* Re: Glassfish 3.0.1 - Session Reset
>
> In 3.1, by default, the changeSessionIdAuthentication is on.
> In 3.0.1, one needs to turn on the feature explicitly.
> See http://blogs.sun.com/swchan/entry/change_session_id_on_authentication
>
> Shing Wai Chan
>
> On 2/1/11 9:33 AM, Ryan Lubke wrote:
>
> Actually, I believe GlassFish by default will assign a new session ID
> after authentication to help prevent this type of attack.
>
> From AuthenticatorBase in the web-core module:
>
> /**
> * Should the session ID, if any, be changed upon a successful
> * authentication to prevent a session fixation attack?
> */
> protected boolean changeSessionIdOnAuthentication = true;
>
> On 2/1/11 9:06 AM, Collins, Russell wrote:
>
> Maybe the proper way of asking what I need is by saying that I was
> wondering if Glassfish provided a mechanism to prevent Session
> Fixation attacks.
>
>
> *Russell Collins*
>
> Sr. Software Engineer
>
> "Do or do not, there is no try." - Yoda
>
> *From:* Collins, Russell [mailto:rcollins_at_corelogic.com]
> *Sent:* Tuesday, February 01, 2011 8:17 AM
> *To:* users_at_glassfish.java.net
> *Subject:* Glassfish 3.0.1 - Session Reset
>
> I have been given a task to research and come up with a solution
> regarding a security issue. When a user logs into our application, we
> are looking to reset the session to prevent an old session from being
> compromised. I am told that there is a facility in BEA Weblogic that
> does this. Is there a facility in Glassfish 3.0.1 that I can use that
> will do this operation or is this something that I am going to have to
> create from scratch? Any help and direction you can give me will be
> greatly appreciated.
>
> *Russell Collins*
>
> Sr. Software Engineer
>
> ------------------------------------------------------------------------
>
> ***************************
> This message may contain confidential or proprietary information
> intended only
> for the use of the addressee(s) named above or may contain information
> that is
> legally privileged. If you are not the intended addressee, or the person
> responsible for delivering it to the intended addressee, you are hereby
> notified that reading, disseminating, distributing or copying this
> message is
> strictly prohibited. If you have received this message by mistake, please
> immediately notify us by replying to the message and delete the original
> message and any copies immediately thereafter.
>
> Thank you.
> ****************************
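As an added example, not code from this thread or from GlassFish itself: the "create from scratch" route the original question asked about, for a 3.0.1 deployment where the session-ID change on authentication that Ryan and Shing describe has not been switched on. It assumes Servlet 3.0's programmatic request.login(); LoginServlet and the /home redirect target are made up for the illustration.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (not GlassFish code) for a Servlet 3.0 container
// where changeSessionIdOnAuthentication is not enabled: Servlet 3.1's
// request.changeSessionId() is unavailable, so the pre-auth session is
// invalidated and a fresh one created before the container logs the user in.
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // Rotate first, so anything the container records about the
        // authenticated user lands in an ID the client did not hold before.
        HttpSession fresh = rotateSession(req);
        // Servlet 3.0 programmatic login; throws ServletException on failure,
        // leaving only the fresh, still-anonymous session behind.
        req.login(username, password);
        fresh.setAttribute("authenticatedUser", username);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Carry the attributes of the current session (if any) into a new session
    // and invalidate the old one, so its ID is rejected server-side from now on.
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);  // new ID, new Set-Cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Copying the attributes keeps pre-login state such as a cart; if nothing from before login is worth keeping, drop the copy so that no attacker-influenced pre-auth state carries over.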