cocoon-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 31676] New: - [PATCH] HolderAwareContinuationsManagerImpl
Date Tue, 12 Oct 2004 19:44:08 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31676>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31676

[PATCH] HolderAwareContinuationsManagerImpl

           Summary: [PATCH] HolderAwareContinuationsManagerImpl
           Product: Cocoon 2
           Version: Current CVS 2.1
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: core
        AssignedTo: dev@cocoon.apache.org
        ReportedBy: ouzo@wlkp.org


This is a continuations manager that stores continuations in the session. This is 
very useful for secure web applications. I already had complaints from clients 
that they are able to invoke a continuation even after logging out and 
invalidating the session. This might be a big security risk. There might be 
different solutions to this problem (aspects in flow for example) but this one 
is the simplest. I had most of these problems using Firefox which aggressively 
caches content disregarding caching headers.

The solution is simple: store continuations in the session. This way a user can 
access only their own continuations. Session invalidation effectively removes all 
continuations associated with that session.

Please review my code.

Implementation comments:
- I have not implemented instrumentation yet.
- the manager does not log anything right now (yet)
- I provided a little patch for WebContinuation (add a helper method 
detachFromParent)
- continuations are stored in WebContinuationsHolder
- WebContinuation had to be extended with the knowledge of its holder - 
HolderAwareWebContinuation. This is needed for automatic kont expiration 
(manager has to know which holder to remove kont from)
- the continuation ids are not securely generated yet. These are just long 
integers being incremented for each continuation. To be honest there is no need 
for such strong continuation id hashing as they are secured by the session id now. 
Maybe it is good to generate user-unreadable continuation ids so users do not 
play with them :)

To use the new continuations manager, please edit your cocoon.roles file for now and 
change the role for o.a.c.components.flow.ContinuationsManager

Is there a possibility to put this code into the official release and provide a way 
to choose a continuations manager from the build.properties file? This way the user 
could choose to use simple continuation management that allows continuation 
sharing or the secure one.
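The design described in this report, as an added illustration rather than the attached patch or Cocoon's own classes: `Session`, `Continuation`, `ContinuationsHolder` and the attribute key `KEY` are stand-ins I assume here, not `HttpSession`, `WebContinuation` or `WebContinuationsHolder`. The point it shows is that a lookup is scoped to the caller's session, so an id presented after logout (or from another session) resolves to nothing, and that a continuation must know its holder so expiry can remove it from the right place.

```java
// Added illustration, not the patch's code. Session/Continuation/ContinuationsHolder
// and KEY are assumed stand-ins for the servlet and Cocoon types the report names.
import java.util.HashMap;
import java.util.Map;

final class Session {                         // minimal stand-in for HttpSession
    private final Map<String, Object> attrs = new HashMap<>();
    private boolean valid = true;
    Object getAttribute(String k) { return valid ? attrs.get(k) : null; }
    void setAttribute(String k, Object v) { attrs.put(k, v); }
    void invalidate() { attrs.clear(); valid = false; }   // drops the holder as well
}

final class Continuation {
    final long id;
    ContinuationsHolder holder;                // "holder aware": knows where it is stored
    Continuation(long id) { this.id = id; }
}

// One holder per session; a continuation never leaves the holder it was created in.
final class ContinuationsHolder {
    private final Map<Long, Continuation> byId = new HashMap<>();
    void add(Continuation c) { c.holder = this; byId.put(c.id, c); }
    Continuation get(long id) { return byId.get(id); }
    void remove(Continuation c) { byId.remove(c.id); c.holder = null; }
    int size() { return byId.size(); }
}

final class SessionContinuationsManager {
    static final String KEY = "continuations.holder";   // assumed attribute name
    private long nextId = 0;                             // plain counter, as in the report

    private ContinuationsHolder holderFor(Session s) {
        ContinuationsHolder h = (ContinuationsHolder) s.getAttribute(KEY);
        if (h == null) { h = new ContinuationsHolder(); s.setAttribute(KEY, h); }
        return h;
    }
    Continuation create(Session s) {
        Continuation c = new Continuation(++nextId);
        holderFor(s).add(c);
        return c;
    }
    // Lookup is bound to the requesting session: the same id from another session,
    // or from a session that has been invalidated, yields null.
    Continuation lookup(Session s, long id) {
        ContinuationsHolder h = (ContinuationsHolder) s.getAttribute(KEY);
        return h == null ? null : h.get(id);
    }
    // Expiry only has the continuation in hand, so it needs the holder reference.
    void expire(Continuation c) { if (c.holder != null) c.holder.remove(c); }
}
```

After `session.invalidate()`, `lookup(session, id)` returns null for every id that session created, which is the behaviour the report wants from the session-scoped manager.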
