From: Kevan Miller
To: dev@geronimo.apache.org
Subject: Re: Session creation triggered by XSS/XSRF filter
Date: Tue, 30 Jun 2009 10:40:22 -0400
In-Reply-To: <4A4A1CB6.2030503@apache.org>
References: <19C49411-7FD5-4D95-BCA9-20369A4AAAD7@gmail.com> <4A4A1CB6.2030503@apache.org>

On Jun 30, 2009, at 10:09 AM, Donald Woods wrote:

> To catch XSS/XSRF attacks, the code is run as the first item in the
> filter chain before the web app's servlet is ever reached. The
> session has to be created before the request gets to the webapp, so
> we can register the session id and a unique value before a response
> is created to protect against the XSRF attacks.

Right. I don't have a problem with this...

> Not sure why you are seeing a session get created for a non-existent
> URI, given the filter is registered in the web.xml and should have
> the same mappings applied to it. But, for the console, anything
> under the root context is accepted, as there could be any number of
> portlets registered (is this your scenario?) If so, I don't know if
> there is an easy way to change this behavior without major changes
> to how we use Pluto (like integrating the protection into Pluto) and
> we would still need the filter for the stand-alone webapps....

I don't know why we're creating a session either. But we're definitely
running the XSSXSRFFilter for the following url -- localhost:8080/nonexistenturl

Anybody interested in taking a look at this?

--kevan
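The synchronizer-token scheme Donald describes (register a session id plus a unique value before the response is produced, then require that value on later requests) can be written so that the filter itself never creates a session. The following servlet filter is an added example written for this thread; it is not Geronimo's XSSXSRFFilter, and the class, attribute and parameter names (LazySessionXsrfFilter, org.example.xsrf.token, xsrfToken) are assumptions. State-changing requests are validated against an existing session only, via getSession(false), and the session is created on demand by tokenFor() when a view actually renders a form. A request for a URI that maps to nothing therefore passes through the filter without allocating session state. It does not answer the separate question in the thread of why the filter mapping matches that URI in the first place.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Synchronizer-token XSRF filter with on-demand session creation.
 * Added example only; not Geronimo's XSSXSRFFilter. The attribute,
 * parameter and class names are assumptions made for illustration.
 */
public class LazySessionXsrfFilter implements Filter {

    /** Session attribute holding the per-session token (assumed name). */
    static final String TOKEN_ATTR = "org.example.xsrf.token";
    /** Request parameter a form must echo back (assumed name). */
    static final String TOKEN_PARAM = "xsrfToken";

    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (isStateChanging(request.getMethod())) {
            // Validate only. getSession(false) never creates a session, so a
            // forged cross-site POST, or a probe of a URI that maps to nothing,
            // cannot make the server allocate session state.
            HttpSession session = request.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            String supplied = request.getParameter(TOKEN_PARAM);
            if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid XSRF token");
                return;
            }
        }
        // Safe methods pass straight through; no session is touched here.
        chain.doFilter(request, response);
    }

    /**
     * Called by the view (JSP, portlet, template) when it renders a form that
     * needs a token. This is the only place a session is created, so a request
     * that never renders a form never gets one. Must run before the response
     * is committed, otherwise the container cannot send the session cookie.
     */
    public static String tokenFor(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        // Serialise token creation so two concurrent renders in one session
        // do not hand out different tokens and cause a spurious 403 later.
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];           // 256 bits from a CSPRNG
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_ATTR, token);
            }
            return token;
        }
    }

    /** Safe methods (RFC 7231 section 4.2.1) are not checked; everything else is. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method) || "TRACE".equals(method));
    }

    /**
     * MessageDigest.isEqual compares equal-length inputs in constant time, so a
     * client cannot learn the token byte by byte from response timing.
     */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

A form that performs a state change embeds the token with something like `<input type="hidden" name="xsrfToken" value="<%= LazySessionXsrfFilter.tokenFor(request) %>">` in the JSP (the parameter name is the assumed one above), and the filter is mapped in web.xml ahead of any other filter as Donald describes. The trade-off is that the first request to render such a form is where the session gets created, rather than the first request of any kind; with the eager design in the thread, any URL covered by the filter mapping, including one that maps to nothing, costs a session.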