struts-user mailing list archives

From "Nicolas De Loof" <nicolas.del...@cgey.com>
Subject Re: Configuring Struts NOT to create (unauthentified) sessions
Date Thu, 08 Jan 2004 16:36:42 GMT
I would like to set my login JSP to have this directive (<%@ page session="false" %>)
and other ones to be in WEB-INF (not visible to users).

I use an application-specific authentication.

I would like any user (friend or hacker) to get access to the (internationalized) login page,
be able to submit the login form to "/login.do", and use struts-validator to validate required
inputs. For all this no session should be created. When the user is authenticated, access to
other URIs of the application is granted by a custom processRole.

Nico.



> How are you performing authentication? Depending on the process you're using, it
> may be possible to avoid hitting any of those conditions until after it's
> successful.
>
> P.S.
> By default, a JSP will create a session if one doesn't already exist (nothing to
> do with Struts), so any pages that can be hit by unauthenticated users should do:
>
> <%@ page session="false" %>
>
> Quoting Nicolas De Loof <nicolas.deloof@cgey.com>:
>
> > I've made a grep on Struts 1.1 sources. I noticed some cases where a session
> > is created that seem to me 'uncontrolled':
> >
> >
> > RequestProcessor uses request.getSession() :
> > - in processLocale if controller is configured to use Locale (default =
> > true)
> >
> > HTMLTag uses request.getSession() :
> > - in currentLocale() : if any JSP uses <html:html> a session is created !
> >
> > o.a.s.validator.Resources uses request.getSession() :
> > - in getLocale(request) : If validator is used (for example to validate login
> > page) a session will always be created
> >
> >
> > Isn't there any way NOT to create a session for a user that hasn't been
> > authenticated ?
> >
> > Nico.
> >
> >
> >
> >
> >
> > >
> > > This is exactly what I'm looking for.
> > >
> > > For some of the applications I'm working on, my customers are paranoiac
> > > about security. I think that if an unauthenticated user is able to create
> > > a session on the server, it can expose the server to a DOS attack, because
> > > every created session will use some memory.
> > >
> > > It is really simple to write a client that sends hundreds of requests to the
> > > server. If a session is created on each request, the server will quickly be
> > > out of memory (Session object + stored objects (Locale) size).
> > >
> > > If a session is created only for authenticated users, the server will survive
> > > such a (simple) attack.
> > >
> > > Perhaps I'm wrong about this, if this scenario is stupid please tell me.
> > >
> > > For example, I've seen that RequestUtils.retrieveUserLocale() uses request
> > > scope if no session exists. This way, no session is created when displaying
> > > a login JSP that uses i18n.
> > >
> > > With locale="true" (default) a new session is created when ActionServlet
> > > processes a request. We need to set it to false to control session creation.
> > > I want to know if there are other Struts properties to set to avoid creating
> > > a new session for non-authenticated users.
> > >
> > >
> > > Nico.
> > >
> > >
> > >
> > > > Hi Manfred
> > > >
> > > > I think Nicolas is trying to find all places where Struts manipulates the
> > > > session in some way..
> > > >
> > > > Locale=True does indeed manipulate the session..thus resulting in the
> > > > session being created, if not already there.
> > > >
> > > > When no one (action, object, tag, whatever) has requested attributes to be
> > > > stored in the session, no session object will exist..Session info (cookie,
> > > > URL rewriting, etc) is only created if there are attributes on the Session
> > > > object. Am I correct on this one??
> > > >
> > > > I don't understand WHY Nicolas does not want the session to be created...Is
> > > > it because of memory usage...denial of service attacks...?
> > > >
> > > > Maybe I don't understand Nicolas either...but I did give my few pennies
> > > > away :-)
> > > >
> > > > Regards
> > > >
> > > > Henrik
> > > >
> > > > ----- Original Message ----- 
> > > > From: "Manfred Wolff" <mail@manfred-wolff.de>
> > > > To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
> > > > Sent: Thursday, January 08, 2004 3:22 PM
> > > > Subject: Re: Configuring Struts NOT to create (unauthentified) sessions
> > > >
> > > >
> > > > > Nicolas.
> > > > >
> > > > > I perhaps don't understand you. but (!) The locale attribute has nothing
> > > > > to do with creating sessions! The locale attribute tells struts to save
> > > > > a Locale-Object in the session, if there is nothing stored.
> > > > >
> > > > > Manfred
> > > > > Nicolas De Loof wrote:
> > > > >
> > > > > >Hi all,
> > > > > >
> > > > > >I would like Struts NOT to create a session for an unauthenticated
> > > > > >user. As far as I understand Struts code, I need to
> > > > > >set locale="false" in struts-config.xml <controller>.
> > > > > >
> > > > > >Is there any other Struts mechanism that can create a session
> > > > > >(excluding action-mapping declared as scope="session") ?
> > > > > >
> > > > > >Doesn't the "locale" default value (true) expose lots of struts
> > > > > >applications to attack ? (server Out of Memory because
> > > > > >too many sessions have been created - isn't this what is called
> > > > > >"Denial Of Service" ?)
> > > > > >
> > > > > >Nico.
> > > > > >
> > > > > >
> > > > >
> > > > > >---------------------------------------------------------------------
> > > > > >To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> > > > > >For additional commands, e-mail: struts-user-help@jakarta.apache.org
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > > -- 
> > > > > ===========================================
> > > > > Dipl.-Inf. Manfred Wolff
> > > > > -------------------------------------------
> > > > > phone neusta  : +49 421 20696-27
> > > > > phone         : +49 421 534522
> > > > > mobil         : +49 178 49 18 434
> > > > > eFax          : +49 1212 6 626 63 965 33
> > > > > -------------------------------------------
>
> -- 
> Kris Schneider <mailto:kris@dotech.com>
> D.O.Tech       <http://www.dotech.com/>

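The thread above asks how to keep Struts 1.1 from leaving sessions behind for clients that never log in, and worries about the memory cost when it does. The filter below is an added example written for this archive page, not code from Struts or from Nicolas's application. It lets the request run normally through ActionServlet, the JSPs and the validator, then checks whether a session was created for a client that is still anonymous; if so it logs which URI created it (the check a deployer wants after setting locale="false" on <controller> and session="false" on the public JSPs, since the log shows any place that was missed) and invalidates that session immediately so it does not sit in memory until it times out. The class name AnonymousSessionGuardFilter and the session attribute "app.user" (assumed to be what the application's own login action sets on success) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/*
 * AnonymousSessionGuardFilter: a hypothetical servlet filter (added example,
 * not part of Struts or of the application discussed in the thread).
 *
 * Struts runs unchanged inside the chain. Afterwards the filter checks whether
 * this request created a session for a client that is still anonymous; if so
 * it logs the creating URI (so a missed locale="false" or session="false" is
 * visible) and invalidates the session at once, releasing its memory instead
 * of letting it accumulate across many anonymous requests.
 *
 * web.xml mapping (Servlet 2.3, which Struts 1.1 targets):
 *   <filter>
 *     <filter-name>anonSessionGuard</filter-name>
 *     <filter-class>AnonymousSessionGuardFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>anonSessionGuard</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class AnonymousSessionGuardFilter implements Filter {

    /* Session attribute the application's own login action is assumed to set
     * on success. The attribute name is an assumption for this example. */
    public static final String USER_KEY = "app.user";

    private FilterConfig config;

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
    }

    public void destroy() {
        this.config = null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // getSession(false) never creates a session, so this probe is free.
        boolean hadSession = request.getSession(false) != null;

        chain.doFilter(req, res);   // ActionServlet, JSPs and validator run here

        HttpSession session = request.getSession(false);
        if (session == null || hadSession) {
            return;                 // this request created nothing new
        }
        if (isAuthenticated(session)) {
            return;                 // the login action just succeeded: keep it
        }

        // A fresh session for a still-anonymous client. Record where it came
        // from, then drop it so it does not linger until the session timeout.
        config.getServletContext().log("anonymous session created by "
                + request.getMethod() + " " + request.getRequestURI()
                + " (id " + session.getId() + "); invalidating");
        session.invalidate();
    }

    /* The application's login code is assumed to mark success with USER_KEY. */
    static boolean isAuthenticated(HttpSession session) {
        return session.getAttribute(USER_KEY) != null;
    }
}
```

This complements rather than replaces the settings the thread arrives at: locale="false" on <controller> and <%@ page session="false" %> on the login JSP stop most creations up front, and the log line points at whatever still creates one (the <html:html> tag and validator Resources.getLocale() mentioned above, for instance). Two caveats: the container may already have queued the Set-Cookie header for the discarded id, which is harmless because a browser presenting an unknown id simply gets no session; and a client that already held an anonymous session before the filter was deployed keeps it, since the filter only accounts for sessions created during the current request.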


