- Posted by: ShriKant Vashishtha
- Posted on: October 03 2002 00:23 EDT
I need to post the data from one web portal (WEB1) to another one (WEB2). These web portals are entirely different from each other and are on a secured connection. When a WEB1 user posts the data, WEB2 first checks whether a valid WEB2 session exists or not. If not, it prompts for login. Only when the WEB1 user establishes a valid session with WEB2 will the data be transferred to WEB2.
To transfer the data, the WEB1 user clicks on a WEB2 link, and a WEB2 window opens and the concerned screen gets displayed (if a valid WEB2 session exists) and the data transferred from WEB1 also gets displayed in this WEB2 screen.
A user of WEB1 (user id = USER1) has already established a valid session with WEB1 and he does a ctrl-n from the WEB1 browser window. ----> A new browser window (say WIN2) with the WEB1 session opens. ----> Now he logs on as a different WEB1 user (user id = USER2) in this WIN2 and then tries to post the data to WEB2 for the concerned screen. ----->
He succeeds!!!!! As the WEB2 session is already established, and that is a security breach in my view. My expectation is that if the WEB2 session is established through USER1 of WEB1, USER2 in the next window should not be able to post the data in this WEB2 session. Even if I send some user information along with the request, that does not help, as that can be hacked and modified.
Request parameter hacking ---> At the moment I am posting the data from an HTML form (from WEB1) to WEB2. In case WEB2 needs to know which user the request is coming from, I need to add some more request parameters to the form. And these parameters can be modified by taking the view source of the JSP, modifying the parameters and resubmitting to the same URL for that session.
Is there any other solution to the problem?
Another possible solution for this scenario would be to use a combination of Filters (if your Application Server is Servlet 2.3 compliant) and Tangosol's Coherence product.
Filters would allow you to verify authenticity of the user before allowing that user to post to either Web1 or Web2.
Coherence allows you to share data between applications, JVMs, or cluster nodes using a simple java.util.Map interface. Coherence also implements a locking mechanism and the JavaBean event model. It also has two "flavors" of Caching Services, Replicated and Distributed, to give you a multitude of solutions for sharing data.
Thanks for your kind response. I am sorry, but I am not in a position to use these options. My web application is on Servlet 2.2 at the moment, so I am not able to use the virtues of filters for the time being. Secondly, we don't want to use any third-party software or classes which are not freely downloadable.
With currently available resources, is there any other solution using Servlet 2.2 APIs?
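One way to address the two concerns raised in this thread (form parameters edited from "view source", and the WIN2 case where USER2 rides on a WEB2 session that USER1 opened) without filters or third-party libraries is for WEB1 to sign the posted fields server-side with a shared secret, and for WEB2 to verify the signature and additionally check that the asserted WEB1 user is the user it bound to the session at login. The helper below is an added example, not code from any of the posters; it assumes a secret key configured on both servers, a hypothetical `HandoffToken` class, and that WEB2 stores the authenticating WEB1 user id in its HttpSession when the session is created.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper shared by WEB1 and WEB2. The key is generated out of band,
// configured on both servers, and never sent to the browser.
public class HandoffToken {
    private static final long MAX_AGE_MS = 5 * 60 * 1000L; // assumed validity window

    // Length-prefix each field so "a|bc" and "ab|c" cannot produce the same message.
    private static byte[] canonical(String userId, String screen, String payload, long ts) {
        StringBuilder sb = new StringBuilder();
        for (String f : new String[] { userId, screen, payload, Long.toString(ts) }) {
            sb.append(f.length()).append(':').append(f);
        }
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // WEB1 side: computed on the server when it renders the form and emitted as a hidden
    // field. The browser can still edit the form, but any change breaks the signature.
    public static String sign(byte[] key, String userId, String screen, String payload, long ts)
            throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return toHex(mac.doFinal(canonical(userId, screen, payload, ts)));
    }

    // WEB2 side: recompute, compare in constant time, reject stale requests, and insist
    // that the WEB1 user asserted in the form is the user bound to this WEB2 session.
    // (A nonce store would additionally stop replay inside the MAX_AGE_MS window.)
    public static boolean verify(byte[] key, String userId, String screen, String payload, long ts,
            String sig, String sessionBoundUser, long now) throws Exception {
        if (ts > now || now - ts > MAX_AGE_MS) return false;
        byte[] expected = sign(key, userId, screen, payload, ts).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.UTF_8))) return false;
        return userId.equals(sessionBoundUser);
    }
}
```

In WEB2's doPost, call `verify` with the values from `request.getParameter(...)` and the user id stored in the HttpSession at WEB2 login; in the WIN2 scenario the signature (made for USER2) is valid but the session is bound to USER1, so the post is rejected.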