Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Remote Application Platform (RAP) » Understanding the RWT SettingStore
Understanding the RWT SettingStore [message #653216] Tue, 08 February 2011 21:11 Go to next message
Benjamin Wolff is currently offline Benjamin WolffFriend
Messages: 115
Registered: July 2009
Senior Member
Hi,

i have some questions about the default SettingStore implementation that is used when RWT#getSettingStore() is called.
The difference between the SessionStore and the SettingStore, as i understand it, lies in the "lifetime" of the store. The SessionStore is bound to a (HTTP)Session, the SettingStore is not bound to the session lifetime, it is persistent over several sessions.

I always thought, that the values in the SettingStore are stored in the Cookie (as strings of basic types?!). However by looking into the implementation and the cookie, it seems that the cookie only identifies a persistent store on the (RAP) server-side. So when i put something in the SettingStore, it is locally stored and the store is idenfitied by the unique ID in the cookie? In this case, how long do the stored values or objects live in this store (when are they garbace collected)? I'm aware of the removeAttribute() methods for the SettingStore, but assuming the user has cleared his cookies and a new SettingStore is assigned...

I'm using a cookie (the SettingStore) to store a login so the user does not have to re-authenticate manually each time when he wants to login. From a security standpoint, is it possible for another user to fake a cookie by guessing a valid store ID and thus 'stealing' the login session? Moreover, is it ok to store semi-sensitive data in the SettingStore, because these values are stored on the server and not in the cookie?

Just want to be sure ;).

Greetings,
-Ben
Re: Understanding the RWT SettingStore [message #653233 is a reply to message #653216] Tue, 08 February 2011 22:04 Go to previous messageGo to next message
Ralf Sternberg is currently offline Ralf SternbergFriend
Messages: 1313
Registered: July 2009
Senior Member

Hi Ben,

your understanding is right, in contrast to the session store, the
setting store is persistent. It's an extensible mechanism, i.e. you can
register your own implementation of the ISettingStore interface.

The default implementation in RWT is the FileSettingStore, which simply
stores settings in the filesystem on the server and never cleans up (you
could use a cron job to do so).

It's right, every setting store has an id which is stored in a cookie, so
settings can be hijacked by guessing the session store id and faking a
cookie. The system is only as secure as the id generation is, but that's
again up to the setting store implementation.

Does that answer your questions?

Best regards, Ralf

--
Ralf Sternberg

Twitter: @ralfstx
Blog: http://eclipsesource.com/blogs/

Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
Re: Understanding the RWT SettingStore [message #653244 is a reply to message #653233] Wed, 09 February 2011 00:32 Go to previous messageGo to next message
Benjamin Wolff is currently offline Benjamin WolffFriend
Messages: 115
Registered: July 2009
Senior Member
Hi Ralf,

yes, that answers my question. Thank you!

I decided to switch to a real cookie solution for my use case.
I'm going to use generated (combined, salted, hashed, etc.) values
stored in Cookie objects and then added via RWT#getResponse()#addCookie().
HTTPS and secure cookies will improve automatic login security
substantially. That should suffice for now ;).

Good thing, that you clarified the behaviour of the SettingStore.

Greetings,
-Ben


Am 08.02.2011 23:04, schrieb Ralf Sternberg:
> Hi Ben,
>
> your understanding is right, in contrast to the session store, the
> setting store is persistent. It's an extensible mechanism, i.e. you can
> register your own implementation of the ISettingStore interface.
>
> The default implementation in RWT is the FileSettingStore, which simply
> stores settings in the filesystem on the server and never cleans up (you
> could use a cron job to do so).
>
> It's right, every setting store has an id which is stored in a cookie, so
> settings can be hijacked by guessing the session store id and faking a
> cookie. The system is only as secure as the id generation is, but that's
> again up to the setting store implementation.
>
> Does that answer your questions?
>
> Best regards, Ralf
>
Re: Understanding the RWT SettingStore [message #731266 is a reply to message #653244] Fri, 30 September 2011 13:00 Go to previous message
vlad crc is currently offline vlad crcFriend
Messages: 7
Registered: August 2010
Junior Member
Hi,

I'm experiencing an issue when using ISettingStore.

I have a RAP application which at some point stores some data with the default ISettingStore. I package the application in a WAR and deploy it to a JBoss. I use the application and on the server side I can see the file created by ISettingStore here:

d:\projects\jboss-server\1\server\dorun\work\jboss.web\localhost\pisgui-2.0.0\eclipse\workspace\.metadata\.plugins\org.eclipse.rap.ui\org.eclipse.rwt.service.FileSettingStore\1307519451218_0

All good, but if I stop JBoss the whole folder "d:\projects\jboss-server\1\server\dorun\work\jboss.web\localhost\pisgui-2.0.0\eclipse\workspace" is deleted, which is bad because the setting store file is deleted so the aim of persisting settings is vanished.

Perhaps there's something I'm missing ? Or it's a bug ?

Best regards,
Vlad Crc

[Updated on: Fri, 30 September 2011 13:52]

Report message to a moderator

Previous Topic:Problems with default i18n bundle
Next Topic:PhaseListener after phase 'PROCESS_ACTION'
Goto Forum:
  


Current Time: Wed Oct 20 02:00:26 GMT 2021

Powered by FUDForum. Page generated in 0.01439 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top