Home » Eclipse Projects » Remote Application Platform (RAP) » Understanding the RWT SettingStore
| Understanding the RWT SettingStore [message #653216] |
Tue, 08 February 2011 21:11  |
 Benjamin Wolff
Messages: 136
Registered: July 2009 |
Senior Member |
|
|
Hi,
i have some questions about the default SettingStore implementation that is used when RWT#getSettingStore() is called.
The difference between the SessionStore and the SettingStore, as i understand it, lies in the "lifetime" of the store. The SessionStore is bound to a (HTTP)Session, the SettingStore is not bound to the session lifetime, it is persistent over several sessions.
I always thought, that the values in the SettingStore are stored in the Cookie (as strings of basic types?!). However by looking into the implementation and the cookie, it seems that the cookie only identifies a persistent store on the (RAP) server-side. So when i put something in the SettingStore, it is locally stored and the store is idenfitied by the unique ID in the cookie? In this case, how long do the stored values or objects live in this store (when are they garbace collected)? I'm aware of the removeAttribute() methods for the SettingStore, but assuming the user has cleared his cookies and a new SettingStore is assigned...
I'm using a cookie (the SettingStore) to store a login so the user does not have to re-authenticate manually each time when he wants to login. From a security standpoint, is it possible for another user to fake a cookie by guessing a valid store ID and thus 'stealing' the login session? Moreover, is it ok to store semi-sensitive data in the SettingStore, because these values are stored on the server and not in the cookie?
Just want to be sure ;).
Greetings,
-Ben
|
|
|
| Re: Understanding the RWT SettingStore [message #653233 is a reply to message #653216] |
Tue, 08 February 2011 22:04  |
|
Hi Ben,
your understanding is right, in contrast to the session store, the
setting store is persistent. It's an extensible mechanism, i.e. you can
register your own implementation of the ISettingStore interface.
The default implementation in RWT is the FileSettingStore, which simply
stores settings in the filesystem on the server and never cleans up (you
could use a cron job to do so).
It's right, every setting store has an id which is stored in a cookie, so
settings can be hijacked by guessing the session store id and faking a
cookie. The system is only as secure as the id generation is, but that's
again up to the setting store implementation.
Does that answer your questions?
Best regards, Ralf
--
Ralf Sternberg
Twitter: @ralfstx
Blog: http://eclipsesource.com/blogs/
Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
|
|
|
| Re: Understanding the RWT SettingStore [message #653244 is a reply to message #653233] |
Wed, 09 February 2011 00:32 |
Benjamin Wolff
Messages: 136
Registered: July 2009 |
Senior Member |
|
|
Hi Ralf,
yes, that answers my question. Thank you!
I decided to switch to a real cookie solution for my use case.
I'm going to use generated (combined, salted, hashed, etc.) values
stored in Cookie objects and then added via RWT#getResponse()#addCookie().
HTTPS and secure cookies will improve automatic login security
substantially. That should suffice for now ;).
Good thing, that you clarified the behaviour of the SettingStore.
Greetings,
-Ben
Am 08.02.2011 23:04, schrieb Ralf Sternberg:
> Hi Ben,
>
> your understanding is right, in contrast to the session store, the
> setting store is persistent. It's an extensible mechanism, i.e. you can
> register your own implementation of the ISettingStore interface.
>
> The default implementation in RWT is the FileSettingStore, which simply
> stores settings in the filesystem on the server and never cleans up (you
> could use a cron job to do so).
>
> It's right, every setting store has an id which is stored in a cookie, so
> settings can be hijacked by guessing the session store id and faking a
> cookie. The system is only as secure as the id generation is, but that's
> again up to the setting store implementation.
>
> Does that answer your questions?
>
> Best regards, Ralf
>
|
|
|
| Re: Understanding the RWT SettingStore [message #731266 is a reply to message #653244] |
Fri, 30 September 2011 13:00 |
vlad crc
Messages: 7
Registered: August 2010 |
Junior Member |
|
|
Hi,
I'm experiencing an issue when using ISettingStore.
I have a RAP application which at some point stores some data with the default ISettingStore. I package the application in a WAR and deploy it to a JBoss. I use the application and on the server side I can see the file created by ISettingStore here:
d:\projects\jboss-server\1\server\dorun\work\jboss.web\localhost\pisgui-2.0.0\eclipse\workspace\.metadata\.plugins\org.eclipse.rap.ui\org.eclipse.rwt.service.FileSettingStore\1307519451218_0
All good, but if I stop JBoss the whole folder "d:\projects\jboss-server\1\server\dorun\work\jboss.web\localhost\pisgui-2.0.0\eclipse\workspace" is deleted, which is bad because the setting store file is deleted so the aim of persisting settings is vanished.
Perhaps there's something I'm missing ? Or it's a bug ?
Best regards,
Vlad Crc
[Updated on: Fri, 30 September 2011 13:52] Report message to a moderator |
|
|
Goto Forum:
Current Time: Thu Apr 25 22:50:32 GMT 2024
Powered by FUDForum. Page generated in 0.03525 seconds |
] 
Search
Help
Register
Login
Home
