The site I'm currently working on is using session tracking for security. Basically, if no session is found the servlet kicks out an error page to the potential invader. Works just fine, but one thing just bit me in the you-know-what. I'm installing a copy of Infopop's Ultimate Bulletin Board (same as this one) in the site. The problem is that by using session tracking for the site I've eliminated normal security measures (a la .htaccess). I don't want anyone to be able to just drop the URL of the BB into their browser & get to it, as it is in a members-only area. I was thinking of adding a quick session validation servlet with a redirect for all of the links on the site, but that really doesn't solve the problem of an outside person getting the URL & coming in at will. I spoke to Infopop & they said it may be possible to pick up the session from CGI, but they don't have a clue how to do anything in servlets (all Perl folks). Anyone here have a clue if this is possible & if so how to do it.....Anybody here fluent in Perl & Java? I semi-understand Perl but not enough to do this.
If I understand you correctly, you want both to support sessions, JSP style, and have the UBB as the content. In principle, it is not a big deal; as soon as you have a session, the session id is in the cookie, and you can retrieve the session object in your servlet; nobody can prevent you from redirecting the user to the page he/she is supposed to read. I think, though, there is a different problem: when a user logs in, it is into UBB; your servlet does not, generally speaking, know whether the user is logged in or not. On the other hand, UBB is not such a mystery; what can be done in Perl can be done in Java (with code 20 times as long). But your servlet has to have access to UBB session "objects" to synchronize its own session objects.
Sorry for taking so long to get back here.....been one of those weeks. I think you're confusing my point here somewhat. The UBB software is a stand-alone product written in Perl. The rest of the site is servlets. What I'm curious about is if anyone knows if Perl can retrieve Java session objects & parse their values to then check against the DB. Or, if no session exists, they have to be directed to an illegal-entry page that shuts them out of the UBB completely. I'm doing this in the rest of the site very effectively by using req.getSession(false); & then checking if the session is null. If it is, they are locked out of everything.
Exactly how Java server session info is stored and managed is server-specific, I believe. So what you're going to need to do is have the Perl code talk to the Java server. As a rough stab at it, I'd make a servlet that would return the session variables of interest (possibly encrypted) and secure it so that it could not be invoked from an external client, then have the Perl server invoke that app for validation purposes. Another possibility is Java Perl Lingo (JPL), which allows Perl to talk to Java. Finally, for a major-league system, you might investigate one of the commercial offerings for single-point securing of multiple systems and tie everything to that, instead.
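One way to build the "validation servlet that cannot be invoked from an external client" suggested in the answer above. This is an added example, not code from the thread or from UBB. It assumes the Perl CGI runs on the same host as the servlet container and forwards the browser's session cookie (the JSESSIONID) in its own HTTP request to this servlet, so the container resolves that cookie to the very session the rest of the site created. The attribute names userId and role, the X-Internal-Secret header, and the sharedSecret init-param are assumptions made for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: an internal-only session validation servlet.
// The Perl side calls it over loopback, forwarding the user's Cookie header,
// and gets back either 401/403 or the handful of session attributes it needs.
public class SessionCheckServlet extends HttpServlet {

    // Assumption: the shared secret is configured as an init-param in web.xml,
    // so it is never hard-coded in the class file.
    private byte[] sharedSecret;

    public void init() throws ServletException {
        String s = getServletConfig().getInitParameter("sharedSecret");
        if (s == null || s.length() == 0) {
            throw new ServletException("sharedSecret init-param is required");
        }
        sharedSecret = s.getBytes();
    }

    // Assumption: Perl and Java run on the same box, so only loopback callers are allowed.
    private static boolean isLocalCaller(HttpServletRequest req) {
        String addr = req.getRemoteAddr();
        return "127.0.0.1".equals(addr)
            || "::1".equals(addr)
            || "0:0:0:0:0:0:0:1".equals(addr);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Fail closed: the caller must be local AND present the shared secret.
        // MessageDigest.isEqual avoids leaking the secret through timing differences.
        String presented = req.getHeader("X-Internal-Secret");
        boolean secretOk = presented != null
            && MessageDigest.isEqual(presented.getBytes(), sharedSecret);
        if (!isLocalCaller(req) || !secretOk) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Same check the rest of the site uses: getSession(false) never creates
        // a session, so an unknown or expired cookie yields null and a 401.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Return only the attributes the bulletin board needs, never the whole session,
        // and forbid caching so a proxy cannot replay a positive answer.
        resp.setContentType("text/plain");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.println("userId=" + session.getAttribute("userId"));
        out.println("role=" + session.getAttribute("role"));
    }
}
```

On the Perl side the CGI takes the browser's Cookie header from $ENV{HTTP_COOKIE}, sends a GET to http://127.0.0.1/... with that Cookie header plus X-Internal-Secret, and shows the illegal-entry page unless it gets a 200 back. Two caveats a practitioner should keep in mind: the session id is the user's credential, so the hop from Perl to the servlet must stay on loopback (or TLS) and the response must never be logged; and the loopback check alone is not enough if any other process on that host can make HTTP requests, which is why the shared secret is required as well.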