GeeCON Prague 2014*
communicating between java applet and servlet

kourosh parsa
Ranch Hand

Hi.
I want to retrieve the list of user file names by sending a post request from my applet to my servlet.
In my servlet, I get the current user and make sure they are logged in like so:


The problem is that session is null when the post request arrives at the servlet.
In my applet I have used:


Does anyone know what is causing this and how to overcome it?
Thanks
William Brogden
Author and all-around good cowpoke
Rancher

How does your applet communicate the session ID in the POST request?

Bill
kourosh parsa
Ranch Hand

Apparently, it does not.
The user logs in to my page so the session is created, then the user clicks a button to access the applet. Since the applet is opened in the same browser, I hoped that it can use the cached session, but it does not.
I know one approach is to generate a temporary session string and pass it to the applet and attach it to the post requests...but is there an easier way?
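What Bill's question is driving at, shown as an added example that is not code from the original thread: the applet has to put the container's session id on its own request. Here the page that embeds the applet hands it the current session id as an applet parameter, and the applet sends that id back as the JSESSIONID cookie on its POST, so the servlet's getSession(false) finds the session the login created. The parameter name sessionId, the servlet path /listFiles, the form field action=list and the cookie name JSESSIONID (the servlet-spec default; a container can be configured to use another) are my assumptions, and the servlet half needs the servlet API (javax.servlet) on the classpath.

```java
import java.applet.Applet;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the thread. The embedding JSP is assumed to contain:
//   <applet code="FileListApplet" ...>
//     <param name="sessionId" value="<%= session.getId() %>">
//   </applet>
public class FileListApplet extends Applet {

    @Override
    public void init() {
        try {
            String sid = getParameter("sessionId");
            if (sid == null) {
                throw new IllegalStateException("page did not supply sessionId");
            }
            // Same origin as the page, so the session cookie is valid for this host.
            URL servlet = new URL(getDocumentBase(), "/listFiles");
            String names = postWithSession(servlet, sid, "action=list");
            System.out.println("user files:\n" + names);
        } catch (IOException e) {
            System.err.println("listing failed: " + e.getMessage());
        }
    }

    /** POSTs a form-encoded body, carrying the session id as the JSESSIONID cookie. */
    static String postWithSession(URL url, String sessionId, String body) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setUseCaches(false);
        // Set the cookie explicitly instead of relying on the plug-in sharing the browser's jar.
        conn.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] payload = body.getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(payload);
        }
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("server returned HTTP " + status);
        }
        StringBuilder sb = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                sb.append(line).append('\n');
            }
        }
        return sb.toString();
    }
}

// Servlet half, assumed mapped to /listFiles. The login page is assumed to have stored the
// authenticated user name under the session attribute "user".
class ListFilesServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);   // false: never create a fresh session here
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Only ever list what belongs to the session's user; the request names no user id at all.
        for (String name : UserFiles.namesOwnedBy(user)) {   // UserFiles: assumed application class
            out.println(name);
        }
    }
}
```

Two caveats go with this. The id now travels in the applet's request, so Bill's point about HTTPS applies: without it the session id is on the wire in clear. And writing session.getId() into the page makes it readable by any script on that page, which an HttpOnly cookie would otherwise prevent, so the page that carries it must be free of injection. Whether the Java Plug-in forwards the browser's cookies on its own has varied with plug-in version and browser; passing the id explicitly removes that dependence.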
William Brogden
Author and all-around good cowpoke
Rancher

Personally, I create my own user class with its own unique id system and serialize each user object to disk. That way I don't get tangled in the servlet session id system.

At its simplest that class can just hold a collection but naturally it can be much more complex.

Serializing and recovering an object to/from disk is surprisingly fast, or you can cache them.

Naturally you can keep the custom object ID in a user session, put it on forms as a hidden variable, etc etc.

Bill
kourosh parsa
Ranch Hand

Thank you William for the post. Below I reiterate the idea; please let me know if this sounds reasonable, or if you think there is any security risk.

on the client side:

-------
Inside the applet code, I send the access_id with the post method
-------
on the server side:


-----------
and my access_id is encrypted from something like this:
user_id+random_number

Note that this access_id is exposed in my HTML page, and a legitimate user could attempt to reverse engineer it to build a decryptor; then, if the IDs of other users are known, this hacker can wipe out all the data of other users.
William Brogden
Author and all-around good cowpoke
Rancher

You can always concoct a security risk scenario if the bad guy has access to your client's machine and can see the clear HTML.

Using HTTPS for critical requests will protect the critical information in transit.

What good do you think this:

will do?

I would keep the user_id unaltered and use a separate random session key so that having a particular user_id would do no good.

Bill
(ps we have a lot more experienced security experts than me hanging out on the ranch)
kourosh parsa
Ranch Hand

Thanks. I like your idea (using a separate session key). I made a session listener class which monitors the available sessions, but I also have to keep track of which session is a logged-in session...
so I have an ArrayList of the logged-in sessions.

Do you think this will work if in the future when I deploy my app on multiple servers on the cloud?
My concern is that if I have an array of 2 servers and 4 users, I get:
server1: live_sessions: {"ABC", "DEF"}
server2: live_sessions: {"GHI","JKL"}

and server1 receives a validation request for id="GHI" which fails to work because user "GHI" was monitored on the other server.
or maybe I'm wrong and servers share memory.

Sorry, this discussion is all over the place, from security to memory sharing on the cloud.

kourosh parsa
Ranch Hand

I've realized that using a session specific password (although safer) is far more complicated on a distributed system and for that reason I'll just use a decryption system with a static key and a random seed.
It's unfortunate that there is no standard method of communication between a servlet and an applet on the same domain.
Thanks for the discussions
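Bill's "keep the user_id unaltered and use a separate random session key", worked through as an added example that is not from the thread, and shaped for the multi-server case raised two posts up. Separate server JVMs do not share heap, so a per-server ArrayList of live sessions breaks as soon as a request lands on the other node; containers offer session replication or sticky sessions, but a self-verifying token sidesteps both. Every server holds the same secret HMAC key and can check a token it did not issue. The token is user_id.expiry.nonce.mac; the random nonce plays the role of the "random seed", and because changing the user_id breaks the MAC, a user who pulls their access_id out of the page can only act as themselves. An HMAC rather than encryption is the deliberate choice: encrypting user_id+random_number with a static key hides the id but gives no guarantee that a decrypted value was produced by the server. The class name AccessTokens, the 30-minute lifetime, the dot separator and the 32-byte key are my choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not from the thread. Token layout: userId.expiryMillis.nonce.mac, where
// mac = HMAC-SHA256(key, "userId.expiryMillis.nonce"). Every server loads the same key
// from its configuration; the key itself never goes to the client.
public final class AccessTokens {
    private static final String ALG = "HmacSHA256";
    private static final long LIFETIME_MS = 30L * 60 * 1000;   // assumed lifetime: 30 minutes
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final SecretKeySpec key;

    public AccessTokens(byte[] sharedKey) {
        this.key = new SecretKeySpec(sharedKey, ALG);
    }

    /** Called once at login; the result goes into the page for the applet to send back. */
    public String issue(String userId, long nowMillis) {
        if (userId.indexOf('.') >= 0) {
            throw new IllegalArgumentException("userId must not contain the separator '.'");
        }
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);   // random per token, so two logins of one user get different tokens
        String body = userId + "." + (nowMillis + LIFETIME_MS) + "." + B64.encodeToString(nonce);
        return body + "." + B64.encodeToString(mac(body));
    }

    /** Returns the user id the token was issued for, or null if it is forged, damaged or expired. */
    public String validate(String token, long nowMillis) {
        if (token == null) return null;
        int cut = token.lastIndexOf('.');   // base64url never contains '.', so this is the MAC boundary
        if (cut < 0) return null;
        String body = token.substring(0, cut);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(token.substring(cut + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Check the MAC first, in constant time, before trusting anything inside the body.
        if (!MessageDigest.isEqual(mac(body), given)) return null;
        String[] parts = body.split("\\.", -1);
        if (parts.length != 3 || parts[0].isEmpty()) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis >= expiry) return null;
        return parts[0];
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(key);
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(ALG + " unavailable", e);
        }
    }

    public static void main(String[] args) {
        byte[] sharedKey = new byte[32];
        new SecureRandom().nextBytes(sharedKey);   // in production: read from config, identical on every server
        AccessTokens server1 = new AccessTokens(sharedKey);
        AccessTokens server2 = new AccessTokens(sharedKey);   // a second node with no shared memory
        long now = System.currentTimeMillis();

        String token = server1.issue("alice", now);
        System.out.println("server2 accepts token issued by server1: "
                + "alice".equals(server2.validate(token, now)));

        // Swap in another user's id: the MAC no longer matches, so the request is refused.
        String forged = "bob" + token.substring(token.indexOf('.'));
        System.out.println("forged user id rejected: " + (server2.validate(forged, now) == null));

        // Expired tokens are rejected even though the MAC is intact.
        System.out.println("expired token rejected: " + (server1.validate(token, now + LIFETIME_MS) == null));
    }
}
```

On the servlet side the check is `String user = tokens.validate(request.getParameter("access_id"), System.currentTimeMillis())`, answering 401 when it returns null, and then scoping every file operation to that `user`: that scoping, not the token format, is what stops one user's request from touching another user's files. Two limits to keep in mind: with no shared store a token cannot be revoked before it expires, so keep the lifetime short or add a shared deny-list; and a token is still a bearer credential, so it needs HTTPS exactly as a session id does.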
 