communicating between java applet and servlet

 
Ranch Hand
Hi.
I want to retrieve the list of user file names by sending a post request from my applet to my servlet.
In my servlet, I get the current user and make sure they are logged in like so:


The problem is that session is null when the post request arrives at the servlet.
In my applet I have used:


Does anyone know what is causing this and how to overcome it?
Thanks
 
Author and all-around good cowpoke
How does your applet communicate the session ID in the POST request?

Bill
 
kourosh parsa
Ranch Hand
Apparently, it does not.
The user logs in to my page so the session is created, then the user clicks a button to access the applet. Since the applet is opened in the same browser, I hoped that it could use the cached session, but it does not.
I know one approach is to generate a temporary session string and pass it to the applet and attach it to the post requests...but is there an easier way?
 
William Brogden
Author and all-around good cowpoke
Personally, I create my own user class with its own unique id system and serialize each user object to disk. That way I don't get tangled in the servlet session id system.

At its simplest that class can just hold a collection but naturally it can be much more complex.

Serializing and recovering an object to/from disk is surprisingly fast, or you can cache them.

Naturally you can keep the custom object ID in a user session, put it on forms as a hidden variable, etc etc.

Bill
 
kourosh parsa
Ranch Hand
Thank you William for the post. Below I reiterate the idea and please let me know if this sounds reasonable or if you think there is any security risk, please let me know as well.

on the client side:

-------
Inside the applet code, I send the access_id with the post method
-------
on the server side:


-----------
and my access_id is encrypted from something like this:
user_id+random_number

Note that this access_id is exposed in my HTML page, and a legitimate user could attempt to reverse engineer it to make a decryption, and then, if the ids of other users are known, this hacker can wipe out all the data of other users.
 
William Brogden
Author and all-around good cowpoke
You can always concoct a security risk scenario if the bad guy has access to your client's machine and can see the clear HTML.

Using HTTPS for critical requests will protect the critical information in transit.

What good do you think this:

will do?

I would keep the user_id unaltered and use a separate random session key so that having a particular user_id would do no good.

Bill
(ps we have a lot more experienced security experts than me hanging out on the ranch)
 
kourosh parsa
Ranch Hand
Thanks. I like your idea (using a separate session key). I made a session listener class which monitors the available sessions, but I also have to keep track of which session is a logged-in session...
so I have an ArrayList of the logged-in sessions.

Do you think this will work in the future when I deploy my app on multiple servers on the cloud?
My concern is that if I have an array of 2 servers and 4 users, I get:
server1: live_sessions: {"ABC", "DEF"}
server2: live_sessions: {"GHI", "JKL"}

and server1 receives a validation request for id="GHI" which fails to work because user "GHI" was monitored on the other server.
or maybe I'm wrong and servers share memory.

Sorry, this discussion is all over the place, from security to memory sharing on the cloud.

 
kourosh parsa
Ranch Hand
I've realized that using a session-specific password (although safer) is far more complicated on a distributed system, and for that reason I'll just use a decryption system with a static key and a random seed.
It's unfortunate that there is no standard method of communication between a servlet and an applet on the same domain.
Thanks for the discussions
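
Added example, not part of the thread or any poster's code: one way to build an access id that keeps the user id unaltered, adds a random value, and can be checked by any server holding the same static key, so no per-server list of live sessions is needed. It uses an HMAC signature rather than encryption; the class and method names are hypothetical, and it assumes user ids contain no '.'.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical token format: userId.expiry.nonce.mac (user ids must not contain '.').
// The user id stays readable; altering or forging it requires the server key.
public class AccessToken {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    private static String mac(byte[] key, String payload) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64.encodeToString(hmac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Called after login; the result is what the page hands to the applet.
    static String issue(byte[] key, String userId, long ttlSeconds) throws Exception {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        long expires = System.currentTimeMillis() / 1000 + ttlSeconds;
        String payload = userId + "." + expires + "." + B64.encodeToString(nonce);
        return payload + "." + mac(key, payload);
    }

    // Returns the user id if the token is authentic and unexpired, else null.
    static String verify(byte[] key, String token) throws Exception {
        int cut = token == null ? -1 : token.lastIndexOf('.');
        if (cut < 0) return null;
        String payload = token.substring(0, cut);
        byte[] given = token.substring(cut + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = mac(key, payload).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return null; // constant-time compare
        String[] parts = payload.split("\\.");
        if (parts.length != 3) return null;
        if (Long.parseLong(parts[1]) < System.currentTimeMillis() / 1000) return null;
        return parts[0];
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32]; // constructed demo key; real servers load one shared secret
        RNG.nextBytes(key);
        String token = issue(key, "user42", 600);
        System.out.println("valid token  -> " + verify(key, token));
        String forged = token.replaceFirst("user42", "user43"); // tampered user id
        System.out.println("forged token -> " + verify(key, forged));
    }
}
```

The servlet would call `verify` on the access id posted by the applet and act only on the user id it returns, never on a user id sent separately in the request.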
 