
Security issue with AJAX call

I have an application deployed on Tomcat 9.0.8 that displays several pages with select fields that contain a large number of items.  To expedite displaying these pages, I load the select boxes via an AJAX call.  In my latest build, the AJAX call is not working.  It appears that the logged-in user's session is not being carried over in the AJAX call.  If I debug the script, the result of the call doesn't contain the expected XML, it contains the login page.  If I exempt the XML source from the security constraints, the XML loads as expected.  Am I missing something on how AJAX and authentication are supposed to work?
I tried to simplify the code as much as possible:
demoPage.jsp


testData.xml


The security section of web.xml:

Note that if the data web resource is commented out, the data loads fine.  If it is uncommented, the data does not load.
Note that for testing purposes, I'm using the built-in Tomcat user database.  You should have an entry for the role and a user in $TOMCAT_HOME/conf/tomcat-users.xml like the following:

Filename: AjaxDemo.zip
Description: Application source that demonstrates the above issue
File size: 21 Kbytes
 
Joe Ess
I had tried experimenting with the various security options available in Tomcat last month, so I figured something was configured wrong.  I installed Tomcat fresh and the demo app works fine with full constraints.  
I went back to my security notes and the first step is to change the session-config setting in the $TOMCAT_HOME/conf/web.xml file to the following:


With the cookie-config set up this way, the app does not work.  I commented out the "secure" tag and the app works fine.  ¯\_(ツ)_/¯
Since this application is an internal network app, I can safely leave these options out.  

 
Joe Ess
I think I've gotten to the bottom of this.  It turns out that secure cookies are not sent to the server with an HTTP request (see here and here).
I tried the demo with HTTPS and it works fine with secure cookies.  
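The behaviour worked out across the thread, as an added example that is not part of the original posts or of the attached AjaxDemo application: a browser only attaches a cookie carrying the Secure attribute to requests over https, so once conf/web.xml marks JSESSIONID as secure, an XMLHttpRequest to an http URL arrives at Tomcat with no session cookie, the security constraint kicks in, and FORM authentication hands back the login page instead of the XML. The cookie jar, host name (intranet.example), context path (/AjaxDemo), session id and response bodies below are constructed; the cookie selection models the browser per RFC 6265 section 5.4 (simplified to exact host match and prefix path match), and the server side is a stand-in for the container, not Tomcat code. The last function is the check the original script was missing: verify the response is XML before handing it to the select-box loader, so a returned login page is reported rather than failing silently.

```javascript
// Constructed cookie jar: what the browser would hold after logging in to
// a Tomcat whose conf/web.xml sets <cookie-config><secure>true</secure>.
const COOKIE_JAR = [
  { name: "JSESSIONID", value: "A1B2C3D4", domain: "intranet.example",
    path: "/AjaxDemo", secure: true, httpOnly: true },
  { name: "theme", value: "dark", domain: "intranet.example",
    path: "/", secure: false, httpOnly: false },
];

// RFC 6265 path-match: exact match, or prefix ending at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Browser-side cookie selection (RFC 6265 section 5.4, simplified):
// host must match, path must match, and a Secure cookie is only sent
// when the request itself travels over https.
function cookiesForRequest(jar, requestUrl) {
  const url = new URL(requestUrl);
  const secureChannel = url.protocol === "https:";
  return jar
    .filter((c) => c.domain === url.hostname)
    .filter((c) => pathMatches(url.pathname, c.path))
    .filter((c) => !c.secure || secureChannel)
    .map((c) => `${c.name}=${c.value}`);
}

// Stand-in for the container serving a resource under a security
// constraint with FORM auth: a recognised session gets the XML, anything
// else gets the login page. Both bodies are constructed placeholders.
function serveConstrainedResource(cookieHeader, sessionId) {
  const authenticated = cookieHeader.split("; ").includes(`JSESSIONID=${sessionId}`);
  if (authenticated) {
    return { status: 200, contentType: "text/xml;charset=UTF-8",
      body: '<?xml version="1.0"?><items><item>one</item><item>two</item></items>' };
  }
  return { status: 200, contentType: "text/html;charset=UTF-8",
    body: '<html><body><form action="j_security_check">...</form></body></html>' };
}

// Client-side guard: the login page is HTML, the data is XML. Checking the
// media type (ignoring charset parameters) catches the substitution even
// though the status is 200 in both cases.
function isExpectedXml(response) {
  const mediaType = (response.contentType || "").split(";")[0].trim().toLowerCase();
  return response.status === 200 &&
    (mediaType === "text/xml" || mediaType === "application/xml");
}

// One simulated AJAX round trip: pick cookies as the browser would, let the
// container answer, and report whether usable XML came back.
function fetchSelectData(requestUrl, jar = COOKIE_JAR, sessionId = "A1B2C3D4") {
  const cookieHeader = cookiesForRequest(jar, requestUrl).join("; ");
  const response = serveConstrainedResource(cookieHeader, sessionId);
  return { cookieHeader, gotXml: isExpectedXml(response), response };
}

// Same resource, two schemes: over http the Secure JSESSIONID is withheld
// and the login page comes back; over https the XML loads.
const HTTP_URL = "http://intranet.example/AjaxDemo/data/testData.xml";
const HTTPS_URL = "https://intranet.example/AjaxDemo/data/testData.xml";
for (const u of [HTTP_URL, HTTPS_URL]) {
  const r = fetchSelectData(u);
  console.log(`${u}\n  Cookie: ${JSON.stringify(r.cookieHeader)}  gotXml: ${r.gotXml}`);
}
```

In a real page the check belongs in the XMLHttpRequest or fetch handler, reading the Content-Type response header; a login page arriving where XML was expected is the signal that the session cookie did not travel, which is exactly what the thread traced back to the Secure attribute and the http URL.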
 