Security issue with AJAX call

 
I have an application deployed on Tomcat 9.0.8 that displays several pages with select fields that contain a large number of items.  To expedite displaying these pages, I load the select boxes via an AJAX call.  In my latest build, the AJAX call is not working.  It appears that the logged-in user's session is not being carried over in the AJAX call.  If I debug the script, the result of the call doesn't contain the expected XML, it contains the login page.  If I exempt the XML source from the security constraints, the XML loads as expected.  Am I missing something on how AJAX and authentication are supposed to work?
I tried to simplify the code as much as possible:
demoPage.jsp


testData.xml


The security section of web.xml:

Note that if the data web resource is commented out, the data loads fine.  If it is uncommented, the data does not load.
Note that for testing purposes, I'm using the built-in Tomcat user database.  You should have an entry for the role and a user in $TOMCAT_HOME/conf/tomcat-users.xml like the following:

Filename: AjaxDemo.zip
Description: Application source that demonstrates the above issue
File size: 21 Kbytes
 
Joe Ess
I had tried experimenting with the various security options available in Tomcat last month, so I figured something was configured wrong.  I installed Tomcat fresh and the demo app works fine with full constraints.  
I went back to my security notes and the first step is to change the session-config setting in the $TOMCAT_HOME/conf/web.xml file to the following:


With the cookie-config set up this way, the app does not work.  I commented out the "secure" tag and the app works fine.  ¯\_(ツ)_/¯
Since this application is an internal network app, I can safely leave these options out.  

 
Joe Ess
I think I've gotten to the bottom of this.  It turns out that secure cookies are not sent to the server with an HTTP request (see here and here).
I tried the demo with HTTPS and it works fine with secure cookies.  
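The behaviour described in the last two posts (the app breaks as soon as the secure element is set in cookie-config while the site is served over plain HTTP, and works again over HTTPS), as an added example that is not code from this thread or from Tomcat. It uses Python's standard http.cookiejar, whose DefaultCookiePolicy enforces the same rule for the Secure attribute that a browser does: a cookie carrying Secure is never attached to a request whose scheme is not https, so the AJAX request arrives at Tomcat without a JSESSIONID and the security constraint answers with the login page. The host name app.example.com, the context path /AjaxDemo and the JSESSIONID value are constructed for the demonstration.

```python
"""Why a Secure session cookie disappears from http:// AJAX requests.

Added example, not code from the thread or from Tomcat. Python's
http.cookiejar applies the same Secure rule a browser does: the cookie
is stored, but only attached to requests whose scheme is https. The host,
context path and JSESSIONID value below are constructed.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

SESSION_ID = "1A2B3C4D5E6F"  # constructed value, not a real session id

# Set-Cookie as Tomcat sends it when conf/web.xml contains
# <session-config><cookie-config><secure>true</secure></cookie-config></session-config>
SECURE_SET_COOKIE = f"JSESSIONID={SESSION_ID}; Path=/AjaxDemo; Secure; HttpOnly"
# The same header with the <secure> element commented out (the thread's workaround)
PLAIN_SET_COOKIE = f"JSESSIONID={SESSION_ID}; Path=/AjaxDemo; HttpOnly"


class _LoginResponse:
    """Minimal stand-in for a urllib response: CookieJar only calls .info()."""

    def __init__(self, set_cookie: str) -> None:
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def session_cookie_sent(set_cookie: str, login_url: str, ajax_url: str):
    """Store the cookie from the login response, then build the AJAX request.

    Returns the Cookie header the jar attaches to the AJAX request, or None
    when the jar withholds it. None is the broken case from the thread: the
    request reaches Tomcat with no session, so the constrained XML resource
    is answered with the login page instead of the data.
    """
    jar = CookieJar()
    # Python's jar accepts a Secure cookie even when it arrives over http;
    # current browsers may refuse to store it at all, with the same net effect.
    jar.extract_cookies(_LoginResponse(set_cookie), Request(login_url))
    ajax_request = Request(ajax_url)
    jar.add_cookie_header(ajax_request)
    return ajax_request.get_header("Cookie")


def demo() -> dict:
    """Run the three configurations from the thread; value is the Cookie header sent."""
    http_login = "http://app.example.com/AjaxDemo/j_security_check"
    http_ajax = "http://app.example.com/AjaxDemo/testData.xml"
    https_login = "https://app.example.com/AjaxDemo/j_security_check"
    https_ajax = "https://app.example.com/AjaxDemo/testData.xml"
    return {
        # secure=true, application served over plain HTTP: the build that failed
        "secure cookie over http": session_cookie_sent(SECURE_SET_COOKIE, http_login, http_ajax),
        # <secure> commented out: the workaround for the internal-network deployment
        "plain cookie over http": session_cookie_sent(PLAIN_SET_COOKIE, http_login, http_ajax),
        # secure=true with the application behind HTTPS: the configuration that works
        "secure cookie over https": session_cookie_sent(SECURE_SET_COOKIE, https_login, https_ajax),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case:25s} -> Cookie: {header}")
```

Running the script prints None for the first case and the JSESSIONID for the other two, which is the whole story of the thread: the Secure attribute is doing its job. Dropping it is only reasonable when the session cookie really never needs to cross an untrusted network; the robust fix is the one from the last post, serving the application (including the login page) over HTTPS, and, if TLS terminates at a reverse proxy in front of Tomcat, making sure Tomcat is told the request was secure so that the secure attribute and the session are consistent.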
 