David Balažic

Found it.

For applets, this syntax must be used:
<property name="jnlp.secure.parameter.<param-name or *>" value="true"/>

Hi!

If a param value in the JNLP file is changed, it asks on each start "Do you want to run this application ?".
Even if "Do not show this again for this app from the publisher above" is checked, it asks this each time.

I read Signing JNLP file with dynamic arguments and JDK-8199731 "Checkbox "do not show this again for apps from the publisher and location above" not working" but can not make it to work.

It seems the jnlp.secure.argument thing only works for changes in <argument> elements, but not in <param> elements that are used for <applet-desc>.

So, does anyone know how to pass a dynamic parameter to an applet started by JNLP file, without asking the user each time for approval?

I should work on Java 8u171 (or later).

Regards,
David

Tim Holloway wrote:
You should never mess around with the jsessionID cookie.

I don't.

If you want to invalidate a session, use the session.invalidate() method.

Yes, that is what my code does.

If you have a cluster, you should make sure that the cluster has been configured to broadcast that invalidation to all nodes in the cluster.

No cluster.

Likewise, if the session is being shared by multiple webapps (which isn't something I really recommend, incidentally).

It isn't shared.

If anyone is reading...

I did another test on another system (same software versions) and now the cookie contains the full value: wG...8vB!-1537443802!168028721

After invalidating the session, the cookie value changes (the two numbers at the end change value, the alphanumeric code in the front stays the same).

I guess only a WL wizard clould explain it...

Additional details:

after calling session.invalidate() the request.getSession().getId() returns a different value, but the cookie value stays the same.

Example (the values are shortened by few characters for clarity):

getId() before:
lv2sZprhrVD7Tmc3hx!-14701!421089720

calling invalidate() , then getSession(true)

getId() after:
lv2sZprhrVD7Tmc3hx!-14701!421253573


cookie value before and after:

lv2sZprhrVD7Tmc3hx!-14701

So:
- the session id changes after invalidate();getSession(true); but only in the last few characters
- the cookie value lacks the last item and remains the same

Jeanne Boyarsky wrote:You shouldn't be updating that cookie directly. It is getting the path from a server configuration.

FYI, that is done in WEB-INF/weblogic.xml :
<session-descriptor> <cookie-path>/myApp</cookie-path> </session-descriptor>

I run into this recently with WebLogic 10.3.5 deploying two apps.
But instead of one app invalidating the session also for the other app, I experienced that invalidating the session in one app does not do (almost) anything, if there is an active session on the other.

Details:
- user only opens app1, he gets a JSESSIONID cookie
- user clicks a link that calls session.invalidate()
- when user loads a page from app1 that uses a session, he gets a new value in the JSESSIONID cookie

But in this case:
- user opens app1, he gets a JSESSIONID cookie
- user opens app2, the JSESSIONID cookie remains the same
- user clicks a link in app1 that calls session.invalidate()
in this case the OP reported that both sessions are lost, but in my case not. The JSESSIONID value remained the same and app2 continued to work with the old session (this is good). But app1 still also used the same JSESSIONID value (the session itself was destroyed and later replaced with a new one).

Maybe this was a fix added in WebLogic 10.3.5 (or a bit earlier)?

Now the problem and the reason I am writing: The described fact that the JSESSIONID value remains the same even if the app invalidates the session leaves the doors open for a "session fixation" attack (see description links below).

JBoss (at least 7.1.1) and tomcat (8.0.x) behave differently. They send a different cookie for each app, having path=/app1 and path=/app2
Is WebLogic deviating from the specs? The behavior is sure surprising.

Links:
Session fixation description at wikipedia
Session fixation description at OWASP

It was introduced somewhere in v10 ... I'll post the blog where I read about it, when I find it.
(or someone can check the docs)

I probably confused it with the introduction of prefer-application-packages tag in weblogic.xml

Hi!

Is the file META-INF/weblogic-application.xml file supported in WAR files?

It is normally for EARs, but I "think" I saw some articles claiming 10.3.x versions of WebLogic support them also in WAR files.

Can someone please clear this up?

Thanks,
David

Stefan Evans wrote:I suppose you could always use the <c:out> tag

The value is <c:out value="${object1.property1}" default="null"/>

That's great (and kind of obvious now...)!

Thanks!

Here they suggest there is now way, except a custom function. :-(

http://stackoverflow.com/questions/12375029/jsf-el-replace-null-with-default-value

The value is: ${object1.property1}

If the value of the property is null, I want "null" to be printed, like this:
The value is: null

But I get an empty string, like:
The value is:

I know I can use a ternary operator, but isn't there a simpler/shorter solution? A function (like NVL() in SQL)?

The value is: ${empty object1.property1 ? "null" : object1.property1 }
Not only is this long, but the value expression is typed twice, which is a magnet for bugs.

Regards,
David

No, I'm talking .... http://www.example.com/foo?bar=about_this_here

The encoding of URI/URL parameters is not mentioned in the specs.

If webapp.encoding.default is not defined in weblogic-application.xml, what encoding is used by default?

I am interested in the encoding of URI/URL parameters, as explained here: http://www.lucamasini.net/Home/java-enterprise/non-ascii-char-and-http-requests-with-tomcat-weblogic
(also see the WebLogic docs at http://docs.oracle.com/cd/E21764_01/web.1111/e13706/app_xml.htm#r6c1-t2 )


Thanks,
David