David Balažic

Ranch Hand
since May 15, 2008

Recent posts by David Balažic

Found it.

For applets, this syntax must be used:
5 years ago

If a param value in the JNLP file is changed, it asks on each start "Do you want to run this application ?".
Even if "Do not show this again for this app from the publisher above" is checked, it asks this each time.

I read "Signing JNLP file with dynamic arguments" and JDK-8199731 "Checkbox "do not show this again for apps from the publisher and location above" not working" but cannot make it work.

It seems the jnlp.secure.argument thing only works for changes in <argument> elements, but not in <param> elements that are used for <applet-desc>.

So, does anyone know how to pass a dynamic parameter to an applet started by JNLP file, without asking the user each time for approval?

It should work on Java 8u171 (or later).

5 years ago

Tim Holloway wrote:
You should never mess around with the jsessionID cookie.

I don't.

If you want to invalidate a session, use the session.invalidate() method.

Yes, that is what my code does.

If you have a cluster, you should make sure that the cluster has been configured to broadcast that invalidation to all nodes in the cluster.

No cluster.

Likewise, if the session is being shared by multiple webapps (which isn't something I really recommend, incidentally).

It isn't shared.
8 years ago
If anyone is reading...

I did another test on another system (same software versions) and now the cookie contains the full value: wG...8vB!-1537443802!168028721

After invalidating the session, the cookie value changes (the two numbers at the end change value, the alphanumeric code in the front stays the same).

I guess only a WL wizard could explain it...
8 years ago
Additional details:

After calling session.invalidate(), request.getSession().getId() returns a different value, but the cookie value stays the same.

Example (the values are shortened by a few characters for clarity):

getId() before:

calling invalidate(), then getSession(true)

getId() after:

cookie value before and after:


- the session id changes after invalidate();getSession(true); but only in the last few characters
- the cookie value lacks the last item and remains the same
8 years ago

Jeanne Boyarsky wrote: You shouldn't be updating that cookie directly. It is getting the path from a server configuration.

FYI, that is done in WEB-INF/weblogic.xml:

I ran into this recently with WebLogic 10.3.5 deploying two apps.
But instead of one app invalidating the session also for the other app, I experienced that invalidating the session in one app does not do (almost) anything, if there is an active session on the other.

- user only opens app1, he gets a JSESSIONID cookie
- user clicks a link that calls session.invalidate()
- when user loads a page from app1 that uses a session, he gets a new value in the JSESSIONID cookie

But in this case:
- user opens app1, he gets a JSESSIONID cookie
- user opens app2, the JSESSIONID cookie remains the same
- user clicks a link in app1 that calls session.invalidate()
in this case the OP reported that both sessions are lost, but in my case not. The JSESSIONID value remained the same and app2 continued to work with the old session (this is good). But app1 still also used the same JSESSIONID value (the session itself was destroyed and later replaced with a new one).

Maybe this was a fix added in WebLogic 10.3.5 (or a bit earlier)?

Now the problem and the reason I am writing: The described fact that the JSESSIONID value remains the same even if the app invalidates the session leaves the doors open for a "session fixation" attack (see description links below).

JBoss (at least 7.1.1) and Tomcat (8.0.x) behave differently. They send a different cookie for each app, having path=/app1 and path=/app2.
Is WebLogic deviating from the specs? The behavior is sure surprising.

Session fixation description at wikipedia
Session fixation description at OWASP
8 years ago
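As an added example that is not part of the forum post: a small Python check, run over captured Set-Cookie headers, that reports whether a container actually rotated the JSESSIONID after session.invalidate() or login. It distinguishes the case the post describes (only the trailing '!'-separated numbers change while the leading token stays put) from a full rotation; all header values below are constructed, not taken from a real server.

```python
# Added example, not from the forum post: a defender-side check that a web app
# rotates its JSESSIONID when a session is invalidated or a user logs in.
# The Set-Cookie headers are constructed to mimic the post's observation
# (leading alphanumeric token, then '!'-separated numeric fields that change
# while the token stays the same); the token values themselves are made up.
from typing import Optional


def cookie_from_set_cookie(header: str, name: str = "JSESSIONID") -> Optional[dict]:
    """Return {'value': ..., 'path': ...} for cookie `name`, or None if absent."""
    parts = [p.strip() for p in header.split(";")]
    if not parts or "=" not in parts[0]:
        return None
    key, value = parts[0].split("=", 1)
    if key.strip() != name:
        return None
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"value": value, "path": attrs.get("path", "/")}


def rotation_verdict(before: str, after: str, name: str = "JSESSIONID") -> str:
    """Compare the session cookie issued before and after invalidate()/login.

    'rotated'     : the whole value changed (what closes the fixation window)
    'suffix-only' : only the '!'-separated trailing fields changed; the leading
                    token the browser keeps presenting is unchanged
    'not-rotated' : identical value, the classic session-fixation condition
    'missing'     : one side carried no such cookie
    """
    b = cookie_from_set_cookie(before, name)
    a = cookie_from_set_cookie(after, name)
    if b is None or a is None:
        return "missing"
    if b["value"] == a["value"]:
        return "not-rotated"
    if b["value"].split("!")[0] == a["value"].split("!")[0]:
        return "suffix-only"
    return "rotated"


# Constructed sample headers: one pair in the WebLogic-like shape from the post,
# one pair in the per-app-path shape the post attributes to Tomcat/JBoss.
WL_BEFORE = "JSESSIONID=AbCdEfGh!-1000000001!200000001; Path=/; HttpOnly"
WL_AFTER = "JSESSIONID=AbCdEfGh!-1000000099!200000077; Path=/; HttpOnly"
TC_BEFORE = "JSESSIONID=3F1A9C2D7B; Path=/app1; HttpOnly"
TC_AFTER = "JSESSIONID=9E0B4D61A5; Path=/app1; HttpOnly"

if __name__ == "__main__":
    print("WebLogic-style:", rotation_verdict(WL_BEFORE, WL_AFTER))  # suffix-only
    print("Tomcat-style  :", rotation_verdict(TC_BEFORE, TC_AFTER))  # rotated
```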
It was introduced somewhere in v10 ... I'll post the blog where I read about it, when I find it.
(or someone can check the docs)
8 years ago
I probably confused it with the introduction of prefer-application-packages tag in weblogic.xml
8 years ago

Is the META-INF/weblogic-application.xml file supported in WAR files?

It is normally for EARs, but I "think" I saw some articles claiming 10.3.x versions of WebLogic support them also in WAR files.

Can someone please clear this up?

8 years ago

Stefan Evans wrote: I suppose you could always use the <c:out> tag

That's great (and kind of obvious now...)!

8 years ago

If the value of the property is null, I want "null" to be printed, like this:

But I get an empty string, like:

I know I can use a ternary operator, but isn't there a simpler/shorter solution? A function (like NVL() in SQL)?

Not only is this long, but the value expression is typed twice, which is a magnet for bugs.

8 years ago
No, I'm talking .... http://www.example.com/foo?bar=about_this_here
10 years ago
The encoding of URI/URL parameters is not mentioned in the specs.
10 years ago
If webapp.encoding.default is not defined in weblogic-application.xml, what encoding is used by default?

I am interested in the encoding of URI/URL parameters, as explained here: http://www.lucamasini.net/Home/java-enterprise/non-ascii-char-and-http-requests-with-tomcat-weblogic
(also see the WebLogic docs at http://docs.oracle.com/cd/E21764_01/web.1111/e13706/app_xml.htm#r6c1-t2 )

10 years ago