Another programmer told me about a problem, that one user sometimes sees the data of another logged-in user. Probably they are requesting the same context at the same time. I thought, that is impossible to happen? Since Garbage Collection, Container-managed Transactions and JSessionID
Without looking at the code, it is hard to guess. But maybe you have hint.
He is using this structure:
JavaEE 6 coded Web Application, using EJB and Web Container seperatly on a Glassfish v3
JSF + PrimeFaces Framework
Thanks in advance
The good news is that the EJB architecture is absolutely capable of isolating data, so this will be a bug in your code.
One thing to look for is the kind of beans you're using:
If you have stateful beans, the container will make sure each client gets the right instance.
If you use stateless beans, these are shared between clients. If you're storing any client-specific state in these, this could easily get shared across sessions.
If you use singletons, you need to make sure that no session-specific state is stored, and that any shared state uses appropriate locks.
It's also worth checking your application logic - if it appears data is being shared across sessions, is it possible it's just the wrong data?
Finally, the big thing you're going to need is appropriate debug logging. You'll need to get enough information about what's going on from the log to identify where the problem is going wrong. Unfortunately these kind of contention issues can be fiddly and hard to catch, especially with a debugger, but appropriate logging will make your life much better in any case.
Of course, this is all quite vague and generic, but without more detail on the system that's inevitable. I would suggest looking for state stored on stateless beans as a first step though!
Related
Very closely related: How to protect strings without SecureString?
Also closely related: When would I need a SecureString in .NET?
Extremely closely related (OP there is trying to achieve something very similar): C# & WPF - Using SecureString for a client-side HTTP API password
The .NET Framework has class called SecureString. However, even Microsoft no longer recommends its use for new development. According to the first linked Q&A, at least one reason for that is that the string will be in memory in plaintext anyway for at least some amount of time (even if it's a very short amount of time). At least one answer also extended the argument that, if they have access to the server's memory anyway, in practice security's probably shot anyway, so it won't help you. (The second linked Q&A implies that there was even discussion of dropping this from .NET Core entirely).
That being said, Microsoft's documentation on SecureString does not recommend a replacement, and the consensus on the linked Q&A seems to be that that kind of a measure wouldn't be all that useful anyway.
My application, which is an ASP.NET Core application, makes extensive use of API Calls to an external vendor using the HttpClient class. The generally-recommended best practice for HttpClient is to use a single instance rather than creating a new instance for each call.
However, our vendor requires that all API Calls include our API Key as a header with a specific name. I currently store the key securely, retrieve it in Startup.cs, and add it to our HttpClient instance's headers.
Unfortunately, this means that my API Key will be kept in plaintext in memory for the entire lifecycle of the application. I find this especially troubling for a web application on a server; even though the server is maintained by corporate IT, I've always been taught to treat even corporate networks as semi-hostile environments and not to rely purely on corporate firewalls for application security in such cases.
Does Microsoft have a recommended best practice for cases like this? Is this a potential exception to their recommendation against using SecureString? (Exactly how that would work is a separate question). Or is the answer on the other Q&A really correct in saying that I shouldn't be worried about plaintext strings living in memory like this?
Note: Depending on responses to this question, I may post a follow-up question about whether it's even possible to use something like SecureString as part of HttpClient headers. Or would I have to do something tricky like populate the header right before using it and then remove it from memory right afterwards? (That would create an absolute nightmare for concurrent calls though). If people think that I should do something like this, I would be glad to create a new question for that.
You are being WAY too paranoid.
Firstly, if a hacker gets root access to your web server, you have WAY bigger problems than your super-secret web app credentials being stolen. Way, way, way bigger problems. Once the hackers are on your side of the airtight hatchway, it is game over.
Secondly, once your infosec team detects the intrusion (if they don't, again, you've got WAY bigger problems) they're going to tell you and the first thing you're going to do is change every key and password you know of.
Thirdly, if a hacker does get root access to your webserver, their first thought isn't going to be "let's take a memory dump for later analysis". A dumpfile is rather large (will take time to transfer over the wire, and the network traffic might well be noticed) and (at least on Windows) hangs the process until it's complete (so you'd notice your web app was unresponsive) - both of which are likely to raise some red flags.
No, hackers are there to grab as much valuable information in the least amount of time, because they know their access could be discovered at any second. So they're going to go for the low-hanging fruit first - usernames and passwords. Then they'll move on to trying to find out what's connected to that server, and since your DB credentials are likely in a config file on that server, they will almost certainly switch their attentions to that far more interesting target.
So all things considered, your API key is pretty darn unlikely to be compromised - and even if it is, it won't be because of something you did or didn't do. There are far more productive ways of focusing your time than trying to secure something that already is (or should be) incredibly secure. And, at the end of the day, no matter how many layers of security you put in place... that API or SSL key is going to be raw, in memory, at some stage.
Using a node-redux stack. We have action creators on the client side and reducers + redux state on the back end.
I have the following proposal to implement permissions:
Actions are created client side, these may be malicious, even from authenticated users.
Actions are sent to the server.
The request is authenticated server-side and the users permissions ascertained.
The actions pass through the redux middleware which lives inside the node server.
Middleware checks the users permissions against permission specified for the action type.
If the user has the correct permissions for the action then the reducers create a new redux state (which also lives on the server).
Problem:
Each action type is coupled to a set of permissions, this means that we need to take great care creating our reducers so that we never allow an action to do more than it should. With multiple devs on the team and a large application I am not convinced this is sufficient.
Questions:
Is there a good resource/link with a good discussion on handling permissions with redux.
Is redux sufficient for handling complex permissions?
If we check permissions as outlined above are there any problems that I have not mentioned and is there a better way of approaching this while still using redux?
Redux is "permission agnostic". Redux is just a framework for coordinating actions that update the application state; it contains no opinions or recommendations on how to approach permitting those actions.
Answers
Is there a good resource/link with a good discussion on handling permissions with
redux.
Here is one.
Authorization is a very difficult thing to make general proclamations about, since it very much depends on the business needs. Are you using roles? Are you just requiring authentication? Can users have multiple roles, or just one? How do multiple roles interact? These are not questions with one answer.
Is redux sufficient for handling complex permissions?
This is like asking if JavaScript is sufficient for handling complex permissions. It doesn't really make sense.
From one perspective, is it "possible" to handle complex permissions: yes. Redux will not restrict any permissions scheme you wish to implement at the action level, since actions are just functions that call dispatch (another function). You can use actions to stop the dispatch call for any reason.
From another perspetive, does redux provide an out-of-the-box mechanism that can handle complex permissions without any additional patterns or tools: no. Redux does not even attempt to address this concern, it is entirely up to you.
If we check permissions as outlined above are there any problems that I have not mentioned and is there a better way of approaching this while still using redux?
There are most certainly problems you have not mentioned, since you have not completely outlined your implementation. As they say, the devil is in the details. How you accomplish what you have described will determine what other problems you encounter.
Is there a better way? "Better" is about as vague as you can get. What are your parameters for "better"? In a trade-off between development speed and run-time performance, which would you prefer? In a trade-off between number of server calls and permission granularity, which would you prefer?
All you have said is that you are checking actions on the server. Without knowing what your authorization model is, its impossible to say if a better way exists, even when you precisely define "better", because we don't know what you are doing.
However, given the information you have, and assuming that doing the check server side is both necessary and time-saving (another big assumption), I would say (as weakly as I possible can) yes, there will be additional problems. To name a few:
Latency. Redux expects the entire app state, including the value of input fields. Your model checks the server on each action, so developing in a stricly redux manner every keystroke will go to the server to ensure that it is allowed to update the input. This will make user interaction very slow, and very frustrating.
Bandwidth. This is going to consume a lot of bandwidth, for the reason as above.
CPU. This is going to be very server CPU intensive, for the reason above.
A big win in client-side applications is that the server only does the work it absolutely has to: serving data (in a minimal format like json), and verifying requests to update data. You are going to be taking on the additional work of running all of your clients. This is a questionable tradeoff to reducing the boiler-plate of writing a REST api.
This will also lock you into your action api, and redux. A REST api has the advantage of being client-agnostic. If you change from redux, or just reorganize your actions, the REST api on the server wont need to change (or at least, wont need to change as much). This is going to make refactoring, even if you stick with redux, painful. Whether or not this overcomes the pain of writing a REST api is impossible to say, but its something to consider.
I'm afraid this question will be a bit vague but here goes...
We're noticing some very strange, occasional behaviour in our JEE7 web application. Sometimes a user's page will suddenly start displaying data from an entirely different user's session! So far I haven't been able to replicate this phenomenon nor find any indication of the problem in the logs, however it seems like one user's page starts displaying data that is stored in a #SessionScoped CDI bean that should belong to a different user's session.
Does this behaviour ring any bells for anyone? Any ideas about where to start looking, logging, or researching?
Our app is using Glassfish 4's SSO system. We're using JSF facelets, CDI backing beans, JPA entities. All reference implementations. All pretty close to latest versions.
We've also recently introduced a couple of simple SOAP based web services. Not closely linked to the areas we're having troubles with but maybe worth mentioning.
Any pointers or ideas greatly appreciated.
I'm afraid not to be able to yield an answer to your problem, but I am not allowed to comment on your question.
We are experiencing the exact behaviour you describe in our JEE7 web application on Glassfish 4 as well. In my SO post I am describing how we tracked down the problem and found a way to bypass it. Did you meanwhile find a trace or maybe even a solution on this matter?
During the rather larges xPages application development a realized the fact that Domino deletes alls sessionScope, viewScope, applicationScope variables in application after any change in application design(that causes some internal application reload on server). I understand this for development process, but its realy unacceptable in production because it makes inconsistences for connected users. Even simple typo correction in code or on xpage(on any xpage, not the one the user is working on) and applying changes to production application causes this deletes. Is there a way how to overcome this behaviour? (I know I can update application outside of business hours or something but its problem for new application when you need to deliver changes quickly e.g. typo fixes ...)
This has to be done because any changes in your application could cause the scoped variables ( and its contents) to invalidate. Updating an application ( any not only xpage apps ) should be done in a specified trimeframe at which there are none / limited amount of users.
This answer to a previous question might provide an option for you. In the context of the original question, the suggestion for defining listeners was just to provide an opportunity to do some cleanup prior to the scopes being destroyed. These types of listeners, however, could also be used to save and restore the state of these scopes. I'd urge caution for the reasons JJTB mentions, but certainly in situations where you're making completely unrelated changes (e.g. structural, not logical), this would give you a way to prevent users from being impacted by frequent scope clearing.
jjtbsomhorst explained the reason. I want to add: don't rely on scoped variables and use beans. Beans contain "formula for cooking a fresh one" what is much safer for application. Any scoped variable computed on specific event (on load typically) will be lost forever, if you make update to application as mentioned in your question. But if you used bean - its values will be recreated whenever needed again.
I'm working on a JSF 1.2 project which has AJAX functionality on it's pages (using RichFaces).
My bean builds a list of objects to be edited and then has methods to support the editing and the bean is session-scoped. I will be using a a4j:queue so that only one AJAX call can happen at a time.
I'm curious if it is wise to use synchronization (locks on objects, or perhaps collections from java.util.concurrent) in the managed bean. Is the extra work needed to implement synchronization/thread safety really needed? The site I am working on has many users and needs to be reliable but it has a LOT of managed beans, and I'm curious how concerned I should be about the thread safety of managed beans overall.
Do you take extra steps in backing beans for thread-safety?
Thanks in advance.
a4j:queue won't prevent the user from reloading the page / clicking another link while the AJAX call is in progress.
Yes, we can probably trust the user not to click many different links right after each other, but what about requests not triggered by the user, for instance by a4j:poll?
Note that replacing all collections with their thread-safe equivalent might not be enough to make your application thread safe.
That said, depending on the degree of reliability your application needs to meet, this problem might or might not deserve your attention.
You need to keep scope in mind.
Request scope - thread safe, session scope - not thread safe
If you need to be able to open multiple browser windows or tabs, then you can use something like a Seam conversation to protect from editing the same object from two windows/tabs.
If it is SessionScoped you must take care to use some thread-safety mechanisms. If it is RequestScoped or ViewScope'd, then it is safe to share class variables between methods.