[OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization
Jim Manico
jim.manico at owasp.org
Wed Mar 11 16:41:51 EDT 2009
Thanks for participating, Neil!
> That way we can just toss the object into the session and pull it out when
> we need the references instead of the approach taken in the Swingset
> Application.
That worries me from a performance consideration. "Packing the session" with
too much actual data is normally not recommended for scalability purposes.
Even session mechanisms that are database driven still should avoid this
anti-performance-pattern. You are better off going to the database which
often uses app level caching mechanisms.
Just my 2 cents, I'm eager to hear what the others have to say.
- Jim
----- Original Message -----
From: "Neil Matatall" <nmatatal at uci.edu>
To: "Jim Manico" <jim.manico at owasp.org>
Cc: "John Melton" <jtmelton at gmail.com>; <owasp-esapi at lists.owasp.org>
Sent: Wednesday, March 11, 2009 10:37 AM
Subject: [OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization
> On the topic of changing things, should we submit feature requests to this
> list directly? I couldn't find anything on the OWASP page other than the
> Google code bug tracker. What does everyone think about making the
> AccessReferenceMap extend Serializable? That way we can just toss the
> object into the session and pull it out when we need the references
> instead of the approach taken in the Swingset Application.
> session.setAttribute(ind0, directReference0);
> session.setAttribute(ind1, directReference1);
> session.setAttribute(ind2, directReference2);
> session.setAttribute(ind3, directReference3);
> session.setAttribute(ind4, directReference4);
> session.setAttribute(ind5, directReference5);
> session.setAttribute(ind6, directReference6);
> session.setAttribute("ind0", ind0);
> session.setAttribute("ind1", ind1);
> session.setAttribute("ind2", ind2);
> session.setAttribute("ind3", ind3);
> session.setAttribute("ind4", ind4);
> session.setAttribute("ind5", ind5);
> session.setAttribute("ind6", ind6);
>
> Retrieving the reference from the session becomes somewhat clunky. By
> making the AccessReferenceMap Serializable, we can save it to the session
> and write code like this:
>
> AccessReferenceMap refMap = (AccessReferenceMap)
> request.getSession().getAttribute("refMap");
> String indirectRef = request.getParameter("indirectReference");
> Object resource = refMap.getDirectReference(indirectRef);
>
>
>
> Neil
>
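
The approach proposed in the quoted message, as an added example that is not part of the original thread and not ESAPI's own code: a serializable indirect-reference map that survives the serialization round trip a container performs when it persists or replicates a session, and rejects unknown indirect references. The class names `SerializableRefMapDemo` and `SessionRefMap` and the sample value are assumptions made for illustration; the printed byte count shows the session footprint that the reply's scalability concern is about.

```java
import java.io.*;
import java.security.SecureRandom;
import java.util.*;

// Hypothetical stand-in for a serializable access reference map; not ESAPI's class.
public class SerializableRefMapDemo {

    static class SessionRefMap<T extends Serializable> implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Map<String, T> byIndirect = new HashMap<>();
        private final Map<T, String> byDirect = new HashMap<>();

        // Returns an unguessable token for a direct reference, reusing any existing one.
        String addDirectReference(T direct) {
            String existing = byDirect.get(direct);
            if (existing != null) return existing;
            byte[] raw = new byte[16];
            new SecureRandom().nextBytes(raw);
            String indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            byIndirect.put(indirect, direct);
            byDirect.put(direct, indirect);
            return indirect;
        }

        // Fails closed: a token that was never issued in this session is rejected.
        T getDirectReference(String indirect) {
            T direct = byIndirect.get(indirect);
            if (direct == null) throw new SecurityException("Unknown indirect reference");
            return direct;
        }
    }

    public static void main(String[] args) throws Exception {
        SessionRefMap<String> refMap = new SessionRefMap<>();
        String indirect = refMap.addDirectReference("account-1001"); // constructed sample value

        // Simulate the container persisting or replicating the session attribute.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(refMap); }
        System.out.println("serialized bytes: " + buf.size());
        SessionRefMap<String> restored;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            @SuppressWarnings("unchecked")
            SessionRefMap<String> r = (SessionRefMap<String>) in.readObject();
            restored = r;
        }
        System.out.println(restored.getDirectReference(indirect));
        try { restored.getDirectReference("tampered-value"); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```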