[OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization
me at alexsmolen.com
Wed Mar 11 18:53:20 EDT 2009
I'm with Neil on this one. If you don't store the AccessReferenceMap in the
session, then it basically becomes a random number generator - it only
creates indirect reference IDs, and you have to store the object and
references yourself between requests.
Besides, making it serializable doesn't force people to put it in the
session - it just makes it a lot more convenient to do so.
From: "Jim Manico" <jim.manico at owasp.org>
Sent: Wednesday, March 11, 2009 1:43 PM
To: "Neil Matatall" <nmatatal at uci.edu>
Subject: Re: [OWASP-ESAPI] Feature Request: AccessReferenceMap
Thanks for participating, Neil!
> That way we can just toss the object into the session and pull it out
> when we need the references instead of the approach taken in the Swingset
That worries me from a performance consideration. "Packing the session"
with too much actual data is normally not recommended for scalability purposes.
Even session mechanisms that are database driven still should avoid this
anti-performance-pattern. You are better off going to the database which
often uses app level caching mechanisms.
Just my 2 cents, I'm eager to hear what the others have to say.
----- Original Message -----
From: "Neil Matatall"
To: "Jim Manico"
Cc: "John Melton" ;
Sent: Wednesday, March 11, 2009 10:37 AM
Subject: [OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization
> On the topic of changing things, should we submit feature requests to
> the list directly? I couldn't find anything on the OWASP page other than the
> Google code bug tracker. What does everyone think about making the
> AccessReferenceMap extend Serializable? That way we can just toss the
> object into the session and pull it out when we need the references
> instead of the approach taken in the Swingset Application.
> session.setAttribute(ind0, directReference0);
> session.setAttribute(ind1, directReference1);
> session.setAttribute(ind2, directReference2);
> session.setAttribute(ind3, directReference3);
> session.setAttribute(ind4, directReference4);
> session.setAttribute(ind5, directReference5);
> session.setAttribute(ind6, directReference6);
> session.setAttribute("ind0", ind0);
> session.setAttribute("ind1", ind1);
> session.setAttribute("ind2", ind2);
> session.setAttribute("ind3", ind3);
> session.setAttribute("ind4", ind4);
> session.setAttribute("ind5", ind5);
> session.setAttribute("ind6", ind6);
> Retrieving the reference from the session becomes somewhat clunky. By
> making the AccessReferenceMap Serializable, we can save it to the session
> and write code like this:
> AccessReferenceMap refMap = (AccessReferenceMap)
> String indirectRef = request.getParameter("indirectReference");
> Object resource = refMap.getDirectReference(indirectRef);
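
The pattern proposed in the thread, as an added example that is not part of the original messages and is not ESAPI's own code: SessionRefMap is a hypothetical, simplified stand-in for a Serializable AccessReferenceMap, and the serialization round trip stands in for a container persisting or replicating the session. The sample key "account-1001" is constructed.

```java
import java.io.*;
import java.security.SecureRandom;
import java.util.*;

// Added illustration: SessionRefMap is a hypothetical stand-in, not ESAPI's AccessReferenceMap.
public class SessionRefMapDemo {
    static class SessionRefMap implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final SecureRandom RNG = new SecureRandom(); // static, so never serialized
        private final Map<String, Serializable> byIndirect = new HashMap<>();

        // Issue an unguessable token for a direct reference (e.g. a database key).
        String addDirectReference(Serializable direct) {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            String indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            byIndirect.put(indirect, direct);
            return indirect;
        }

        // Only tokens issued into this user's map resolve; anything else is refused.
        Serializable getDirectReference(String indirect) {
            Serializable direct = byIndirect.get(indirect);
            if (direct == null) throw new SecurityException("unknown indirect reference");
            return direct;
        }
    }

    // Round trip through Java serialization, as a container does when it persists or replicates a session.
    static SessionRefMap roundTrip(SessionRefMap map) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(map); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (SessionRefMap) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SessionRefMap map = new SessionRefMap();
        String token = map.addDirectReference("account-1001");  // constructed sample key
        SessionRefMap restored = roundTrip(map);                // what session storage does to the map
        System.out.println(restored.getDirectReference(token)); // the issued token still resolves
        try {
            restored.getDirectReference("account-1002");        // a guessed direct key is not a token
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Every direct reference held in the map must itself be Serializable, and the serialized size grows with the number of references, which is the session-size cost raised in the reply above.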