[OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization

Alex Smolen me at alexsmolen.com
Wed Mar 11 18:53:20 EDT 2009

I'm with Neil on this one. If you don't store the AccessReferenceMap in the 
session, then it basically becomes a random number generator - it only 
creates indirect reference IDs, and you have to store the object and 
references yourself between requests.

Besides, making it serializable doesn't force people to put it in the 
session - it just makes it a lot more convenient to do so.


From: "Jim Manico" <jim.manico at owasp.org>
Sent: Wednesday, March 11, 2009 1:43 PM
To: "Neil Matatall" <nmatatal at uci.edu>
Subject: Re: [OWASP-ESAPI] Feature Request: AccessReferenceMap 

Thanks for participating, Neil!

> That way we can just toss the object into the session and pull it out 
> when we need the references instead of the approach taken in the Swingset 
> Application.

That worries me from a performance consideration. "Packing the session" 
with too much actual data is normally not recommended for scalability purposes. 
Even session mechanisms that are database driven still should avoid this 
anti-performance-pattern. You are better off going to the database which 
often uses app level caching mechanisms.

Just my 2 cents, I'm eager to hear what the others have to say.

- Jim

----- Original Message ----- 
From: "Neil Matatall" 
To: "Jim Manico" 
Cc: "John Melton" ; 
Sent: Wednesday, March 11, 2009 10:37 AM
Subject: [OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization

> On the topic of changing things, should we submit feature requests to 
> the list directly?  I couldn't find anything on the OWASP page other than the 
> Google code bug tracker.  What does everyone think about making the 
> AccessReferenceMap extend Serializable?  That way we can just toss the 
> object into the session and pull it out when we need the references 
> instead of the approach taken in the Swingset Application.
>                session.setAttribute(ind0, directReference0);
>                session.setAttribute(ind1, directReference1);
>                session.setAttribute(ind2, directReference2);
>                session.setAttribute(ind3, directReference3);
>                session.setAttribute(ind4, directReference4);
>                session.setAttribute(ind5, directReference5);
>                session.setAttribute(ind6, directReference6);
>                session.setAttribute("ind0", ind0);
>                session.setAttribute("ind1", ind1);
>                session.setAttribute("ind2", ind2);
>                session.setAttribute("ind3", ind3);
>                session.setAttribute("ind4", ind4);
>                session.setAttribute("ind5", ind5);
>                session.setAttribute("ind6", ind6);
> Retrieving the reference from the session becomes somewhat clunky.  By 
> making the AccessReferenceMap Serializable, we can save it to the session 
> and write code like this:
> AccessReferenceMap refMap = (AccessReferenceMap) 
> request.getSession().getAttribute("refMap");
> String indirectRef = request.getParameter("indirectReference");
> Object resource = refMap.getDirectReference(indirectRef);
> Neil

OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
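As an added illustration, not ESAPI's own code: a minimal Serializable stand-in for AccessReferenceMap (class and method names are hypothetical) showing the indirect-to-direct lookup surviving a session serialization round trip, which is what makes the map more than a random number generator.

```java
import java.io.*;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for ESAPI's AccessReferenceMap, written for this example only.
// Being Serializable, the whole map is one session attribute instead of one per reference.
public class SessionRefMap implements Serializable {
    private static final long serialVersionUID = 1L;
    private final Map<String, Object> indirectToDirect = new HashMap<>();
    private final Map<Object, String> directToIndirect = new HashMap<>();
    private transient SecureRandom random = new SecureRandom();

    // Registers a direct reference and returns an unguessable indirect reference for it.
    public String addDirectReference(Object direct) {
        String indirect = directToIndirect.get(direct);
        if (indirect != null) return indirect;
        do {
            indirect = Long.toHexString(random.nextLong());
        } while (indirectToDirect.containsKey(indirect));
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    // Resolves a user-supplied indirect reference; values this map never issued are rejected.
    public Object getDirectReference(String indirect) {
        Object direct = indirectToDirect.get(indirect);
        if (direct == null) throw new IllegalArgumentException("unknown indirect reference");
        return direct;
    }

    // The transient SecureRandom is null after deserialization, so recreate it.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        random = new SecureRandom();
    }

    public static void main(String[] args) throws Exception {
        SessionRefMap map = new SessionRefMap();
        String indirect = map.addDirectReference("account-4711"); // constructed sample value
        // Simulate the container serializing the session attribute between requests.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(map); }
        SessionRefMap restored = (SessionRefMap) new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray())).readObject();
        System.out.println(restored.getDirectReference(indirect)); // resolves after the round trip
        restored.getDirectReference("account-4711"); // a direct ID is not an indirect reference: throws
    }
}
```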
