[OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization

Neil Matatall nmatatal at uci.edu
Wed Mar 11 20:08:38 EDT 2009


Jim,

As your comments suggest, anyone working with a large amount of indirect 
references probably has some other mechanism in place, but for smaller 
instances I would think storing the AccessReferenceMap in the session 
should be fine.  My 10-second analysis tells me that putting both the 
indirect and direct references in the session doesn't save you much more 
than putting the entire AccessReferenceMap.  It seems that the impact on 
the session is more dependent on the size of the values being stored 
than the technique being used. 

Neil

Alex Smolen wrote:
> I'm with Neil on this one. If you don't store the AccessReferenceMap 
> in the session, then it basically becomes a random number generator - 
> it only creates indirect reference IDs, and you have to store the 
> object and references yourself between requests.
>
> Besides, making it serializable doesn't force people to put it in the 
> session - it just makes it a lot more convenient to do so.
>
> Thanks,
> Alex
> ------------------------------------------------------------------------
> *From*: "Jim Manico" <jim.manico at owasp.org>
> *Sent*: Wednesday, March 11, 2009 1:43 PM
> *To*: "Neil Matatall" <nmatatal at uci.edu>
> *Subject*: Re: [OWASP-ESAPI] Feature Request: AccessReferenceMap 
> Serialization
>
> Thanks for participating, Neil!
>
> > That way we can just toss the object into the session and pull it out when
> > we need the references instead of the approach taken in the Swingset
> > Application.
>
> That worries me from a performance consideration. "Packing the session" with
> too much actual data is normally not recommended for scalability purposes.
> Even session mechanisms that are database driven still should avoid this
> anti-performance-pattern. You are better off going to the database which
> often uses app level caching mechanisms.
>
> Just my 2 cents, I'm eager to hear what the others have to say.
>
> - Jim
>
>
> ----- Original Message -----
> From: "Neil Matatall"
> To: "Jim Manico"
> Cc: "John Melton" ;
> Sent: Wednesday, March 11, 2009 10:37 AM
> Subject: [OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization
>
>
> > On the topic of changing things, should we submit feature requests to this
> > list directly? I couldn't find anything on the OWASP page other than the
> > Google code bug tracker. What does everyone think about making the
> > AccessReferenceMap extend Serializable? That way we can just toss the
> > object into the session and pull it out when we need the references
> > instead of the approach taken in the Swingset Application.
> > session.setAttribute(ind0, directReference0);
> > session.setAttribute(ind1, directReference1);
> > session.setAttribute(ind2, directReference2);
> > session.setAttribute(ind3, directReference3);
> > session.setAttribute(ind4, directReference4);
> > session.setAttribute(ind5, directReference5);
> > session.setAttribute(ind6, directReference6);
> > session.setAttribute("ind0", ind0);
> > session.setAttribute("ind1", ind1);
> > session.setAttribute("ind2", ind2);
> > session.setAttribute("ind3", ind3);
> > session.setAttribute("ind4", ind4);
> > session.setAttribute("ind5", ind5);
> > session.setAttribute("ind6", ind6);
> >
> > Retrieving the reference from the session becomes somewhat clunky. By
> > making the AccessReferenceMap Serializable, we can save it to the session
> > and write code like this:
> >
> > AccessReferenceMap refMap = (AccessReferenceMap)
> > request.getSession().getAttribute("refMap");
> > String indirectRef = request.getParameter("indirectReference");
> > Object resource = refMap.getDirectReference(indirectRef);
> >
> >
> >
> > Neil
> >
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
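The following is an added illustration of the idea under discussion and is not code from ESAPI or from anyone on this thread: a small session-scoped indirect reference map that implements java.io.Serializable, so one object can be stored under a single session attribute instead of one setAttribute call per reference. The class name SessionReferenceMap, the token format and the sample direct references (a numeric key and a file path) are all assumptions made for the example; ESAPI's own AccessReferenceMap implementations are not used here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative session-scoped indirect reference map (not ESAPI's own class).
 * Direct references (database keys, file paths) never reach the client; the
 * client only ever sees unguessable tokens that are valid inside this map,
 * and a token the map never issued resolves to nothing.
 */
public class SessionReferenceMap implements Serializable {
    private static final long serialVersionUID = 1L;

    private final Map<String, Serializable> indirectToDirect = new HashMap<>();
    private final Map<Serializable, String> directToIndirect = new HashMap<>();
    // Not serializable and not needed in the stored form; rebuilt on readObject.
    private transient SecureRandom random = new SecureRandom();

    /** Return the indirect token for a direct reference, issuing a fresh one if needed. */
    public synchronized String addDirectReference(Serializable direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) {
            return existing;
        }
        String indirect;
        do {
            byte[] bytes = new byte[12];
            random.nextBytes(bytes);
            indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        } while (indirectToDirect.containsKey(indirect));
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    /** Resolve a client-supplied token; returns null for anything this map did not issue. */
    public synchronized Serializable getDirectReference(String indirect) {
        return indirect == null ? null : indirectToDirect.get(indirect);
    }

    /** Restore the transient SecureRandom after the map is read back from the session store. */
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        random = new SecureRandom();
    }

    /** Round-trip through Java serialization, as a persisting session store would do. */
    public static SessionReferenceMap roundTrip(SessionReferenceMap map)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(map);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (SessionReferenceMap) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SessionReferenceMap map = new SessionReferenceMap();
        // Constructed sample direct references belonging to the current user.
        String tokenForRecord = map.addDirectReference(42L);
        String tokenForFile = map.addDirectReference("/data/report.pdf");

        // Simulate the session being persisted and restored between requests;
        // in a servlet this would be session.setAttribute("refMap", map) and
        // (SessionReferenceMap) request.getSession().getAttribute("refMap").
        SessionReferenceMap restored = roundTrip(map);

        System.out.println("record token resolves to: " + restored.getDirectReference(tokenForRecord));
        System.out.println("file token resolves to:   " + restored.getDirectReference(tokenForFile));
        System.out.println("unknown token resolves to: " + restored.getDirectReference("not-issued-token"));
        System.out.println("token stable after restore: "
                + restored.addDirectReference(42L).equals(tokenForRecord));
    }
}
```

Two points follow from the thread. First, the map stores only the references and their tokens, so its footprint in the session is set by the size of the direct references themselves, which matches Neil's observation that the technique matters less than the values being stored. Second, the serialized form must stay server-side (session store or database-backed session); handing the serialized object to the client, say in a cookie, would both expose the direct references and mean deserializing untrusted bytes on the next request.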