[OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization

Jim Manico jim.manico at owasp.org
Wed Mar 11 22:17:24 EDT 2009


Agreed, it's a reasonable option.

- Jim
----- Original Message ----- 
From: "Dan Cornell" <dan at denimgroup.com>
To: "Neil Matatall" <nmatatal at uci.edu>; <me at alexsmolen.com>; 
<owasp-esapi at lists.owasp.org>
Sent: Wednesday, March 11, 2009 3:19 PM
Subject: Re: [OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization


>
> Yes - I think having the _option_ to safely put the AccessReferenceMap in 
> the session is a good one to have.  On an application-specific basis the 
> developer will have to make a decision to use session state or use some 
> other means of persistence, but having the option is a valuable one.
>
> Thanks,
>
> Dan
>
>
> -----Original Message-----
> From: owasp-esapi-bounces at lists.owasp.org on behalf of Neil Matatall
> Sent: Wed 3/11/2009 7:08 PM
> To: me at alexsmolen.com; owasp-esapi at lists.owasp.org
> Subject: Re: [OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization
>
> Jim,
>
> As your comments suggest, anyone working with a large amount of indirect
> references probably has some other mechanism in place, but for smaller
> instances I would think storing the AccessReferenceMap in the session
> should be fine.  My 10 second analysis tells me that putting both the
> indirect and direct references in the session doesn't save you much more
> than putting the entire AccessReferenceMap.  It seems that the impact on
> the session is more dependent on the size of the values being stored
> than the technique being used.
>
> Neil
>
> Alex Smolen wrote:
>> I'm with Neil on this one. If you don't store the AccessReferenceMap
>> in the session, then it basically becomes a random number generator -
>> it only creates indirect reference IDs, and you have to store the
>> object and references yourself between requests.
>>
>> Besides, making it serializable doesn't force people to put it in the
>> session - it just makes it a lot more convenient to do so.
>>
>> Thanks,
>> Alex
>> ------------------------------------------------------------------------
>> *From*: "Jim Manico" <jim.manico at owasp.org>
>> *Sent*: Wednesday, March 11, 2009 1:43 PM
>> *To*: "Neil Matatall" <nmatatal at uci.edu>
>> *Subject*: Re: [OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization
>>
>> Thanks for participating, Neil!
>>
>> > That way we can just toss the object into the session and pull it
>> > out when we need the references instead of the approach taken in the
>> > Swingset Application.
>>
>> That worries me from a performance consideration. "Packing the
>> session" with too much actual data is normally not recommended for
>> scalability purposes. Even session mechanisms that are database driven
>> still should avoid this anti-performance-pattern. You are better off
>> going to the database which often uses app level caching mechanisms.
>>
>> Just my 2 cents, I'm eager to hear what the others have to say.
>>
>> - Jim
>>
>>
>> ----- Original Message -----
>> From: "Neil Matatall"
>> To: "Jim Manico"
>> Cc: "John Melton" ;
>> Sent: Wednesday, March 11, 2009 10:37 AM
>> Subject: [OWASP-ESAPI] Feature Request: AccessReferenceMap Serialization
>>
>>
>> > On the topic of changing things, should we submit feature requests
>> > to this list directly? I couldn't find anything on the OWASP page other
>> > than the Google code bug tracker. What does everyone think about making
>> > the AccessReferenceMap extend Serializable? That way we can just toss the
>> > object into the session and pull it out when we need the references
>> > instead of the approach taken in the Swingset Application.
>> > session.setAttribute(ind0, directReference0);
>> > session.setAttribute(ind1, directReference1);
>> > session.setAttribute(ind2, directReference2);
>> > session.setAttribute(ind3, directReference3);
>> > session.setAttribute(ind4, directReference4);
>> > session.setAttribute(ind5, directReference5);
>> > session.setAttribute(ind6, directReference6);
>> > session.setAttribute("ind0", ind0);
>> > session.setAttribute("ind1", ind1);
>> > session.setAttribute("ind2", ind2);
>> > session.setAttribute("ind3", ind3);
>> > session.setAttribute("ind4", ind4);
>> > session.setAttribute("ind5", ind5);
>> > session.setAttribute("ind6", ind6);
>> >
>> > Retrieving the reference from the session becomes somewhat clunky. By
>> > making the AccessReferenceMap Serializable, we can save it to the
>> > session and write code like this:
>> >
>> > AccessReferenceMap refMap = (AccessReferenceMap)
>> > request.getSession().getAttribute("refMap");
>> > String indirectRef = request.getParameter("indirectReference");
>> > Object resource = refMap.getDirectReference(indirectRef);
>> >
>> >
>> >
>> > Neil
>> >
>>
>> _______________________________________________
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>>
>
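As an added illustration of the pattern Neil describes (this is example code, not ESAPI's own AccessReferenceMap and not from the thread): a Serializable indirect-reference map that a servlet can store in the session, survives a serialization round-trip, and rejects any indirect id it never issued. The class and method names, and the sample account id 4711, are assumptions.

```java
import java.io.*;
import java.security.SecureRandom;
import java.util.*;

// Hypothetical minimal indirect-reference map (not ESAPI's AccessReferenceMap); one instance per session.
public final class SessionRefMap implements Serializable {
    private static final long serialVersionUID = 1L;
    private final HashMap<String, Serializable> indirectToDirect = new HashMap<>();
    private final HashMap<Serializable, String> directToIndirect = new HashMap<>();
    private transient SecureRandom rng; // not serialized; recreated after deserialization

    /** Register a direct reference (e.g. a DB primary key); returns its random, per-session indirect id. */
    public synchronized String addDirectReference(Serializable direct) {
        String indirect = directToIndirect.get(direct);
        if (indirect != null) return indirect; // same direct ref always yields the same id within a session
        if (rng == null) rng = new SecureRandom();
        do {
            byte[] b = new byte[8];
            rng.nextBytes(b);
            indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        } while (indirectToDirect.containsKey(indirect));
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    /** Resolve a client-supplied id; ids this map never issued (tampered or guessed) are rejected. */
    public synchronized Serializable getDirectReference(String indirect) {
        Serializable direct = indirectToDirect.get(indirect);
        if (direct == null) throw new IllegalArgumentException("unknown indirect reference");
        return direct;
    }
    /** Round-trip through Java serialization, as a serializing session store would do. */
    static SessionRefMap roundTrip(SessionRefMap m) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(m); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (SessionRefMap) ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        SessionRefMap map = new SessionRefMap();
        String ind = map.addDirectReference(4711L);  // constructed sample: account id 4711 stays server-side
        SessionRefMap restored = roundTrip(map);      // stands in for session.setAttribute("refMap", map) + reload
        System.out.println("resolved: " + restored.getDirectReference(ind));
        try { restored.getDirectReference("forged-id"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Only the small mapping lives in the session; the referenced objects themselves stay in the database, which is the split Jim's scalability concern argues for.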