How to transfer secret usernames and passwords between ViewScoped beans?


I am working on a web project where, in order to minimize session bloating, I am primarily using ViewScoped beans. But then I face the problem that I need to transfer clients' usernames and passwords between my beans (to access the database etc.).

I have made a system where I am using flash objects to transfer usernames and passwords between beans such as this:

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public String gotoNextView() {
    ExternalContext external = FacesContext.getCurrentInstance().getExternalContext();
    // Re-put the values read from the flash so they are available to the next view.
    external.getFlash().put("user_name", (String) external.getFlash().get("user_name"));
    external.getFlash().put("password", (String) external.getFlash().get("password"));

    return "/../../next_view.xhtml";
}

But I am worried about whether it is somehow possible for a hacker to manipulate the client and thereby trick the server to expose the flash objects!

Another solution that I am thinking about is to store all the JSESSIONIDs for the web application as keys in a Map with the usernames and passwords as values. To make that work I suppose that I need a callback method to be called when a user session ends or expires so that I can remove the relevant JSESSIONID from the Map. But the problem with that solution is that I am in doubt about what is the best way to implement the callback so that I can be 100% sure that the Map entry is removed before a new similar JSESSIONID is created by the server (even though I know that the chances are extremely small that it will happen in such a short amount of time). Also I am in doubt about what to do with beans that are working with a JSESSIONID (a user) if for some reason the server discards the JSESSIONID before the bean (and for example database operations) is finished (as I then can risk that a new similar JSESSIONID is created by the server for another user which then might get mingled with the JSESSIONID and user the other bean is servicing)!

I hope that someone with deep insight into the problem will write about what is the best practice and a 100% secure way to do this (also I suppose that most people working with JSF webapp servers encounter this problem and therefore it would be helpful for others to know the best solution to the problem). Thanks.


There is 1 answer

kolossus On

I think you're under a misconception here. The fact that a variable resides in one managed bean, and then is "passed" to another managed bean does not mean that there's actual movement across a physical medium. All viewscoped beans are implemented in the same storage area (I believe it's the UIViewRoot object). At this level, there's an implicit Boundary of Trust between these entities, and unless there's user-accessible movement between the two beans (maybe a client side variable, URL parameter or other HTTP artifact), I don't see the risk.

What this means is that, regardless of the specific @ViewScoped bean the variable sits in, they're all exposed to the same vulnerability (if any). "Passing" a variable between the beans doesn't introduce any new risk. Unless you're displaying the values anywhere to the users (maybe in the URL or in a hidden HTML form element), there's no new risk introduced by the @ViewScoped object in and of itself (improper use of the scopes is a different matter).

Ultimately, if you're still concerned about it, just encrypt your stuff (consider the overhead) before handing the variable to another entity.
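The session-end callback that the question's second approach asks about can be written as a servlet `HttpSessionListener`. The sketch below is an added example, not code from either post; the class `CredentialRegistry`, its `Credentials` holder and the `register`/`lookup` methods are hypothetical names, and it assumes the `javax.servlet` API (Servlet 3.0 or later for `@WebListener`).

```java
import java.util.Arrays;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry: credentials stay on the server, keyed by session id. */
@WebListener
public class CredentialRegistry implements HttpSessionListener {

    /** Hypothetical holder; the password is a char[] so it can be wiped. */
    public static final class Credentials {
        private final String userName;
        private final char[] password;
        Credentials(String userName, char[] password) {
            this.userName = userName;
            this.password = password.clone();
        }
        public String getUserName() { return userName; }
        public char[] getPassword() { return password.clone(); }
        void wipe() { Arrays.fill(password, '\0'); }
    }

    private static final ConcurrentMap<String, Credentials> BY_SESSION =
            new ConcurrentHashMap<>();

    /** Call after a successful login, from any bean that has the HttpSession. */
    public static void register(HttpSession session, String userName, char[] password) {
        Credentials old = BY_SESSION.put(session.getId(), new Credentials(userName, password));
        if (old != null) old.wipe();
    }

    /** Returns null when the session has no entry (not logged in, or already destroyed). */
    public static Credentials lookup(HttpSession session) {
        return BY_SESSION.get(session.getId());
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do: entries are added only by register() after login.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Invoked by the container when the session is invalidated or times out.
        Credentials gone = BY_SESSION.remove(event.getSession().getId());
        if (gone != null) gone.wipe();
    }
}
```

If the application changes the session id after login (`HttpServletRequest.changeSessionId()`, Servlet 3.1), the map key has to be moved as well, which `HttpSessionIdListener` supports.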