Vinay,

> As you suggested, I have upgraded my version of DWR to 2.0RC2,

So can you please test if the CSRF protection now works with Websphere, and report back here? (I guess you have been running with crossDomainSessionSecurity=false lately, so you have to remove that.)

> but I am running into an error that did not occur in 2.0M4b. I have listed the details of the issue here:
> http://www.nabble.com/postHook-behavior-change-in-2.0-RC2--tf3241170.html
> Please suggest a fix.

See my reply in that thread.

> thanks,
> Vinay

Mike Wilson <mikewse-PkbjNfxxIARBDgjK7y7TUQ@xxxxxxxxxxxxxxxx> wrote:

Vinay,

The security fix for Weblogic (and hopefully for Websphere too) has now been added by Joe and made available in 2.0RC2. It would be great if you could try with this version and tell us how it works out!

Best regards
Mike

> -----Original Message-----
> From: Mike Wilson [mailto:mikewse-PkbjNfxxIARBDgjK7y7TUQ@xxxxxxxxxxxxxxxx]
> Sent: 28 December 2006 12:27
> To: users-EyPigyGktj4FDOXUYO6UHQ@xxxxxxxxxxxxxxxx
> Subject: RE: [dwr-user] DWR 2.0 rc1 and WebSphere 6.1= Session Error
>
> Vinay,
>
> > I am using DWR 2.0-rc1 with IBM WebSphere 6.1 and I get
> > "Session Error" alert message when I try to use the debug page to make any DWR
> > calls. Is it a known issue or a configuration problem?
> >
> > The same configuration works fine with Tomcat 5.5.
>
> If you search for "session error" on the mailing list:
> http://www.nabble.com/forum/Search.jtp?forum=13934&local=y&query=%22session+error%22
> you will find posts with similar problems for Weblogic.
>
> The "Session error" means that the call didn't pass DWR's security test for cross-site request forgery (CSRF). On some appservers (Weblogic) this is triggered even for legal calls due to strange handling of the standard JSESSIONID cookie.
>
> You can work around it by setting the servlet parameter crossDomainSessionSecurity to false. See http://getahead.ltd.uk/dwr/server/servlet
>
> I submitted a bugfix that solves the problem for Weblogic a few weeks ago
> http://www.nabble.com/forwardToString-does-not-work-with-Weblogic-8.1-tf2467394.html#a7726070
> and I think my "alternative 2" solution has a high probability to also solve the problem for Websphere. When it becomes available in CVS or RC2 please let us know how it works out for you.
>
> Follow-up to Joe:
> - maybe it would be a good idea to change the "Session error" message into something that gives a hint on what is going on?
> - would it be possible to have my patch put into CVS now that RC1 is out?
>
> Best regards
> Mike
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe-EyPigyGktj4FDOXUYO6UHQ@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help-EyPigyGktj4FDOXUYO6UHQ@xxxxxxxxxxxxxxxx
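The thread above explains the "Session Error" as DWR's CSRF check rejecting a call, why a container that mangles the JSESSIONID cookie trips it on legal calls, and what the crossDomainSessionSecurity=false workaround costs. The following is an added example, not DWR's code or anything from the thread's participants: a small Node.js model of that kind of check. It assumes (as a simplification of DWR's wire format) that the client echoes the container's session id in the POST body as `httpSessionId` and that the server accepts a call only when that value equals the JSESSIONID cookie. The session id, the `!node7` cookie suffix and all requests are constructed for illustration.

```javascript
// Added example (not DWR's own code): a minimal model of the CSRF check that
// a crossDomainSessionSecurity-style setting controls. Assumed protocol: the
// client echoes the container's session id in the POST body as
// "httpSessionId"; the server answers "Session Error" when that value does
// not equal the JSESSIONID cookie the browser sent with the request.

// Parse a "k=v; k2=v2" Cookie header into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Parse a newline-separated "key=value" body (the rough shape of a DWR batch).
function parseBody(body) {
  const out = {};
  for (const line of (body || '').split('\n')) {
    const i = line.indexOf('=');
    if (i > 0) out[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return out;
}

// Returns {ok, reason}. With crossDomainSessionSecurity=false the comparison
// is skipped entirely, which is the workaround discussed in the thread.
function checkSession(request, crossDomainSessionSecurity = true) {
  if (!crossDomainSessionSecurity) {
    return { ok: true, reason: 'check disabled (crossDomainSessionSecurity=false)' };
  }
  const cookieId = parseCookies(request.headers.cookie).JSESSIONID || '';
  const bodyId = parseBody(request.body).httpSessionId || '';
  if (cookieId === '') return { ok: false, reason: 'Session Error: no JSESSIONID cookie' };
  if (bodyId !== cookieId) return { ok: false, reason: 'Session Error: body id does not match cookie' };
  return { ok: true, reason: 'session ids match' };
}

// Constructed sample requests (not captured traffic).
const SESSION = 'A1B2C3D4E5';
const BATCH = 'callCount=1\nhttpSessionId=' + SESSION +
  '\nscriptSessionId=x1\nc0-scriptName=Demo\nc0-methodName=ping';

// 1. Legitimate call from the DWR page: cookie and body carry the same id.
const legitRequest = { headers: { cookie: 'JSESSIONID=' + SESSION }, body: BATCH };

// 2. Cross-site forgery: the browser attaches the cookie automatically, but a
//    page on another origin cannot read it, so the body lacks the right value.
const forgedRequest = {
  headers: { cookie: 'JSESSIONID=' + SESSION },
  body: BATCH.replace('httpSessionId=' + SESSION, 'httpSessionId='),
};

// 3. A container that rewrites the cookie value (the thread reports "strange
//    handling" of JSESSIONID on Weblogic; the "!node7" suffix is an assumed
//    illustration): the page still sees SESSION, the cookie differs, and a
//    legal call trips the check. This is the spurious "Session Error".
const rewrittenCookieRequest = {
  headers: { cookie: 'JSESSIONID=' + SESSION + '!node7' },
  body: BATCH,
};

// Run every scenario with the check on, plus the forgery with the workaround.
function runScenarios() {
  return {
    legit: checkSession(legitRequest).ok,                       // true
    forged: checkSession(forgedRequest).ok,                     // false: CSRF blocked
    rewritten: checkSession(rewrittenCookieRequest).ok,         // false: false positive
    forgedWithWorkaround: checkSession(forgedRequest, false).ok, // true: protection gone
  };
}

console.log(runScenarios());
```

The last scenario is the point of Mike's "you have to remove that": once crossDomainSessionSecurity is false, the rewritten-cookie case stops failing, but so does the forged one, so the workaround trades the false positive for losing the CSRF check altogether.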