Dojo

crossDomainSessionSecurity


#1

Hi Team,
I'm using the DWR framework in my web application.
In web.xml, add the following entry:

<init-param>
    <param-name>crossDomainSessionSecurity</param-name>
    <param-value>false</param-value>
</init-param>

How to validate this feature without server-side code changes?


#2

Can you please clarify what you want to accomplish?


#3

Also read the docs:
http://directwebremoting.org/dwr/documentation/server/configuration/servlet/index.html

Set to false to enable requests from other domains. Note that enabling this can be a significant security risk. See the Wikipedia notes on CSRF for more. Do not set this to false without understanding the consequences.
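
An added example, not part of the original posts and not DWR code: one way to confirm how a deployed `web.xml` sets this parameter without touching server-side code. It assumes DWR's two servlet classes and its documented default of `true`; the sample `web.xml` and its servlet names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# DWR's servlet classes (plain and Spring-integrated).
DWR_SERVLETS = {"org.directwebremoting.servlet.DwrServlet",
                "org.directwebremoting.spring.DwrSpringServlet"}
PARAM = "crossDomainSessionSecurity"

# Constructed sample web.xml; the servlet names are illustrative.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
    <init-param>
      <param-name>crossDomainSessionSecurity</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>dwr-spring</servlet-name>
    <servlet-class>org.directwebremoting.spring.DwrSpringServlet</servlet-class>
  </servlet>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace of any schema version

def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Map each DWR servlet-name to the state of its cross-domain check."""
    report = {}
    for servlet in ET.fromstring(xml_text).iter():
        if (_local(servlet.tag) != "servlet"
                or _text(servlet, "servlet-class") not in DWR_SERVLETS):
            continue
        status = "enabled (default)"  # parameter absent from this servlet
        for param in servlet:
            if _local(param.tag) == "init-param" and _text(param, "param-name") == PARAM:
                value = (_text(param, "param-value") or "").lower()
                # Anything other than true/false is flagged, not guessed at.
                status = {"true": "enabled (explicit)",
                          "false": "DISABLED"}.get(value, "REVIEW: " + value)
        report[_text(servlet, "servlet-name")] = status
    return report

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE))
```

A servlet reported as `DISABLED` accepts DWR calls from other domains, which is the CSRF exposure the documentation quoted above warns about.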


#4

Hi Mikewse,
I have enabled the crossDomainSessionSecurity flag (set to true). This feature is not working in the 3.0.0.RC3 release, but it is working in the 3.0.2 version.
If we migrate from 3.0.0 RC3 to 3.0.2, what are the things we need to take care of?
Please provide me any study materials.
Regards,
Madhu


#5

Hi Mikewse,
I have enabled the crossDomainSessionSecurity flag (set to true). This feature is not working in the 3.0.0.RC3 release, but it is working in the 3.0.2 version.
If we migrate from 3.0.0 RC3 to 3.0.2, what are the things we need to take care of?
Please provide me any study materials, or what things we need to take care of.
Regards,
Madhu


#6

Sorry about the delayed reply!
Apart from probably needing to update Spring if you are using it in your project, the DWR 3.0.0 release notes (see http://dwr.2114559.n2.nabble.com/Announcing-the-official-release-of-DWR-3-0-0-td7581090.html) should be a good indication of what you need to look at:

DWR 3.0 RELEASE NOTES (issues resolved since 3.0 RC3) 
===================================================== 

Potentially Breaking Changes 
---------------------------- 

[DWR-645] - Clean up path configuration options 
[DWR-642] - Remove legacy packages 
[DWR-639] - Simplify destroy event methods 
[DWR-511] - Evaluate ServerLoadMonitors, remove unneeded 
            monitors, solidify monitors we want to keep 

Security fixes 
-------------- 

[DWR-638] - Improve DWRSESSIONID cryptographic strength 
[DWR-632] - Improve CSRF protection to handle more scenarios 

New Features and Improvements 
----------------------------- 

[DWR-648] - Add support for Cache-Control and Expires header 
            handling 
[DWR-647] - Allow customization of DWRSESSIONID cookie 
[DWR-644] - Provide a standard way to specify client-side options 
            before DWR loads (dwrConfig) 
[DWR-643] - Allow remapping of DWR's effective contextPath (for 
            DWRSESSIONID cookie etc) 
[DWR-641] - Offer more access to servlet request from Reverse Ajax 
[DWR-636] - Rename allowGetForSafariButMakeForgeryEasier setting 
[DWR-628] - Add support for Spring Java configurations 
[DWR-587] - add support to > ("Content-Disposition", "inline; 
            filename=") 
[DWR-547] - Update class-mapping documentation to mention 
            automatically generated inheritance scripts 
[DWR-110] - add name (javascript) attribute to DataTransferObject 
            annotation 

Bugfixes 
-------- 

[DWR-649] - Optimizing proxies are removing meta-data in DWR 
            responses 
[DWR-646] - Incoming request attributes should be available to 
            ScriptSessionListener.sessionCreated() 
[DWR-640] - Reverse Ajax polling mode broken 
[DWR-635] - New callbackArg option causing conflict when delegating 
            functions 
[DWR-634] - Auto-filled servlet objects (request, session, etc) in 
            method parameters not matched correctly 
[DWR-631] - FileStoreDownloadManager - encodeFileNameSegment 
[DWR-629] - DefaultCreatorManager throws NullPointerException 
            during destroy of Spring context 
[DWR-627] - IllegalStateException on Jetty 8 and 9 
[DWR-614] - org.springframework.util.ClassUtils.forName(className) 
            has been removed in Spring 4.x 
[DWR-585] - java.io.NotSerializableException: 
            org.directwebremoting.impl.DefaultContainer 
[DWR-554] - Reverse ajax client side timeout is missing 
[DWR-396] - Transfering a file using DWR 3.0 disables the "input" 
            events 
[DWR-378] - Window.dwr access permission denied 
[DWR-352] - Javascript error in engine.js when file input field 
            has no parentNode

#7

Hi Mikewse,
Thank you for updating this information.
You have mentioned that we need to update the Spring version. Why?
In our project we are using the following Spring versions:
Spring-web-4.3.7.RELEASE
Spring-webmvc-4.3.7.RELEASE
Spring-context-4.3.7.RELEASE
Spring-beans-4.3.7.RELEASE
With this version we can migrate to DWR 3.0.0 or DWR 3.0.2?
Please provide details of what things we need to take care of while migrating from dwr-3.0.0.RC3 to dwr-3.0.0 or dwr-3.0.2.

Regards,
Madhu Pudi


#8

I mentioned Spring in case you were using an old version, no problem for you.
Upgrading to DWR 3.0.2 should be seamless unless you use any of the features mentioned under “Potentially Breaking Changes” in the release notes I posted earlier. These are quite specific things so it’s unlikely you are affected. My recommendation is that you upgrade and see how it goes. All 3.0.x releases are compatible unless you hit one of the breaking changes.


#9

Hi Mikewse,
As you suggested, we are migrating from dwr 3.0.0-RC3 to dwr 3.0.0.0-Final.
We are getting the following error for a DWR call:
Apr 06, 2018 11:55:58 AM org.directwebremoting.impl.DefaultCreatorManager getCreator
SEVERE: Class not found: ‘XXXXX’
But in the previous version the same DWR call is working fine.
Please let me know what is causing this issue.

Regards,
Madhu Pudi.


#10

First, to be clear I suggested that you upgrade to the latest version which is 3.0.2.

The error message you refer to is not associated with a failed call. It is printed when you refer to a non-existent DWR interface, typically like <script src="dwr/interface/XXXXX.js">. If you configure your logging to show the Warning level there will be more info printed about known/allowed classes.


#11

Hi Mikewse,
Thank you for your support.
For example, I have 5 modules of DWR. I need to access the DWR interface from module 1 to module 2, and at that time I am getting errors like class not found, because the DWR interface is available in module 2. Please let me know how I can access the module 2 DWR interface in module 1.
How to communicate between modules?

Regards,
Madhu Pudi


#12

I am not making any sense out of your question. I think you should spend more time learning what DWR can do. Read through the docs at http://directwebremoting.org and also download, install and play around with our demo app “dwrdemo.war” from
http://directwebremoting.org/dwr/downloads/index.html

Also, it seems your question no longer has anything to do with crossDomainSecurity. Please start new forum threads with appropriate subjects.