crossDomainSessionSecurity

madhu · February 21, 2018, 12:20pm

Hi Team,
i’m using the DWR frame work in my web application
in web.xml add the following entry :

crossDomainSessionSecurity
false

how to validate this feature with out server side code changes

mikewse · February 28, 2018, 1:26pm

Can you please clarify what you want to accomplish?

mikewse · February 28, 2018, 2:04pm

Also read the docs:
http://directwebremoting.org/dwr/documentation/server/configuration/servlet/index.html

Set to false to enable requests from other domains. Note that enabling this can be a significant security risk. See the Wikipedia notes on CSRF for more. Do not set this to false without understanding the consequences.

madhu · February 28, 2018, 2:12pm

Hi Mikewse,
I have enabled the cross domainsessionsecurity falg is true , This feature is not working in 3.0.0.RC3 release. but it is working 3.0.2 version.
if we migrate from 3.0.0 rc3 to 3.0.2 what are things need to take care it.
Please provide me amy study meterails.
Regards,
Madhu

madhu · March 4, 2018, 11:12am

Hi Mikewse,
I have enabled the cross domainsessionsecurity falg is true , This feature is not working in 3.0.0.RC3 release. but it is working 3.0.2 version.
if we migrate from 3.0.0 rc3 to 3.0.2 what are things need to take care it.
Please provide me amy study meterails or what are the things need to take care it.
Regards,
Madhu

mikewse · March 13, 2018, 7:06pm

Sorry about the delayed reply!
Apart from probably needing to update Spring if you are using it in your project, the DWR 3.0.0 release notes (see http://dwr.2114559.n2.nabble.com/Announcing-the-official-release-of-DWR-3-0-0-td7581090.html) should be a good indication of what you need to look at:

DWR 3.0 RELEASE NOTES (issues resolved since 3.0 RC3) 
===================================================== 

Potentially Breaking Changes 
---------------------------- 

[DWR-645] - Clean up path configuration options 
[DWR-642] - Remove legacy packages 
[DWR-639] - Simplify destroy event methods 
[DWR-511] - Evaluate ServerLoadMonitors, remove unneeded 
            monitors, solidify monitors we want to keep 

Security fixes 
-------------- 

[DWR-638] - Improve DWRSESSIONID cryptographic strength 
[DWR-632] - Improve CSRF protection to handle more scenarios 

New Features and Improvements 
----------------------------- 

[DWR-648] - Add support for Cache-Control and Expires header 
            handling 
[DWR-647] - Allow customization of DWRSESSIONID cookie 
[DWR-644] - Provide a standard way to specify client-side options 
            before DWR loads (dwrConfig) 
[DWR-643] - Allow remapping of DWR's effective contextPath (for 
            DWRSESSIONID cookie etc) 
[DWR-641] - Offer more access to servlet request from Reverse Ajax 
[DWR-636] - Rename allowGetForSafariButMakeForgeryEasier setting 
[DWR-628] - Add support for Spring Java configurations 
[DWR-587] - add support to > ("Content-Disposition", "inline; 
            filename=") 
[DWR-547] - Update class-mapping documentation to mention 
            automatically generated inheritance scripts 
[DWR-110] - add name (javascript) attribute to DataTransferObject 
            annotation 

Bugfixes 
-------- 

[DWR-649] - Optimizing proxies are removing meta-data in DWR 
            responses 
[DWR-646] - Incoming request attributes should be available to 
            ScriptSessionListener.sessionCreated() 
[DWR-640] - Reverse Ajax polling mode broken 
[DWR-635] - New callbackArg option causing conflict when delegating 
            functions 
[DWR-634] - Auto-filled servlet objects (request, session, etc) in 
            method parameters not matched correctly 
[DWR-631] - FileStoreDownloadManager - encodeFileNameSegment 
[DWR-629] - DefaultCreatorManager throws NullPointerException 
            during destroy of Spring context 
[DWR-627] - IllegalStateException on Jetty 8 and 9 
[DWR-614] - org.springframework.util.ClassUtils.forName(className) 
            has been removed in Spring 4.x 
[DWR-585] - java.io.NotSerializableException: 
            org.directwebremoting.impl.DefaultContainer 
[DWR-554] - Reverse ajax client side timeout is missing 
[DWR-396] - Transfering a file using DWR 3.0 disables the "input" 
            events 
[DWR-378] - Window.dwr access permission denied 
[DWR-352] - Javascript error in engine.js when file input field 
            has no parentNode

madhu · March 14, 2018, 6:11am

Hi Mikewse,
Thank you for updating this information .
you have mentioned that need to updated the Spring version why ?,
but in our project we are using following the spring version
Spring-web-4.3.7.RELEASE
Spring-webmvc-4.3.7.RELEASE
Spring-context-4.3.7.RELEASE
Spring-beans-4.3.7.RELEASE
whit this version we can migrate to DWR 3.0.0 or DWR 3.0.2
please provide the details what are things need to take care while migrating from dwr-3.0.0.RC3 to dwr-3.0.0 or dwr-3.0.2

Regards,
Madhu Pudi

mikewse · March 14, 2018, 2:10pm

I mentioned Spring in case you were using an old version, no problem for you.
Upgrading to DWR 3.0.2 should be seamless unless you use any of the features mentioned under “Potentially Breaking Changes” in the release notes I posted earlier. These are quite specific things so it’s unlikely you are affected. My recommendation is that you upgrade and see how it goes. All 3.0.x releases are compatible unless you hit one of the breaking changes.

madhu · April 6, 2018, 7:06am

Hi Mikewse,
as you suggested we are migrating the from dwr 3.0.0-RC3 to dwr 3.0.0.0-Final.
following error is getting for dwr call :
Apr 06, 2018 11:55:58 AM org.directwebremoting.impl.DefaultCreatorManager getCreator
SEVERE: Class not found: ‘XXXXX’
but previous version the same dwr call is working fine .
please let me know what is causing this issue.

Regards,
Madhu Pudi.

mikewse · April 8, 2018, 10:01pm

First, to be clear I suggested that you upgrade to the latest version which is 3.0.2.

The error message you refer to is not associated with a failed call. It is printed when you refer to a non-existent DWR interface, typically like <script src="dwr/interface/XXXXX.js">. If you configure your logging to show the Warning level there will be more info printed about known/allowed classes.

madhu · April 10, 2018, 10:26am

Hi Mikewse,
Thank your support ,
for example i have 5 modules of dwr . need to access the DWR interface from module 1 to module 2, So that time getting error like class not found issues . because the DWR interface is available in module 2 .Please let me know how can access the module 2 DWR interface n module 1
how to communicate inter modules

Regards,
Madhu Pudi

mikewse · April 10, 2018, 10:49am

I am not making any sense out of your question. I think you should spend more time learning what DWR can do. Read through the docs at http://directwebremoting.org and also download, install and play around with our demo app “dwrdemo.war” from
http://directwebremoting.org/dwr/downloads/index.html

Also, it seems your question no longer has anything to do with crossDomainSecurity. Please start new forum threads with appropriate subjects.

Topic		Replies	Views
DWR 3 Javascript wildcard syntax not working	0	804	October 29, 2018
Does http://www.directwebremoting.org/schema/spring-dwr-3.0.xsd accessible	0	684	February 18, 2022
DWR 3.0.2 Upgrade - "Incomplete reply from server" DWR users	0	1634	August 13, 2021
Multi module communication in DWR frame work DWR users	17	3223	May 3, 2018
One module jsp pages calling the other module dwr call DWR users	1	1555	June 7, 2018

crossDomainSessionSecurity

Related Topics