Re: DirectConnect and Security

2019-08-13 Thread Mark Gowdy via Webobjects-dev


> On 12 Aug 2019, at 14:01, Samuel Pelletier  wrote:
> 
> Hi Mark,
> 
> If you want to simulate a WOAdaptor environment and have the app generate 
> static file URL, configure your load balancer to add 
> "x-webobjects-adaptor-version" header like I do using apache reverse proxy:
> 
> RequestHeader set x-webobjects-adaptor-version "1"

It doesn’t look like I can set RequestHeaders within AWS - Application Load 
Balancer.

:-(


> 
> Regards,
> 
> Samuel
> 
> 
>> On 12 Aug 2019, at 06:52, Mark Gowdy via Webobjects-dev 
>> <webobjects-dev@lists.apple.com> wrote:
>> 
>> 
>> 
>>> On 12 Aug 2019, at 10:03, Matthew Ness via Webobjects-dev 
>>> <webobjects-dev@lists.apple.com> wrote:
>>> 
>>> 
>>> 
>>> On Sat, Aug 10, 2019, at 5:54 AM, Mark Gowdy via Webobjects-dev wrote:
>>>> Hi.
>>>> 
>>>> Is anyone aware of any security issues (or other considerations) with 
>>>> Direct Connect mode for a live deployment?
>>>> 
>>>> This will be using the Amazon’s Application Load Balancer.
>>>> And it _might_ mean that I can ditch Apache once and for all :-)
>>>> 
>>>> Thanks, 
>>>> 
>>>> Mark
>>> 
>>> 
>>> Hi Mark,
>>> 
>>> If you are applying a cert to your ALB, then SSL effectively terminates at 
>>> that point and the request is forwarded on to your direct connect EC2 
>>> instances.
>>> I'm not sure what kind of security issues you are envisioning. You should 
>>> hold your EC2 instances' security considerations to the same standard 
>>> whether using Apache over 443 or your app on, say, 5.
>>> To that end, there should be no accessibility outside the above mentioned 
>>> ALB connectivity and some administration bastion host for your terminal 
>>> access.
>>> 
>>> Having said all that, if your application is completely session-less, then 
>>> you're good to go.
>>> 
>>> If you have sessions in your app you still have some problems to overcome.
>>> You can use session affinity (sticky sessions) in ALB/ELB (but not Network 
>>> LB), but be aware they require cookies on the client.
>>> So, you have the sticky sessions working, great! As your load balancer 
>>> horizontally scales out, it's creating EC2 instances running your java app. 
>>> But when your ALB decides to scale _in_, it'll wipe one or more of your EC2 
>>> instances, which could still have active sessions.
>>> So, unless you de-/serialise your Sessions at the start and end of the R-R 
>>> loop and store that somewhere else (db/redis/etc) which your EC2 instances 
>>> would have access to, it may annoy some users. 
>>> Because of proprietary classes in WO, Session serialisation is unsolved and 
>>> inflexible.
>> 
>> Wow..
>> 
>> Thanks for the info.
>> 
>> My apps have session, and I was planning on using sticky sessions with the 
>> AWS’s ALB (Application Load Balancer).  I am aware of the cookie monster :-)
>> 
>> I will be using the ALB with an explicit list of AppServers, so I don’t 
>> _think_ that will be a problem.  There will be no auto-scaling (for now).
>> Basically, I plan to use ALB in the _similar_ way to Apache’s mod_proxy.
>> 
>> I tried session serialisation (in the DB) a long time ago, and it wasn’t an 
>> ideal solution.. I would rather not go there.
>> 
>> I am happy enough with any network security concerns (i.e. nothing within 
>> the VPC can be accessed externally).  The only way in is via the ALB (with 
>> SSL) with SSL redirection rules etc..
>> 
>> My question was mainly around Direct Connect mode in the Application.
>> e.g. I know it accesses the WebServer resources using a full system path in 
>> the URL.
>> But I know in that case it can’t access any files outside of its scope, so 
>> that should be fine.
>> 
>> I just wanted to check if anyone knew of any security ‘gotchas’ I was 
>> unaware of when using DirectConnect.
>> 
>> Thanks, 
>> 
>> Mark
>> 
>>> 
>>> 
>>> Regards,
>>> 
>>> 
>>> -- 
>>> Matt
>>> http://logicsquad.net 
>>> https://www.linkedin.com/company/logic-squad/
>>> ___
>>> Do not post admin requests to the list. They will be ignored.
>>> Webobjects-dev mailing list  (Webobjects-dev@lists.apple.com)
>>> Help/Unsubscribe/Update your Subscription:
>>> https://lists.apple.com/mailman/options/webobjects-dev/mark%40gowdy.co.uk
>>> 
>>> This email sent to m...@gowdy.co.uk
>> 
> 
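
The requirement stated in this thread, that the app servers be reachable only through the ALB plus an administration bastion host, can be checked mechanically. The following is an added example, not code from any poster in the thread: it audits ingress rules in the shape returned by `aws ec2 describe-security-groups`. The group IDs, the app port 8080 and the name `audit_ingress` are constructed placeholders.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and app port 8080 are placeholders, not values from the thread.
ALB_SG = "sg-0000000000000alb"
BASTION_SG = "sg-0000000000bastion"
APP_PORT, SSH_PORT = 8080, 22

SAMPLE_APP_SG = {
    "GroupId": "sg-00000000000000app",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
        # Leftover debugging rule: port range open to any address, bypassing the ALB.
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

def audit_ingress(sg, allowed):
    """Return a finding for each ingress source that `allowed` (port -> group) does not permit."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        label = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"
        # Any CIDR or prefix-list source is a path that avoids the ALB and bastion.
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        findings += [f"{label}: CIDR source {c}" for c in cidrs]
        findings += [f"{label}: prefix list {p['PrefixListId']}" for p in perm.get("PrefixListIds", [])]
        # A group source is accepted only on a single-port TCP rule for its own port.
        single = proto == "tcp" and lo == hi and lo in allowed
        for pair in perm.get("UserIdGroupPairs", []):
            gid = pair.get("GroupId")
            if not (single and allowed[lo] == gid):
                findings.append(f"{label}: unexpected source group {gid}")
    return findings

if __name__ == "__main__":
    allowed = {APP_PORT: ALB_SG, SSH_PORT: BASTION_SG}
    for finding in audit_ingress(SAMPLE_APP_SG, allowed):
        print("FINDING", finding)
```

An empty result means every ingress path goes through the ALB or the bastion; the constructed sample yields one finding for the wide-open port range.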


Re: Dump NSDictionary as JSON structure?

2019-08-13 Thread René Bock via Webobjects-dev
For serializing a NSKeyValue Structure to JSON you may use

https://cliftonlabs.github.io/json-simple/

You may postprocess the result string to get rid of the "class 
com.webobjects.foundation.NSKeyValueCoding$Null" artifacts.




On 13.08.2019 at 13:28, Markus Ruggiero via Webobjects-dev 
<webobjects-dev@lists.apple.com> wrote:

I got the task of maintaining a rather complex WO app. The original developer 
had ideas about keeping tons of data in memory (no idea why). For this he 
created several nested NSDictionary structures to cache data across page 
navigation. You can imagine there being lots of issues when users go back and 
forth through page sequences. Debugging this is a nightmare.

What I want is a method that I can call from anywhere and pass it such a cache 
dict. This method should then create (preferably) a JSON structure (XML, PLIST 
is just too chatty, but would be ok) that I can dump into the log allowing me 
to track that cache in a human readable form while running user interactions. 
Anyone has something or knows of anything that would help me write such a 
method? I didn't spend too much time but I looked at the Wonder frameworks 
quickly - nothing simple jumped out.

Thanks
---markus---



Kind regards

René Bock

--
Phone: +49 69 650096 18

salient GmbH, Lindleystraße 12, 60314 Frankfurt
Main switchboard: 069 / 65 00 96 - 0  |  
www.salient-doremus.de



Re: Dump NSDictionary as JSON structure?

2019-08-13 Thread Hugi Thordarson via Webobjects-dev
Hi Markus,

Check out Gson. I've been using it for a few years and it works great. Simple 
things are simple, but it's also powerful, allowing you to pass in custom 
serializers, customize date formats etc.

Simple example:
String jsonString = new GsonBuilder().create().toJson( someNSDictionary );

Cheers,
- hugi


> On 13 Aug 2019, at 11:28, Markus Ruggiero via Webobjects-dev 
>  wrote:
> 
> I got the task of maintaining a rather complex WO app. The original developer 
> had ideas about keeping tons of data in memory (no idea why). For this he 
> created several nested NSDictionary structures to cache data across page 
> navigation. You can imagine there being lots of issues when users go back and 
> forth through page sequences. Debugging this is a nightmare.
> 
> What I want is a method that I can call from anywhere and pass it such a 
> cache dict. This method should then create (preferably) a JSON structure 
> (XML, PLIST is just too chatty, but would be ok) that I can dump into the log 
> allowing me to track that cache in a human readable form while running user 
> interactions. Anyone has something or knows of anything that would help me 
> write such a method? I didn't spend too much time but I looked at the Wonder 
> frameworks quickly - nothing simple jumped out.
> 
> Thanks
> ---markus---
> 
> 



Dump NSDictionary as JSON structure?

2019-08-13 Thread Markus Ruggiero via Webobjects-dev
I got the task of maintaining a rather complex WO app. The original developer 
had ideas about keeping tons of data in memory (no idea why). For this he 
created several nested NSDictionary structures to cache data across page 
navigation. You can imagine there being lots of issues when users go back and 
forth through page sequences. Debugging this is a nightmare.

What I want is a method that I can call from anywhere and pass it such a cache 
dict. This method should then create (preferably) a JSON structure (XML, PLIST 
is just too chatty, but would be ok) that I can dump into the log allowing me 
to track that cache in a human readable form while running user interactions. 
Anyone has something or knows of anything that would help me write such a 
method? I didn't spend too much time but I looked at the Wonder frameworks 
quickly - nothing simple jumped out.

Thanks
---markus---

