Re: Security bug with application clients? (More Info)

2001-06-13 Thread Michael Jara
"RoleManager.login" for each one... But what a hack that would be.)   Mike   - Original Message - From: Lachezar Dobrev To: Orion-Interest Sent: Wednesday, June 13, 2001 2:31 AM Subject: RE: Security bug with application clients? (More Info)

RE: Security bug with application clients? (More Info)

2001-06-13 Thread Lachezar Dobrev
   Hello.    Here I want to provide more information on the problem.    Just for clarification.      The problem is NOT the security itself. It works just fine.    The problem lies IMHO in caching or something.    It is also seen only in the RMI connection.      EXAMPLE: Consider following

RE: Security bug with application clients?

2001-06-12 Thread Dvornikov Victor
ad of ClientInitialContextFact) - OK. So what's the point? > -Original Message- > From: cybermaster [SMTP:[EMAIL PROTECTED]] > Sent: Wednesday, 13 June 2001 01:20 > To: Or

RE: Security bug with application clients?

2001-06-12 Thread cybermaster
inal Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Endres Sent: Tuesday, June 12, 2001 10:51 AM To: Orion-Interest Subject: Re: Security bug with application clients? > I think maybe I didn't make something clear. I am using a java "application"

Re: Security bug with application clients?

2001-06-12 Thread Tim Endres
> I think maybe I didn't make something clear. I am using a java "application" >client, NOT a web client. As such, I cannot invalidate sessions, make posts, etc. > I will repeat that we have seen that Orion's InitialContext and Principal identity features do not work. They do not work in serv

Re: Security bug with application clients?

2001-06-12 Thread Michael Jara
I think maybe I didn't make something clear.  I am using a java "application" client, NOT a web client.  As such, I cannot invalidate sessions, make posts, etc.   Orion seems to be written primarily as a web app server, and I have seen very little information on using it as a direct applicat

Re: Security bug with application clients?

2001-06-12 Thread Lachezar Dobrev
   WRONG!!!    As I see it... There is nothing in the post, that says SESSION or HTTP or JSP or SERVLET.    I have stumbled upon this problem many times. I've raised that question on this list many times.    However... Except for threads like "Orion deal blah, blah" I hardly see any meaningfu

RE: Security bug with application clients?

2001-06-11 Thread Dvornikov Victor
Don't jump to conclusions. In my limited experience, Orion's authentication is very intelligent and tolerant of user mistakes. For reference you may use the OC4J manual (Oracle app server, see mail list). I recommend reading it carefully. > -Original Message- > From: Michael Ja

RE: Security bug with application clients?

2001-06-11 Thread elephantwalker
it's in the "clean things up" step that something went wrong. You need to do a session.invalidate(), and then create a new guest session with a session.create("true"). Here is the bit in the RequestProcessor of the BluePrint (petstore):     if (event instanceof LogoutEvent) {