Sun Java System Application Server 7 Update 11 Release Notes

Web Container

This section describes the known web container issues, and the associated solutions.

ID / Summary
4740477

The web cache example in the sun-web-app_2_3-0.dtd file gives incorrect syntax for the timeout element.

The example shows the timeout element of an XML cache object written as: <timeout> 60 </timeout>

Because the name attribute is required, it should be written as: <timeout name="foo">60</timeout>

Solution

Do not use with verifier. 

4817642

Allowing separate web applications to share the same session ID creates security weakness.

Solution

According to the J2EE specification, each deployed web application maintains its own separate, unique session objects (session IDs). This is the default behavior of the Sun Java System Application Server. However, in some instances it may be desirable to allow separate web applications to share the same session ID. For this case, the Sun Java System Application Server lets you specify a special deployment property in the sun-web.xml deployment descriptor that tells the application server that this particular application is allowed to reuse session IDs across web application modules. (The first access to a web application generates a new unique session ID. Later requests to other web applications that have this property set use that same session ID instead of generating a new one for this client and this web application.)

To do this, the reuseSessionID property must be set to true for each deployed web application that you want to allow to share the same session object. For example:

<?xml version="1.0" encoding="UTF-8"?>
<sun-web-app>
  <session-config>
    <cookie-properties>
      <property name="cookiePath" value="/" />
      <property name="cookieDomain" value=".sun.com" />
    </cookie-properties>
  </session-config>
  <property name="reuseSessionID" value="true"/>
</sun-web-app>

The property reuseSessionID is set to true in the next-to-last line.

CAUTION: Turning on reuseSessionID opens a potential avenue for a security weakness (though it is not a weakness in and of itself). This property should not be used in a shared environment (such as an ISV) where multiple customers are allowed to run their applications on the same Sun Java System Application Server instance. In such a setting, it is much safer to use the default J2EE behavior of forcing different web applications deployed to the same server instance to use different session objects.
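As an added example (not part of these release notes or of the application server's own code), the following Python script audits a sun-web.xml descriptor for the two points raised in this section: a cache <timeout> element that lacks its required name attribute, and the reuseSessionID property being enabled, which widens session scope across web modules. Both descriptors below are constructed for the example; the nesting of <timeout> under <cache-mapping> is assumed from the DTD rather than taken from the text, and the paths and domain values are illustrative.

```python
"""Audit a sun-web.xml descriptor for two items from the release notes:
an unnamed <timeout> cache element and reuseSessionID=true.
(Added example; the descriptors below are constructed, not from the product.)"""
import xml.etree.ElementTree as ET

# Constructed descriptor: reproduces the reuseSessionID example and adds a
# cache section with one correct and one incorrect <timeout> element.
# The <cache>/<cache-mapping> nesting is assumed from the DTD.
SHARED_SESSION_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<sun-web-app>
  <session-config>
    <cookie-properties>
      <property name="cookiePath" value="/"/>
      <property name="cookieDomain" value=".sun.com"/>
    </cookie-properties>
  </session-config>
  <property name="reuseSessionID" value="true"/>
  <cache>
    <cache-mapping>
      <url-pattern>/catalog/*</url-pattern>
      <timeout name="catalogTimeout">60</timeout>
    </cache-mapping>
    <cache-mapping>
      <url-pattern>/news/*</url-pattern>
      <timeout>120</timeout>
    </cache-mapping>
  </cache>
</sun-web-app>
"""

# Constructed descriptor that keeps the default J2EE behaviour (separate sessions).
DEFAULT_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<sun-web-app>
  <session-config>
    <cookie-properties>
      <property name="cookiePath" value="/app"/>
    </cookie-properties>
  </session-config>
</sun-web-app>
"""


def parse_descriptor(xml_text):
    """Parse descriptor text; feeding bytes keeps the XML declaration meaningful."""
    return ET.fromstring(xml_text.encode("utf-8"))


def unnamed_timeouts(root):
    """Values of <timeout> elements that lack the name attribute the DTD requires."""
    return [(t.text or "").strip() for t in root.iter("timeout") if t.get("name") is None]


def reuses_session_id(root):
    """True when a top-level <property name="reuseSessionID" value="true"/> is present."""
    for prop in root.findall("property"):
        if prop.get("name") == "reuseSessionID":
            return prop.get("value", "").strip().lower() == "true"
    return False


def cookie_domain(root):
    """Value of the cookieDomain cookie property, or None when it is not set."""
    for prop in root.findall("session-config/cookie-properties/property"):
        if prop.get("name") == "cookieDomain":
            return prop.get("value")
    return None


def audit(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    root = parse_descriptor(xml_text)
    findings = []
    for value in unnamed_timeouts(root):
        findings.append(f"<timeout>{value}</timeout> has no name attribute; "
                        f"write it as <timeout name=\"...\">{value}</timeout>")
    if reuses_session_id(root):
        findings.append("reuseSessionID=true: this module accepts session IDs minted by "
                        "other web applications on the same instance; avoid on shared "
                        "(multi-customer) instances")
        domain = cookie_domain(root)
        if domain and domain.startswith("."):
            findings.append(f"cookieDomain={domain}: the shared session cookie is sent "
                            f"to every host under {domain}")
    return findings


if __name__ == "__main__":
    for label, text in (("shared", SHARED_SESSION_DESCRIPTOR), ("default", DEFAULT_DESCRIPTOR)):
        print(f"[{label}]")
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```

Running the script prints three findings for the constructed shared-session descriptor and none for the default one; point `audit()` at the contents of a real deployed sun-web.xml to get the same report for an instance you administer.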

5039545

Sun Java System Application Server sends absolute redirects causing problems with external SSL endpoints.

Solution

Add the sun-web.xml property relativeRedirectAllowed. The default is false. When it is set to true, relative redirects are sent instead of absolute redirects.
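The following Python script is an added example, not code from the release notes or from the application server, showing why an absolute redirect misbehaves when TLS is terminated at an external endpoint and how a relative Location header avoids the problem. It assumes that with the default (absolute) behaviour the server builds the Location URL from the scheme and host of its own listener, and that with relativeRedirectAllowed=true it sends only the path; the external host name, internal host name and paths are constructed values.

```python
"""Compare absolute and relative redirects as seen by a client that reached the
application server through an external SSL endpoint. Added example; the server
listener and browser URL below are constructed values."""
from urllib.parse import urljoin, urlsplit


def location_header(target_path, server_scheme, server_host, relative_redirect_allowed):
    """Location value the server would emit for a redirect to target_path.
    Assumption: the absolute form uses the scheme and host of the server's own
    listener; the relative form (relativeRedirectAllowed=true) is the path alone."""
    if relative_redirect_allowed:
        return target_path
    return f"{server_scheme}://{server_host}{target_path}"


def browser_destination(browser_url, location):
    """URL the client ends up at: Location resolved against the URL it requested."""
    return urljoin(browser_url, location)


def stays_on_external_endpoint(browser_url, location):
    """True when the redirect keeps the client on the scheme and host it started on."""
    start = urlsplit(browser_url)
    end = urlsplit(browser_destination(browser_url, location))
    return (start.scheme, start.netloc) == (end.scheme, end.netloc)


def compare(browser_url, target_path, server_scheme, server_host):
    """Outcome of both settings for one redirect, keyed by the property value."""
    result = {}
    for allowed in (False, True):
        loc = location_header(target_path, server_scheme, server_host, allowed)
        result[allowed] = {
            "location": loc,
            "destination": browser_destination(browser_url, loc),
            "stays_on_endpoint": stays_on_external_endpoint(browser_url, loc),
        }
    return result


if __name__ == "__main__":
    # Constructed scenario: TLS terminated at www.example.com, app server on plain HTTP inside.
    outcome = compare("https://www.example.com/shop/login", "/shop/cart",
                      "http", "appserver.internal:8080")
    for allowed, info in outcome.items():
        print(f"relativeRedirectAllowed={str(allowed).lower()}: Location: {info['location']}")
        print(f"  browser goes to {info['destination']} "
              f"(stays on external endpoint: {info['stays_on_endpoint']})")
```

With the default setting the client is sent to the internal plain-HTTP host name, which is the failure the issue describes; with the relative form the browser resolves the path against the https URL it already holds and stays on the external endpoint.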