Comments on entrepreneurial musings: Adobe Flex + J2EE Security - Mismatched SessionID!...

Hi subhash, It was fairly simple. I created a wr...

2009-06-05T06:04:56.938-04:00

Hi subhash,

It was fairly simple. I created a wrapper class around a ConcurrentHashMap that exposed three static methods: put, get and expire. Passing an object to put would return a unique key, which could later be used to retrieve that object. From there, get and expire worked just like Map's get and remove.

So, I used it like this. When the user hit the servlet the first time (to load the upload page), I had the right sessionId and thus the right user. So, I stored the user in the class above and got a key to fetch it later. I then passed this key to my flex app, which would return the key as part of the multi-part upload with the file. Then I'd just look up the user by key, instead of relying on the incorrect the sessionId that came with the file upload.

Ryan, What is the other single token approach tha...

2009-06-05T05:51:05.686-04:00

Ryan,

What is the other single token approach that you follow? I am trying to integrate this into an existing application.

Never figured one out... I ended up implemented an...

2008-12-26T17:49:00.000-05:00

Never figured one out... I ended up implemented an alternative authentication system to use just for this problem that was based on single-use tokens. I don't know what application server you use, but you'd have to enable session tracking via url parameter for the method you tried to work. From what I know, Tomcat and Glassfish, at least, don't look for the session ID in the url by default.

Hi, you have posted a problem...so what is the sol...

2008-12-25T10:57:00.000-05:00

Hi, you have posted a problem...so what is the solution for this one...I am also facing the same problem...even I have passed JSESSIONID in URL...like this -> var request:URLRequest = new URLRequest(FILE_UPLOAD_URL + ";JSESSIONID=" + Application.application.parameters.jsessionid);