slash dev slash null

stuff about puters

Month: May, 2014

The Secure Remote Password Protocol

The recent Heartbleed debacle had me remember a project a decade ago where the version of weblogic was upgraded but the script failed to deploy the matching version of the apache plugin. Fortunately we contracted a pen test firm who threw a load of custom perl script attacks at the site before we let the public in. They found that the error responses being thrown back to the attack scripts were just like Heartbleed; raw chunks of memory containing whatever was passing through the web server after having been decrypted. Read the rest of this entry »

OpenID Authentication with Socko Webserver

In my last post we took a look at Immutable Session State in Scala. That outlined an immutable SessionState data structure suitable to wrap in an Actor running in the mighty yet diminutive Socko Web Server.  In this post we will pick up where we left off and use the SessionState data structure wrapped in an Actor to implement user registration with openid4java. Read the rest of this entry »

Immutable Session State in Scala

In the servlet world the HttpSession object is a workhorse which few developers could live without. Recently I have been taking a hard look at Socko a minimal webserver which does not come with a session object.

“What!?” I hear you cry “Why would you use a webserver on the JVM that forgot to implement the J2EE standard HttpSession???”. Well Socko is a fresh look at what a JVM webserver needs to be in the age of REST, Websockets and Actors. If you need to write an Actor back-end exposed as websockets to a single-page/mobile app do you really need a HttpSession as a separate concept? Are not Actors sufficient to encapsulate user session state? Read the rest of this entry »