search

miaoyf / javamelody

Automatically exported from code.google.com/p/javamelody
0 stars 0 forks source link

Monitoring Page not accessible if sessionids are used inside the URL #451

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
What steps will reproduce the problem?
1. Disable Cookies for SessionIds in the Servlet Container
2. Log on to the application and access the monitoring url with the jsessionid 
appended to it.

What is the expected output? What do you see instead?
The Monitoring page should be shown. But the MonitoringFilter does not handle 
the request.

What version of the product are you using? On what application server, JDK,
operating system?
I'm using version 1.54.0 on a embedded tomcat 7.0.54. JDK 1.8 on Windows 7.

Please provide any additional information below.

The problem is on line 166 in the MonitoringFilter. httpRequest.getRequestURI() 
returns the URI with appended ;jsessionid=FOO. So it does not match the 
monitoring URL as the sessionid is missing here.

if (httpRequest.getRequestURI().equals(getMonitoringUrl(httpRequest))) {
    doMonitoring(httpRequest, httpResponse);
    return;
}

Unfortunately it is not possible to override the getMonitoringUrl Method 
because it is marked as final. It would be the best to strip the sessionId from 
the requestURI.

Original issue reported on code.google.com by daniel.f...@gmail.com on 22 Dec 2014 at 1:02

GoogleCodeExporter commented 8 years ago 
First, you should note that disabling session cookies could cause a security 
problem, by leaking session id.
For example:
http://seckb.yehg.net/2012/06/httponly-session-id-in-url-and-page.html

If you don't care about that security problem, then a workaround to this issue 
would be to add the javamelody ReportServlet in your webapp. For this, just add 
the following in the WEB-INF/web.xml file of your webapp:
    <servlet>
        <servlet-name>monitoringServlet</servlet-name>
        <servlet-class>net.bull.javamelody.ReportServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>monitoringServlet</servlet-name>
        <url-pattern>/monitoring</url-pattern>
    </servlet-mapping>

You can change the url-pattern above to anything you want, provided that you 
use the same path in your browser to access the reports.

Original comment by evernat@free.fr on 22 Dec 2014 at 2:17

GoogleCodeExporter commented 8 years ago 
We are aware of the problem with session ids in URLs. But we use them in 
combination with a security token inside a HttpOnly cookie. So an attacker 
would need both, the session id from the url and the token from the cookie, to 
access our page.

Thanks for the hint with the ReportServlet. It works now.

Maybe this Servlet could be documented somewhere? I searched in the user guide 
and user guide advanced for ReportServlet but did not find anything.

Original comment by daniel.f...@gmail.com on 24 Dec 2014 at 6:44

GoogleCodeExporter commented 8 years ago 
I have now documented the ReportServlet at:
https://code.google.com/p/javamelody/wiki/UserGuideAdvanced#Using_a_servlet_to_d
isplay_the_monitoring_reports

(And I will not change the code, to strip possible sessionIds from the 
requestUri, because I think that it is a very rare case and it's better to keep 
performance overhead as low as possible.)

Original comment by evernat@free.fr on 10 Jan 2015 at 7:10