The recent Heartbleed debacle reminded me of a project a decade ago where the version of WebLogic was upgraded but the script failed to deploy the matching version of the Apache plugin. Fortunately we had contracted a pen test firm who threw a load of custom Perl script attacks at the site before we let the public in. They found that the error responses being thrown back to the attack scripts were just like Heartbleed: raw chunks of memory containing whatever was passing through the web server after it had been decrypted.
In the servlet world the HttpSession object is a workhorse which few developers could live without. Recently I have been taking a hard look at Socko, a minimal web server which does not come with a session object.
“What!?” I hear you cry. “Why would you use a web server on the JVM that forgot to implement the J2EE standard HttpSession???” Well, Socko is a fresh look at what a JVM web server needs to be in the age of REST, WebSockets and Actors. If you need to write a back end exposed over WebSockets to a single-page or mobile app, do you really need an HttpSession as a separate concept? Furthermore, wasn’t HTTP supposed to be stateless?