SRP6ServerSession should implement Serializable

Issue #3 resolved
Vladimir Dzhuvinov created an issue

The Serializable interface is required to save the SRP session to a servlet session.

Case submitted by Daniele Grasso:


Between the two normal roundtrips of SRP (I had a servlet for each) I had to maintain the state of the SRP session. The only problem is that I needed to work on Google App Engine, where everything you put in the HttpSession must implement the Serializable interface, due to distribution reasons. So I couldn't just put the whole SRP6ServerSession object there, and even inheritance doesn't help. I also tried to somehow extract the internal state, in particular the random private values of a and b, but the internal state is declared private in your implementation. On BC these things were in protected variables, so I extended the object and added a getSrpContext() method that exports them in a SrpServerContext object (just a bean with the values I want to store in the session) and a setSrpContext() that imports them.


Comments (4)

  1. Bernard Wittwer

    Hello, I am also facing the same issue when deploying on a clustered environment. I had a look and I would say that having SRP6ServerSession implement Serializable would require either extracting the MessageDigest out of the SRP6ServerSession or changing it to get a new instance each time it is needed (MessageDigest is the only member that is not serializable). I don't think it would be a performance issue to get a new instance of the message digest when needed compared to the overhead that would be required to get it out of the session instance. What do you think of this approach? I have made a working sample in a fork here. Are you open to reviewing a pull request? Thank you, Best Regards, Bernard.

  2. Connect2id OSS

    Hi,

    In a product of ours we serialise the server session manually to a JSON object.

    A merge request will be appreciated.

    Cheers,

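The approach described in the first comment, sketched as an added example (not code from the library or from the fork mentioned there): a hypothetical `SrpStateDemo` class stores only the hash algorithm name and obtains a fresh `MessageDigest` each time one is needed, so the object survives Java serialization. The class, field and method names and the sample values are assumptions made for illustration.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Hypothetical stand-in for the server session state; not the library's class.
public class SrpStateDemo implements Serializable {
    private static final long serialVersionUID = 1L;

    private final String hashAlgorithm; // keep the name, not a MessageDigest field
    private final String userID;
    private final BigInteger b;         // server private value: it ends up in the
    private final BigInteger B;         // serialized form, so protect the session store

    SrpStateDemo(String hashAlgorithm, String userID, BigInteger b, BigInteger B) {
        this.hashAlgorithm = hashAlgorithm;
        this.userID = userID;
        this.b = b;
        this.B = B;
    }

    // MessageDigest is not Serializable, so a new instance is created per use.
    private MessageDigest newDigest() {
        try {
            return MessageDigest.getInstance(hashAlgorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unsupported hash: " + hashAlgorithm, e);
        }
    }

    byte[] hashPublicValue() {
        return newDigest().digest(B.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, far too small for real SRP.
        SrpStateDemo before = new SrpStateDemo("SHA-256", "alice",
                BigInteger.valueOf(1234567), BigInteger.valueOf(7654321));
        byte[] h1 = before.hashPublicValue();

        // Round trip through Java serialization, as a distributed HttpSession would do.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(before);
        }
        SrpStateDemo after;
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            after = (SrpStateDemo) in.readObject();
        }
        System.out.println(after.userID + ": hash matches after round trip = "
                + Arrays.equals(h1, after.hashPublicValue()));
    }
}
```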