New DWR Releases

Hot from the oven today are 2 new DWR releases: version 1.1.4 and version 2.0rc2. Download them now.

The release candidate for version 2 contains a decent set of bug fixes including once that several people found annoying - our new CSRF protection confused WebLogic. WebLogic does some fairly funky things with the JSESSIONID security cookie for some reason that I don't understand yet, so reading the value of the cookie using request.getCookie("JSESSIONID") (not the literal code, but close enough) will get you a different result from using request.getRequestedSessionId(). Does anyone know why?

Both 2.0rc2 and 1.1.4 contain 2 security related fixes. It was possible to craft special requests that would evade the <exclude> mechanism for denying access to functions or to perform a large number of requests that could cause an out of memory exception, which could in turn affect other processes.

We got fixes out for both issues less than 24 hours after we found out about them so while I'm not pleased that we needed to fix anything, I think we did a good job in being responsive.

Posted by Joe Walker 4 Jan 2007

Comments

Comments have been turned off on old posts

Projects

GCLI is a web developers command-line that's being used in Firefox Developer Tools, and alongside Ace

DOM Template is an experimental DOM template engine with some nice features like asynchronous layout

CSS Doctor is an experiment into how we can improve the CSS telemetry in a browser

DWR is a Java library that enables Java on the server and JavaScript in a browser to interact and call each other as simply as possible