tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: SessionListener
Date Tue, 02 Dec 2003 14:23:08 GMT

Howdy,
Yes, now you got it ;)  It's these simple misunderstandings that often
cause a lot of debate.  As a bonus, your approach will work very well in
any J2EE container.

You may not have to do any custom coding, just the JDBC realm.

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: Hart, Justin [mailto:JHart@sfa.com]
>Sent: Tuesday, December 02, 2003 9:22 AM
>To: Tomcat Users List
>Subject: RE: SessionListener
>
>How will the container get my user logged into the database?  My plan was
>to use the username & password to authenticate to my database so the user
>only operates with their perms in the database.  My original approach was
>through realm, but this left the problem of figuring out which user was
>tied to which session.
>
>D'oh!
>
>Nevermind, damnit...  I spent a week doing this, and I figured it out.
>
>I wanted to use session ID, which I don't have in the realm, instead, I use
>their principal!  The principal isn't unique to the session... but it
>doesn't need to be, in fact, it's BETTER if it isn't, because then if the
>same user logs in multiple times, it will share a database connection,
>meaning I open fewer database connections (of which there are a limited
>pool).
>
>Ok, so my realm implementation will authenticate to the database, the JSP
>will use the userprincipal to pair the authenticated user to their
>connection... better yet, the hash, so it's a bit more optimal.
>
>*SLAPS FOREHEAD!*
>
>Justin
>
>-----Original Message-----
>From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com]
>Sent: Tuesday, December 02, 2003 9:13 AM
>To: Tomcat Users List
>Subject: RE: SessionListener
>
>
>
>Howdy,
>
>>Basic authentication.  I figured it wouldn't be hard with Form
>>authentication, but I'm using basic in order to match the look and feel of
>>the rest of the site.
>
>OK, so you have basic authentication. Do you have a security-constraint
>defined in web.xml?  A login-config?  You can let tomcat do the
>authentication for you, and then use the HttpServletRequest methods
>(getRemoteUser, getUserPrincipal, isUserInRole).  This is a standard,
>easy, portable way, and you don't have to write any custom tomcat code.
>Your webapp will not have access to the user's password, but you won't
>need it either since the container will authenticate it for you.
>
>Does that fill your needs?
>
>Yoav Shapira
>
>>
>>Yeah, saw the same problem with Basu's implementation, though I did like
>>the idea.
>>
>>Justin
>>
>>-----Original Message-----
>>From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com]
>>Sent: Tuesday, December 02, 2003 9:00 AM
>>To: Tomcat Users List
>>Subject: RE: SessionListener
>>
>>
>>
>>Howdy,
>>Senor Basu, your solution is seriously not thread-safe.  But that's for
>>you to worry about it, maybe it's good enough for your needs ;)
>>
>>As for Senor Hart's questions:
>>- HttpSessionListener goes in web.xml, as do all other Servlet
>>Specification listeners.
>>- SessionListener goes in server.xml, as do all other Tomcat-specific
>>listeners.
>>
>>SessionListener is not tied to HttpSessionListener or HttpSession
>>directly.  You have to do a series of casts.  The event object in the
>>SessionListener's SessionEvent is a catalina-specific Session
>>implementation.  It will also implement the HttpSession interface.  So
>>you can get from one to another by casting, but it's ugly (as is the
>>whole SessionListener solution).
>>
>>Let's step back a minute: you have this whole hassle because you want
>>the user's password.  You want the user's password in order to
>>authenticate the user.  But with the getUserPrincipal approach, the user
>>is already authenticated if the Principal is not null.  Alternatively,
>>if you have some input screen where the user enters the username and
>>password, grab them there instead of from the session.  I think what's
>>missing here is the big picture: tell us what you're trying to do, what
>>authentication mechanism you're using, and let's forget about the
>>tomcat-specific hacks for a minute ;)
>>
>>Yoav Shapira
>>Millennium ChemInformatics
>>
>>
>>>-----Original Message-----
>>>From: Atreya Basu [mailto:atreya@greenfieldresearch.ca]
>>>Sent: Monday, December 01, 2003 4:37 PM
>>>To: Tomcat Users List
>>>Subject: Re: SessionListener
>>>
>>>Hi,
>>>
>>>Here is how I use the HttpSessionListener.
>>>
>>>First I create a Class that implements HttpSessionListener:
>>>package com.gri.web;
>>>import javax.servlet.http.*;
>>>public class MySessionListener implements HttpSessionListener
>>>{
>>>    // Shared by every session and request thread, with no synchronization
>>>    private static int num_sessions = 0;
>>>    private static HttpSession session = null;
>>>
>>>    public void sessionCreated(HttpSessionEvent se)
>>>    {
>>>        num_sessions++;
>>>        session = se.getSession(); // remember the most recently created session
>>>    }
>>>    public void sessionDestroyed(HttpSessionEvent se)
>>>    { num_sessions--; }
>>>    public static int getNumSessions() { return num_sessions; }
>>>    public static HttpSession getLastSession() { return session; }
>>>}
>>>
>>>Now include this in the web.xml for your context (directly after
>>>filter&filter-mapping but before Servlet element):
>>>
>>><listener>
>>>  <listener-class>com.gri.web.MySessionListener</listener-class>
>>></listener>
>>>
>>>now all you have to do is create a JSP:
>>><jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">
>>><jsp:directive.page import="com.gri.web.*" />
>>><html>
>>><body>
>>><jsp:text>Last user in session: </jsp:text>
>>><jsp:expression>
>>>MySessionListener.getLastSession().getAttribute("j_username")
>>></jsp:expression>
>>><jsp:text>Username of current person </jsp:text>
>>><jsp:expression>
>>>session.getAttribute("j_username")
>>></jsp:expression>
>>></body>
>>></html>
>>></jsp:root>
>>>
>>>Hart, Justin wrote:
>>>
>>>>Ok, still, I haven't found any documentation on how to add a
>>>>SessionListener in the server.xml file, and adding one using the listener
>>>>tags defined for web.xml files doesn't seem to work.
>>>>
>>>>I also haven't seen how to get a user's credentials from a HttpSession, or
>>>>how to get a Session from an HttpSessionListener.  Could you throw me a
>>>>bone?
>>>>
>>>>Justin
>>>>
>>>>-----Original Message-----
>>>>From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com]
>>>>Sent: Monday, December 01, 2003 2:52 PM
>>>>To: Tomcat Users List
>>>>Subject: RE: SessionListener
>>>>
>>>>
>>>>
>>>>Howdy,
>>>>A SessionListener of the org.apache.catalina variety would go in the
>>>>same place as all tomcat-specific features:
>>>>$CATALINA_HOME/conf/server.xml.  That means the class specified there
>>>>must be accessible to the server classloaders, i.e. must reside in
>>>>common/lib or higher on the classloader hierarchy.
>>>>
>>>>The above is true for Valves, Realms, Listeners, etc, that are
>>>>proprietary to tomcat.
>>>>
>>>>Yoav Shapira
>>>>Millennium ChemInformatics
>>>>
>>>>
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: Hart, Justin [mailto:JHart@sfa.com]
>>>>>Sent: Monday, December 01, 2003 11:53 AM
>>>>>To: Tomcat Users List
>>>>>Subject: RE: SessionListener
>>>>>
>>>>>Ok, so, the listener in there must implement HttpSessionListener, where can
>>>>>I use SessionListeners?
>>>>>
>>>>>Justin
>>>>>
>>>>>-----Original Message-----
>>>>>From: Hart, Justin
>>>>>Sent: Monday, December 01, 2003 11:34 AM
>>>>>To: Tomcat Users List (E-mail)
>>>>>Subject: SessionListener
>>>>>
>>>>>
>>>>>My SessionListener doesn't seem to be firing, any help?
>>>>>
>>>>>I have a SessionListener that I want to go off when a user authenticates to
>>>>>my web app (this is a correct usage, right?)
>>>>>
>>>>>So, in the web.xml of my app, I would put the lines:
>>>>>
>>>>><web-app>
>>>>>	<listener>
>>>>>		<listener-class>
>>>>>			the class
>>>>>		</listener-class>
>>>>>	</listener>
>>>>></web-app>
>>>>>
>>>>>This should fire off when the user signs in to the page, correct?
>>>>>
>>>>>Justin
>>>>>
>>>>>---------------------------------------------------------------------
>>>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>>>
>>>>This e-mail, including any attachments, is a confidential business
>>>>communication, and may contain information that is confidential,
>>>>proprietary and/or privileged.  This e-mail is intended only for the
>>>>individual(s) to whom it is addressed, and may not be saved, copied,
>>>>printed, disclosed or used by anyone else.  If you are not the(an) intended
>>>>recipient, please immediately delete this e-mail from your computer system
>>>>and notify the sender.  Thank you.
>>>
>>>--
>>>____________________________________
>>>Developer
>>>Greenfield Research Inc.
>>>atreya(AT)greenfieldresearch(DOT)ca
>>>(902)422-9426
>>>
>>>


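Added example, not part of the original thread or any poster's code: a thread-safe variant of the session-counting listener discussed above. It keeps no shared HttpSession reference (so one user's session is never handed to another request) and reads the user from the request via getUserPrincipal, as the replies suggest. The package and class names are hypothetical, and it assumes Java 8+ with the javax.servlet API on the classpath.

```java
package com.example.web; // hypothetical package, not from the thread

import java.security.Principal;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Counts live sessions without sharing any HttpSession between threads. */
public class SafeSessionCounter implements HttpSessionListener {

    // Atomic counter: concurrent container threads cannot lose an update,
    // unlike ++/-- on a plain static int.
    private static final AtomicInteger ACTIVE = new AtomicInteger();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        ACTIVE.incrementAndGet();
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Clamp at zero: a session that existed before this listener was
        // registered can still be destroyed.
        ACTIVE.updateAndGet(n -> n > 0 ? n - 1 : 0);
    }

    public static int getNumSessions() {
        return ACTIVE.get();
    }

    /**
     * Name of the user the container authenticated for this request, or
     * null when the request is unauthenticated. The identity comes from the
     * request itself, never from a static field shared across users.
     */
    public static String currentUser(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        return (p == null) ? null : p.getName();
    }
}
```

Register it with a `<listener>` element in web.xml, as for any HttpSessionListener.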