tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Akoulov, Alexandre [IT]" <alexandre.akou...@citigroup.com>
Subject RE: problem: Session invalidation in the servlet accessed via foreign context
Date Mon, 23 May 2005 05:52:40 GMT
Thanks again, Steve, for your time.

I am not trying to share sessions between different apps. I just want to ensure that when
we're programmatically accessing web application in the different context it can do its own
session management (ie invalidate / create new ones)

-----Original Message-----
From: Steve Kirk [mailto:tomcat-user@web-startup.co.uk]
Sent: Monday, 23 May 2005 11:52 AM
To: 'Tomcat Users List'
Subject: RE: problem: Session invalidation in the servlet accessed via
foreign context 



I'm not sure why you think there is a problem with invalidation.  I'm no
expert, but I'm not sure that I would expect the code below to work, because
by default, servlets must not share sessions between webapps, and you are
asking that a client request to one context is passed to another, and still
the session data is available.  Withouht single sign-on, I would have
thought that sessions will not be shared.

I've just flipped through the 2.4 servlet spec.  Section SRV.7.3 says
something very specific about your scenario, as follows: "if a servlet uses
the RequestDispatcher to call a servlet in another Web application, any
sessions created for and visible to the servlet being called must be
different from those visible to the calling servlet."

I appreciate that you are also saying that v3/v4 behaved differently - but
are you sure that the config of those versions was not different, perhaps
they were configured to share sessions (single sign-on)?  I'm not sure on
the detail of earlier versions of the servlet spec, but perhaps session
behaviour was defined differently in previous versions.  You could find out
with a google search, or maybe someone else will answer....

> -----Original Message-----
> From: Akoulov, Alexandre [IT] 
> [mailto:alexandre.akoulov@citigroup.com] 
> Sent: Monday 23 May 2005 01:29
> To: Tomcat Users List
> Subject: RE: problem: Session invalidation in the servlet 
> accessed via foreign context 
> 
> 
> Thanks a lot, Steve, for your reply.
> 
> No, I am not using SingleSignOn neither hoping to share the 
> same session across contexts.
> 
> The only thing I was testing is that I could invalidate and 
> then create a new session in different scenarios. 
> 
> I ran the test with the java debugger and could observe that 
> when invalidating/creating a session in ForeignContextServlet 
> it in fact did not create a new session and left us with the 
> reference to old (ie invalidated) session after line No.3.
> 
> My next step is start looking into the tomcat source code to 
> try to work out what's happening. Do you think it's best way 
> to approach this issue?
> 
> 
> Thanks again,
> 
> Alex.
> 
> -----Original Message-----
> From: Steve Kirk [mailto:tomcat-user@web-startup.co.uk]
> Sent: Monday, 23 May 2005 10:18 AM
> To: 'Tomcat Users List'
> Subject: RE: problem: Session invalidation in the servlet accessed via
> foreign context 
> 
> 
> 
> I'm not sure I fully understand this issue, but seeing as 
> no-one else seems
> to have replied yet, maybe a few Qs might help you work through it:
> 
> Are you hoping that both contexts will share their sessions?
> 
> Are you using the SingleSignOn feature in server.xml?
> 
> When you say that ForeignContextServlet does not create a new session
> object, are you explicitly testing that within 
> ForeignContextServlet itself,
> or from a servlet in another context (e.g. DebuggerServlet)?  i.e. is
> null==session after step 3?
> 
> You say that the session is invalid/null after line 2, but 
> have you tested
> that it was valid/non-null before line 2?
> 
> > -----Original Message-----
> > From: Akoulov, Alexandre [IT] 
> > [mailto:alexandre.akoulov@citigroup.com] 
> > Sent: Monday 23 May 2005 00:43
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: problem: Session invalidation in the servlet 
> > accessed via foreign context 
> > 
> > 
> > Hi all,
> > 
> > I'd greatly appreciate if you could shed a ray of light on 
> > the following problem ( see below)
> > 
> > 
> > 
> > -----Original Message-----
> > From: Akoulov, Alexandre [IT] 
> > Sent: Friday, 20 May 2005 11:15 AM
> > To: Tomcat Users List
> > Subject: problem: Session invalidation in the servlet accessed via
> > foreign context 
> > 
> > 
> > Hi all,
> > 
> > It seems that there is a problem with session invalidation in 
> > tomcat5.0. Please refer to the explanation below:
> > 
> > 
> > 1. HttpSession session = req.getSession(true); // get 
> > existing user session or create one if does not exist
> > 2. session.invalidate(); // invalidate user session         
>          
> > 3. session = req.getSession(true); // create a new session ( 
> > ie a valid session)                                       
> >                                        
> > The above three lines of code are commonly used to invalidate 
> > the user session and then create a new one. Tomcat implements 
> > this behaviour by creating a new session object in line No.3.
> > However, in tomcat5.0 implementation (5.0.28) when the above 
> > code is accessed via foreign context it does not create a new 
> > session object and therefore a session is still invalid after 
> > lineNo.3 is executed. The following code demonstrates the 
> > problem:                                      
> >                                        
> >                                        
> > // servlet that runs in the same tomcat instance but in a 
> > different context to DebuggerServlet's context
> > public class ForeignContextServlet extends HttpServlet {
> >      public void doGet(HttpServletRequest req, 
> > HttpServletResponse res) 
> >          throws ServletException, IOException {
> >          
> >          HttpSession session = req.getSession(true);
> >          
> >          session.invalidate();                                  
> >          session = req.getSession(true); // 
> > !!!!!!PROBLEM!!!!!!!!!! does NOT create a new session when 
> > accessed via foreign context's dispatcher              
> >      }
> > }
> > 
> > 
> > // servlet that accesses ForeignContextServlet via foreign 
> > context's dispatcher
> > public class DebuggerServlet extends HttpServlet {
> >     public void doGet(HttpServletRequest req, 
> > HttpServletResponse res) 
> >         throws ServletException, IOException {             
> >         
> >         ServletContext ctx = getServletContext();
> >         
> >         // dispatch the request to the servlet in a 
> different context 
> >         ServletContext foreignContext = 
> > ctx.getContext("/AccessCommon");    
> >         
> > foreignContext.getRequestDispatcher("/foreignContextServlet").
> > include(req, res);
> >     }
> > }                                       
> >                                        
> > Such behaviour is only observed in tomcat 5.0 (have not tried 
> > on tomcat5.5); tomcat3 and tomcat4 do create new session 
> > objects in lineNo.3
> > 
> > 
> > I greatly appreciate your comments on this issue.
> > 
> > 
> > Kind regards,
> > 
> > Alex.
> >                                        
> >                                 
> > 
> > 
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > 
> > 
> > 
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > 
> > 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message