tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lynckmeister <lync...@gmx.de>
Subject Re: Tomcat Realm Auto-Relogin after Session-Timeout Problem
Date Wed, 11 Feb 2009 14:32:11 GMT

dear christoph, hope that this is not private now , i was sure, that i sent
the last one also to the list... anyway ... 

again thanks for you help ... 
i copied now all the gode as desired and hope that this will help ;) 





>ou won't really be able to tell if the user is "coming" from the login
>page. The best you can do is to detect that the session is not in a
>proper state - by checking for some key in the session. I'm just trying
>to be clear.

no i dont case all i want is to relogin without after crash if a timeout
happens...


>You have to do your checking in a Filter so that it occurs /before/ the
>servlet handles the request. Otherwise, you'd have to re-write a LOT of
>your application to check for proper session state before doing whatever
>it is your servlet needs to do.

yes that sounds logical to me ....but were is the right point ...;) 



>Exactly where?




Im writing this in a Sigelton bean wich is initialized via spring with the
postconstruct 
paramenter. it seems that this is to late, what do you suggest ? maybe a
special filter would be a better place?


like the following : 

@PostConstruct
	public void SNUserSingletonInit() {

session.setAttribute("ISVALID",test);

}



to give you an idea , where in the activity chain we are I send you the
callstack wich is shown if I set a breakboint the the codeline wich setts
the session-key:


SNUserSessionUtil.SNUserSingletonInit() line: 53	
NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not
available [native method]	
NativeMethodAccessorImpl.invoke(Object, Object[]) line: 39	
DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 25	
Method.invoke(Object, Object...) line: 597	
InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(Object) line:
297	
InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(Object,
String) line: 250	
CommonAnnotationBeanPostProcessor(InitDestroyAnnotationBeanPostProcessor).postProcessBeforeInitialization(Object,
String) line: 144	
DefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).applyBeanPostProcessorsBeforeInitialization(Object,
String) line: 350	
DefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).initializeBean(String,
Object, RootBeanDefinition) line: 1329	
DefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).doCreateBean(String,
RootBeanDefinition, Object[]) line: 471	
AbstractAutowireCapableBeanFactory$1.run() line: 409	
AccessController.doPrivileged(PrivilegedAction<T>, AccessControlContext)
line: not available [native method]	
DefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).createBean(String,
RootBeanDefinition, Object[]) line: 380	
AbstractBeanFactory$2.getObject() line: 302	
SessionScope(AbstractRequestAttributesScope).get(String, ObjectFactory)
line: 43	
SessionScope.get(String, ObjectFactory) line: 90	
DefaultListableBeanFactory(AbstractBeanFactory).doGetBean(String, Class,
Object[], boolean) line: 298	
DefaultListableBeanFactory(AbstractBeanFactory).getBean(String, Class,
Object[]) line: 185	
DefaultListableBeanFactory(AbstractBeanFactory).getBean(String) line: 164	
DefaultListableBeanFactory.findAutowireCandidates(String, Class,
DependencyDescriptor) line: 671	
DefaultListableBeanFactory.resolveDependency(DependencyDescriptor, String,
Set, TypeConverter) line: 610	
AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(Object,
String, PropertyValues) line: 412	
InjectionMetadata.injectFields(Object, String) line: 105	
AutowiredAnnotationBeanPostProcessor.postProcessAfterInstantiation(Object,
String) line: 240
and so on...





>It's possible that the framework is interfering, but unlikely. Can you
>send the code for your SessionTimeoutFilter as well as the configuration
>from web.xml for /all/ of your filters? Remember to remove any sensitive
>information.

Ok here comes the the code please have a look at the incode comments...

public class SessionTimeoutFilter implements Filter {

	private final Log logger = LogFactory.getLog(SessionTimeoutFilter.class);

	private String timeoutPage = "timeout.html";

	public void init(FilterConfig filterConfig) throws ServletException {
	}

	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain filterChain) throws IOException, ServletException {

		if ((request instanceof HttpServletRequest)
				&& (response instanceof HttpServletResponse)) {
			HttpServletRequest httpServletRequest = (HttpServletRequest) request;
			HttpServletResponse httpServletResponse = (HttpServletResponse) response;
			
			
			// is session expired control required for this request?
			if (isSessionControlRequiredForThisResource(httpServletRequest)) {
				String requestedID = httpServletRequest.getRequestedSessionId();
				
				// is session invalid?
				HttpSession session = httpServletRequest.getSession();
				String sID = session.getId();
				String nochmalID = httpServletRequest.getQueryString();
				
				// ok this is allways false , means the session is allways valid. sure
it is, but its a new one ! 
				boolean isSessionInValid = (requestedID != null)&&
!httpServletRequest.isRequestedSessionIdValid();
				Object testObject = session.getAttribute("ISVALID");
				
				// here I tried some things... the isSessionInValid flag doesnt help b/c
the session is allways valid
				// the testObject is allways null b/c if the user comes from the
loginpage the user is not set in the first time
				// with the code like this, we're allways redirected in an constant
loop.
				// besides that I think redirection is not the right way to handle , I
mean, 
				// i feel the right solution would recognize that the session is not in
a proper state and than 
				// delete the request wich allways causes in that crash. but how? and
wich restored information exactly is the wrong one ?
				if (testObject == null /*&& isSessionInValid*/ ) {
					String timeoutUrl = httpServletRequest.getContextPath()
							+ "/" + getTimeoutPage();
					logger
							.info("session is invalid! redirecting to timeoutpage : "
									+ timeoutUrl);

					httpServletResponse.sendRedirect(timeoutUrl);
					return;
				}
			}
		}
		
		filterChain.doFilter(request, response);
		System.out.println("test Request");
	}

	/**
	 * 
	 * session shouldn't be checked for some pages. For example: for timeout
	 * page.. Since we're redirecting to timeout page from this filter, if we
	 * don't disable session control for it, filter will again redirect to it
	 * and this will be result with an infinite loop...
	 */
	private boolean isSessionControlRequiredForThisResource(
			HttpServletRequest httpServletRequest) {
		String requestPath = httpServletRequest.getRequestURI();

		boolean controlRequired =
!StringUtils.contains(requestPath,getTimeoutPage());

		return controlRequired;
	}

	
	
	public void destroy() {
	}

	public String getTimeoutPage() {
		return timeoutPage;
	}

	public void setTimeoutPage(String timeoutPage) {
		this.timeoutPage = timeoutPage;
	}



the web xml : 



<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.5"
 xmlns="http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
 <!-- Use for facelets  -->
 <context-param>
  <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
  <param-value>.xhtml</param-value>
 </context-param>
 <!-- Special Debug Output for Development -->
 <context-param>
  <param-name>facelets.DEVELOPMENT</param-name>
  <param-value>false</param-value>
 </context-param>
 <!-- -->
 <context-param>
  <param-name>facelets.SKIP_COMMENTS</param-name>
  <param-value>true</param-value>
 </context-param>
 <!-- context-param>
 	<param-name>facelets.BUFFER_SIZE</param-name>
 	<param-value>10000</param-value>
 </context-param -->
 <context-param>
  <param-name>facelets.REFRESH_PERIOD</param-name>
  <param-value>0</param-value>
 </context-param>
 <context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
 </context-param>
 <context-param>
  <param-name>javax.faces.CONFIG_FILES</param-name>
  <param-value>/WEB-INF/faces-config.xml</param-value>
 </context-param>
 <context-param>
  <param-name>com.sun.faces.verifyObjects</param-name>
  <param-value>false</param-value>
 </context-param>
 <context-param>
 
<param-name>javax.faces.PARTIAL_STATE_SAVING_DISPATCH_EVERY_TIME</param-name>
  <param-value>false</param-value>
 </context-param>
 <context-param>
  <param-name>facelets.LIBRARIES</param-name>
  <param-value>/WEB-INF/myproject.taglib.xml;</param-value>
 </context-param>
 <!-- Vladi  -->
 <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/applicationContext.xml</param-value>
 </context-param>
 <!--  filter>
  <filter-name>HibernateFilter</filter-name>
  <filter-class>de.we.myproject.hibernate.HibernateFilter</filter-class>
 </filter 
 Filter zur Überprufung des Logins 
  filter>
  <filter-name>myproject-Auth-Filter</filter-name>
  <filter-class>de.we.myproject.Util.AuthFilter</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>myproject-Auth-Filter</filter-name>
  <url-pattern>/pages/*</url-pattern>
 </filter-mapping 
  filter-mapping>
  <filter-name>HibernateFilter</filter-name>
  <url-pattern>*.jsf</url-pattern>
 </filter-mapping 
 Using bei Richfaces  -->
 <context-param>
  <param-name>org.richfaces.SKIN</param-name>
  <param-value>myproject</param-value>
 </context-param>
 <!--Richfaces has a few parsers onboard. The default one is based on Tidy,
but it is quite slow. 
 The Neko parser is faster and can be used by setting the following
context-param’
 Fast Filter which is based on nekko parser requires nekkohtml.jar and
xersesimpl.jar in your classpath. As this filter wasn't default for A4j and
later RF - 
 these jars arent included to distribution. Download it and put in your
classpath.-->
 <context-param>
  <param-name>org.ajax4jsf.xmlparser.ORDER</param-name>
  <param-value>TIDY,NEKO</param-value>
 </context-param>
 <!--  param-value>NEKO</param-value -->
 <context-param>
  <param-name>org.ajax4jsf.xmlparser.TIDY</param-name>
  <param-value>/pages/announcement/notif_1.xhtml, 
        	/pages/announcement/notif_1_search.xhtml,
        	/pages/announcement/mynotif.xhtml, 
        	/pages/gatgets/show_gatgets.xhtml, 
        	/pages/gatgets/my_gatgets.xhtml,
        	/pages/profile/profile_results.xhtml,
        	/pages/profile/profile_results_2.xhtml,
        	/pages/profile/show_profile_friends.xhtml,
        	/pages/profile/show_profile_trophies.xhtml,
        	/pages/profile/show_profile_groups.xhtml,
        	/pages/profile/show_profile_photoAlbums.xhtml,
        	/pages/myNetwork/addressbook_1.xhtml,
        	/pages/myNetwork/1_search.xhtml,
        	/pages/myNetwork/addressbook_2.xhtml,
        	/pages/myNetwork/addressbook_3.xhtml,
        	/pages/groups/searchgroup.xhtml,
        	/pages/groups/mygroupmessage.xhtml,
        	/pages/groups/mygroup.xhtml,
        	/pages/groups/updateGroup1.xhtml,
        	/pages/fotoAlbum/myPhotoAlbum.xhtml,
        	/pages/fotoAlbum/photoAlbums.xhtml,
        	/pages/messages/posteingang.xhtml,
        	/pages/messages/postausgang.xhtml,
        	/pages/appointment/appointment.xhtml,
        	/pages/appointment/myAppointment.xhtml</param-value>
 </context-param>
 <context-param>
  <param-name>org.ajax4jsf.xmlparser.NEKO</param-name>
  <param-value>.*\..*</param-value>
 </context-param>
 <!--  The following declaration allows to load only one integrated style
sheet file.
	   The integrated style sheet contains style for all shipped components. 
	   The skinnability feature still works.
	   The "DEFAULT" value is a classical on-demand variant.
	   The "NONE" stops loading the styles at all.
	   The earlier introduced plain skin resets all color and font parameters
to null. 
	   The "NONE" value for org.richfaces.LoadStyleStrategy means that
predefined 
	   styles for RichFaces are not used.  -->
 <context-param>
  <param-name>org.richfaces.LoadScriptStrategy</param-name>
  <param-value>none</param-value>
 </context-param>
 <!-- Orchastra Optional 
 filter>
    <filter-name>frameworkAdapterFilter</filter-name>
   
<filter-class>org.apache.myfaces.orchestra.frameworkAdapter.basic.BasicFrameworkAdapterFilter</filter-class>
  </filter>

  <filter>
    <filter-name>requestParameterFilter</filter-name>
   
<filter-class>org.apache.myfaces.orchestra.requestParameterProvider.RequestParameterServletFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>frameworkAdapterFilter</filter-name>
    <url-pattern>*.jsf</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>requestParameterFilter</filter-name>
    <url-pattern>*.jsf</url-pattern>
  </filter-mapping -->
 <context-param>
  <param-name>org.ajax4jsf.VIEW_HANDLERS</param-name>
  <param-value>com.sun.facelets.FaceletViewHandler</param-value>
 </context-param>
 <filter>
  <display-name>RichFaces Filter</display-name>
  <filter-name>richfaces</filter-name>
  <filter-class>org.ajax4jsf.Filter</filter-class>
  <init-param>
   <param-name>forceparser</param-name>
   <param-value>false</param-value>
  </init-param>
  <init-param>
   <param-name>enable-cache</param-name>
   <param-value>true</param-value>
  </init-param>
  <init-param>
   <param-name>maxRequestSize</param-name>
   <param-value>1250000</param-value>
  </init-param>
  <init-param>
   <param-name>createTempFiles</param-name>
   <param-value>false</param-value>
  </init-param>
 </filter>
 <!-- filter-mapping>
  <filter-name>SessionTimeoutFilter</filter-name>
  <url-pattern>*.jsf</url-pattern>
 </filter-mapping-->
 <filter>
  <filter-name>springRequestContextFilter</filter-name>
 
<filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
 </filter>
 <filter>
  <filter-name>SessionTimeoutFilter</filter-name>
  <filter-class>de.we.myproject.util.SessionTimeoutFilter</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>richfaces</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
 </filter-mapping>
 <filter-mapping>
  <filter-name>springRequestContextFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
 </filter-mapping>
 <filter-mapping>
  <filter-name>SessionTimeoutFilter</filter-name>
  <url-pattern>*.jsf</url-pattern>
 </filter-mapping>
 <listener>
  <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
 </listener>
 <!-- Using bei Spring -->
 <listener>
 
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>
 <!-- Orchestra -->
 <listener>
 
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
 </listener>
 <listener>
 
<listener-class>org.apache.myfaces.orchestra.conversation.servlet.ConversationManagerSessionListener</listener-class>
 </listener>
 <!--Anfang  Session Time Out -->
 <listener>
  <listener-class>de.we.myproject.util.MySessionListener</listener-class>
 </listener>
 <!-- Faces Servlet -->
 <servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
 </servlet>
 <!-- Faces Servlet 
  servlet>
<servlet-name>SourceCodeServlet</servlet-name>
<servlet-class>
	org.apache.myfaces.shared_tomahawk.util.servlet.SourceCodeServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet 
 servlet mapping 
  servlet-mapping>
<servlet-name>SourceCodeServlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping -->
 <servlet>
  <servlet-name>ConfirmServlet</servlet-name>
  <servlet-class>de.we.myproject.util.UserConfirm</servlet-class>
 </servlet>
 <servlet-mapping>
  <servlet-name>ConfirmServlet</servlet-name>
  <url-pattern>/confirm/*</url-pattern>
 </servlet-mapping>
 <!-- Faces Servlet Mapping -->
 <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>*.jsf</url-pattern>
 </servlet-mapping>
 <session-config>
  <session-timeout>1</session-timeout>
 </session-config>
 <!--End  Session Time Out -->
 <welcome-file-list>
  <welcome-file>/index.html</welcome-file>
  <!--  welcome-file>/index.xhtml</welcome-file -->
 </welcome-file-list>
 <error-page>
 
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
  <location>/login_error.html</location>
 </error-page>

 <!-- orchestraFilter -->
 <filter>  
   <filter-name>orchestraFilter</filter-name>
  
<filter-class>org.apache.myfaces.orchestra.conversation.jsf.filter.OrchestraServletFilter
   </filter-class>       
    <init-param>              
     <param-name>serializeRequests</param-name>            
     <param-value>true</param-value>        
     </init-param>  
     </filter>
     
  <filter-mapping>
        <filter-name>orchestraFilter</filter-name>
        <url-pattern>*.jsf</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
 
 <!-- test  -->
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Geschuetzter Bereich</web-resource-name>
   <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>kunde</role-name>
   <role-name>premiumkunde</role-name>
   <role-name>superuser</role-name>
   <role-name>user</role-name>
   <role-name>premiumuser</role-name>
   <role-name>admin</role-name>
  </auth-constraint>
 </security-constraint>
 <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
   <form-login-page>/login.jsf</form-login-page>
   <form-error-page>/login_error.jsf</form-error-page>
  </form-login-config>
 </login-config>
 <security-role>
  <role-name>kunde</role-name>
 </security-role>
 <security-role>
  <role-name>premiumkunde</role-name>
 </security-role>
 <security-role>
  <role-name>superuser</role-name>
 </security-role>
 <security-role>
  <role-name>guest</role-name>
 </security-role>
 <security-role>
  <role-name>premiumGuest</role-name>
 </security-role>
 <security-role>
  <role-name>admin</role-name>
   <!--user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint-->
 </security-role>
 


 
</web-app>
	



thank again for reading all the stuff chris , 


cheers

filip






-- 
View this message in context: http://www.nabble.com/Tomcat-Realm-Auto-Relogin-after-Session-Timeout-Problem-tp21938671p21956226.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message