From Christopher Schultz <>
Subject Re: Tomcat Realm Auto-Relogin after Session-Timeout Problem
Date Tue, 10 Feb 2009 20:28:54 GMT

On 2/10/2009 12:34 PM, lynckmeister wrote:
> I have the problem that if my session times out I've been redirected to the
> login page (from the secured area). If I re-login, I get some null-pointer
> exceptions in my application (first the orchestra framework has a problem).

This is not surprising, as your session state has most likely been
reset. If you want users to be able to resume their sessions after a
session timeout, you need to provide enough information in the request
to either restore the session state, or to indicate to the user that
they need to start their process over after the re-login.

> I investigated, and it seems to be the problem that the realm stores the
> request of the original call. If the user re-logs in now, the first request
> seems to be substituted.

Correct. This follows section 12.5.3 of the servlet specification:

When a user attempts to access a protected web resource, the container
checks the user’s authentication. If the user is authenticated and
possesses authority to access the resource, the requested web resource
is activated and a reference to it is returned. If the user is not
authenticated, all of the following steps occur:

1. The login form associated with the security constraint is sent to the
client and the URL path triggering the authentication is stored by the
2. The user is asked to fill out the form, including the username and
password fields.
3. The client posts the form back to the server.
4. The container attempts to authenticate the user using the information
from the form.
5. If authentication fails, the error page is returned using either a
forward or a re-direct, and the status code of the response is set to 200.
6. If authentication succeeds, the authenticated user’s principal is
checked to see if it is in an authorized role for accessing the resource.
7. If the user is authorized, the client is redirected to the resource
using the stored URL path.

> In my session filter, I'm trying to check if the
> session is invalid, but it's not, because there is already a new valid session
> after login.

Instead of checking for a non-null session, maybe you should check for
an object that you put in there -- something like SESSION_IS_VALID.
Tomcat will definitely create the new session for you, but it won't
store any attributes in there, so you can always add your own.

This is what we do in our application. On each request, we look for an
object in the session attributes called "USER". If it's in there, we do
nothing and let the request proceed as usual. If it's not in there, we
perform a formal "login", get user preferences from the database, etc.
and stuff them into the session. Then, we allow the request to proceed
as usual.

> Is there a possibility to affect this behavior, so that the realm just leads me
> to the login page and nothing more?

See above. Maybe that technique will work for you.

-chris
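The marker-attribute technique Chris describes, as an added Java example (not code from the original thread or from Tomcat): a filter that decides whether application state has been loaded by looking for a "USER" attribute instead of testing the session for null. The filter class, the UserState stand-in for the database lookup, and the /wizard/ and /start paths are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter mapped behind the FORM-protected area. */
public class SessionStateFilter implements Filter {
    static final String USER_ATTR = "USER";            // marker attribute from the reply
    static final String WORKFLOW_PREFIX = "/wizard/";  // assumed multi-step area

    /** Stand-in for the application's per-user state (normally loaded from the DB). */
    static class UserState {
        final String name;
        UserState(String name) { this.name = name; }
        static UserState load(String name) { return new UserState(name); } // hypothetical lookup
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal principal = request.getUserPrincipal();
        if (principal == null) {             // container auth has not run for this path
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(true);
        if (session.getAttribute(USER_ATTR) == null) {
            // Fresh container session (first login, or re-login after a timeout):
            // the session object is non-null, but our own state is gone. Rebuild
            // the per-user part from durable storage and mark the session.
            session.setAttribute(USER_ATTR, UserState.load(principal.getName()));
            if (request.getServletPath().startsWith(WORKFLOW_PREFIX)) {
                // The container is replaying the stored URL into a multi-step flow
                // whose in-progress state was lost: restart it rather than NPE.
                response.sendRedirect(request.getContextPath() + "/start");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```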