tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Do objects in session always need to be serializable?
Date Thu, 21 Apr 2011 14:07:04 GMT

On 4/20/2011 1:43 PM, Mukarram Baig wrote:
> To clarify, the application is
> not being defined as being distributable in my web.xml.

Okay, so Tomcat will not enforce the must-be-serializable rule, then.
Note that you can have an object that implements Serializable but is
still not actually serializable if you don't follow all the
serialization rules.

> The exceptions that
> I am seeing here are not at webapp restarts (we basically have very
> infrequent application restarts and we can afford to lose out on the user
> sessions in these scenarios) but during the normal running of the
> application.

Which exceptions? NPEs or NotSerializableException?

Please post stack traces of both exceptions.

> Chris, you have mentioned a very interesting point that one should do
> null-checks when accessing session objects. I was not quite able to
> understand the reason why this is so?

Because the session can be re-created at any time. Consider this scenario:

1. User logs in and navigates to a web page. This web page needs session
information to display itself (use your imagination).

2. User explicitly logs out, then hits BACK on their browser.
   Or, if you prefer, their session times out due to inactivity.

3. User re-loads the page.

4. If you are using container-managed authentication, the user will be
   assigned a new session and then asked to provide their credentials,
   and upon successful login they will be redirected back to the page
   in step #1 (and #3).

5. Your software tries to access an object in the session to display
   the page. This object isn't there anymore because of the session
   timeout, so you get an NPE.

> Thanks in advance again!
> P.S.: I am subscribed via the digest option and didn't know how quite to
> reply to a thread, so apologies if this opens up a new thread :) BTW, why do
> we not have a web interface for this?

Yeah, digest is kind of a pain since your replies will go "to the list"
and not be tied to any one thread. Just subscribe to the list and put
the messages into a folder or something. You can delete anything you
don't care about.

Web interface? Try Nabble or any one of the other web-based mailing-list
interfaces. They work fine with this list. You can start a holy war on a
mailing list asking why it's not web-based, so let's just drop it. :)

-chris
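
An added example (not part of the original message and not Tomcat code) for the remark above that a class can implement Serializable and still not be serializable, and for why session-held state should be null-checked. The class names are hypothetical, and the round trip through plain JDK object streams is an assumed stand-in for session persistence.

```java
import java.io.*;

public class SessionSerializationCheck {
    // Hypothetical helper that is NOT Serializable (stands in for a connection, logger, ...).
    static class PriceService {
        int priceOf(String sku) { return 42; }
    }

    // Declares Serializable, but one field's type is not: writing the object fails.
    static class BrokenCart implements Serializable {
        private static final long serialVersionUID = 1L;
        String user = "alice";
        PriceService prices = new PriceService();
    }

    // Same data, with the non-serializable field marked transient so it is skipped.
    static class FixedCart implements Serializable {
        private static final long serialVersionUID = 1L;
        String user = "alice";
        transient PriceService prices = new PriceService();
        // transient fields come back null after deserialization: check and re-create.
        PriceService prices() {
            if (prices == null) prices = new PriceService();
            return prices;
        }
    }

    // Serializes and deserializes an object entirely in memory.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            roundTrip(new BrokenCart());
        } catch (NotSerializableException e) {
            // The message names the class of the offending field.
            System.out.println("BrokenCart failed on: " + e.getMessage());
        }
        FixedCart restored = (FixedCart) roundTrip(new FixedCart());
        System.out.println("transient field after restore: " + restored.prices);
        System.out.println("re-created on access: " + restored.prices().priceOf("sku-1"));
    }
}
```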