tomcat-users mailing list archives

From Thomas Rohde <...@ordix.de>
Subject AW: Manager activeSessions and customized error page
Date Mon, 14 May 2012 13:44:07 GMT
-----Original Message-----
From:	Konstantin Kolinko <knst.kolinko@gmail.com>
Sent:	Mon 14.05.2012 15:00
Subject:	Re: Manager activeSessions and customized error page
To:	Tomcat Users List <users@tomcat.apache.org>; 
> 2012/5/14 Thomas Rohde <tro@ordix.de>:
> > Hi!
> >
> > I configured the Manager's maxActiveSessions attribute in context.xml. If the
> > configured value is exceeded an IllegalStateException "createSession: Too many
> > active sessions" is thrown in ManagerBase class. In our application we catch
> > this exception around httpServletRequest.getSession(true) and redirect to a
> > customized error page. Works!
> >
> > Now I activated form based authentication via security constraint in web.xml.
> > If I try to open the web application with my browser by sending the first
> > request, the response is empty (status 200 OK).
> >
> > Is there any way to map a static customized error page in this scenario?
> >
> 
> It depends on where ErrorReportValve is in the request processing
> chain in your situation. There were several changes to that (read:
> fixes) in different Tomcat 7.0.x versions. You did not write which
> version you use.

Sorry! I tested with 7.0.8.

> 
> If it is reproducible in latest 7.0.27, feel free to create a bug
> report and attach a simple sample web application + steps to
> reproduce.
> 
> It might be that it is already reproducible with the standard example
> app [1], but I have not tried.
> 
> [1] http://localhost:8080/examples/jsp/security/protected/index.jsp

Now I tried with the standard example and 7.0.27. I get the default 500 error page. Would
be great to have a possibility to distinguish between this error and any other error.

> 
> > If not: Is there any other approach to limit the number of sessions?
> 
> I think it is possible with a Filter, Valve or with a SessionListener.
> It should also be possible with a custom o.a.c.Manager.
> YMMV.

A Filter was my first approach. But the filter is invoked after authentication has taken place.
And for authentication a session is needed. ;-)

A HttpSessionListener is invoked AFTER a session is created.

It seems that every approach has some ugly pitfalls. :(

> 
> Best regards,
> Konstantin Kolinko
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 

Thomas
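
The Valve approach mentioned in the thread, as an added example (not code from either poster or from the Tomcat project): a valve that runs ahead of the authenticator and refuses session-less requests with a 503 once the Manager's limit is reached, so the condition is distinguishable from a generic 500. The class name, package and Retry-After value are hypothetical; it assumes Tomcat 7 (`javax.servlet`), a Manager that extends `ManagerBase`, and that the valve is declared on the Context or Host.

```java
package example.valves; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.Manager;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.session.ManagerBase;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical valve: turns "too many active sessions" into a 503 before authentication runs. */
public class SessionLimitValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Context context = request.getContext();
        Manager manager = (context == null) ? null : context.getManager();

        // Only requests without a valid session can cause a new one to be created,
        // so clients that already hold a session are never turned away here.
        if (manager instanceof ManagerBase && request.getSession(false) == null) {
            int limit = ((ManagerBase) manager).getMaxActiveSessions();

            // -1 means "no limit" in the Manager configuration.
            if (limit >= 0 && manager.getActiveSessions() >= limit) {
                // Constructed value: tell well-behaved clients when to retry.
                response.setHeader("Retry-After", "60");
                response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                        "Too many active sessions");
                return; // do not pass the request on to the authenticator
            }
        }

        // This check is not atomic with session creation: two requests can pass it
        // at the same time. maxActiveSessions in ManagerBase stays the hard limit.
        getNext().invoke(request, response);
    }
}
```

Because the valve answers with a distinct status code, an `<error-page>` entry for 503 in web.xml should be able to serve a static page for this case only. Note that every session-less request is refused while the limit is reached, including requests for unprotected resources.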
