tomcat-users mailing list archives

From Thomas Rohde <>
Subject AW: Manager activeSessions and customized error page
Date Mon, 14 May 2012 13:44:07 GMT
-----Original Message-----
From: Konstantin Kolinko <>
Sent: Mon 14.05.2012 15:00
Subject: Re: Manager activeSessions and customized error page
To: Tomcat Users List <>;
> 2012/5/14 Thomas Rohde <>:
> > Hi!
> >
> > I configured the Manager's maxActiveSessions attribute in context.xml. If the
> > configured value is exceeded an IllegalStateException "createSession: Too many
> > active sessions" is thrown in ManagerBase class. In our application we catch
> > this exception around httpServletRequest.getSession(true) and redirect to a
> > customized error page. Works!
> >
> > Now I activated form based authentication via security constraint in web.xml.
> > If I try to open the web application with my browser by sending the first
> > request, the response is empty (status 200 OK).
> >
> > Is there any way to map a static customized error page in this scenario?
> >
> It depends on where ErrorReportValve is in the request processing
> chain in your situation. There were several changes to that (read:
> fixes) in different Tomcat 7.0.x versions. You did not write which
> version you do use.

Sorry! I tested with 7.0.8.

> If it is reproducible in latest 7.0.27, feel free to create a bug
> report and attach a simple sample web application + steps to
> reproduce.
> It might be that it is already reproducible with the standard example
> app [1], but I have not tried.
> [1] http://localhost:8080/examples/jsp/security/protected/index.jsp

Now I tried with the standard example and 7.0.27. I get the default 500 error page. It would
be great to have a possibility to distinguish between this error and any other error.

> > If not: Is there any other approach to limit the number of sessions?
> I think it is possible with a Filter, Valve or with a SessionListener.
> It should also be possible with a custom o.a.c.Manager.

A Filter was my first approach. But the filter is invoked after authentication has taken place.
And for authentication a session is needed. ;-)

An HttpSessionListener is invoked AFTER a session is created.

It seems that every approach has some ugly pitfalls. :(

> Best regards,
> Konstantin Kolinko
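A sketch of the Valve approach suggested in the thread, added here as an example and not code from either poster or from Tomcat: it refuses sessionless requests with a 503 once the cap is reached, so the condition can be mapped to its own error page. The class name `SessionCapValve`, the `maxSessions` attribute and the error page path are hypothetical, and it assumes the valve is declared in the application's context.xml and runs ahead of the authenticator, which should be verified on the Tomcat version in use.

```java
// Added example, not Tomcat's own code. SessionCapValve and maxSessions are hypothetical names.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Manager;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Rejects requests that carry no valid session once the context already
 * holds maxSessions active sessions. Requests with a valid session pass.
 * Note: this also turns away sessionless requests that would never have
 * created a session (for example static resources).
 *
 * Assumed wiring (context.xml):
 *   <Valve className="SessionCapValve" maxSessions="100"/>
 * Assumed web.xml mapping, so this condition gets its own page:
 *   <error-page><error-code>503</error-code>
 *               <location>/too-many-sessions.html</location></error-page>
 */
public class SessionCapValve extends ValveBase {

    private int maxSessions = -1; // -1 disables the cap

    public void setMaxSessions(int maxSessions) { this.maxSessions = maxSessions; }
    public int getMaxSessions() { return maxSessions; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Manager manager = (request.getContext() == null)
                ? null : request.getContext().getManager();

        // getSession(false) never creates a session, so this check cannot
        // itself trigger "Too many active sessions".
        boolean hasSession = request.getSession(false) != null;

        if (maxSessions >= 0 && manager != null && !hasSession
                && manager.getActiveSessions() >= maxSessions) {
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                    "Too many active sessions");
            return; // stop before the rest of the pipeline runs
        }
        // The check is not atomic with session creation; the Manager's own
        // maxActiveSessions remains the hard limit.
        getNext().invoke(request, response);
    }
}
```

Valve classes are loaded by Tomcat's own class loader, so the compiled class belongs in `$CATALINA_BASE/lib` rather than in the web application's `WEB-INF/lib`.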