I use Liferay 6.2 GA4 portal on WebLogic server 10.3.6.0 and I found out one annoying problem.
I log in as UserA.
Display portlet which stores data to portlet session.
I log out.
I log in as UserB.
Display the same portlet which stores data to portlet session.
Portlet shows data of UserA instead of UserB.
I added by ext-plugin some debug log messages to com.liferay.portal.kernel.servlet.PortletSessionListenerManager and com.liferay.portal.kernel.servlet.PortletSessionTracker and found out that session (sessionId) passed to the PortletSessionTracker.add method is different than one passed to invalidate method. See log messages below:
2016-01-28 10:38:34,191 [PortletSessionTracker:40] Adding session with id=4s6HmE3LdwWuUdOilk7-ytJLqJh1LnCiTKzoeH9YVSBM2USJuxU9
2016-01-28 10:40:38,875 [PortletSessionListenerManager:187] Destroying session with id=S4qHmPDaSTLkwkmEo6gDLt4W0U-siGlU_GNa1LJelXTtQvSaRyEd
2016-01-28 10:40:38,875 [PortletSessionTracker:73] Removing session with id=S4qHmPDaSTLkwkmEo6gDLt4W0U-siGlU_GNa1LJelXTtQvSaRyEd
session.invalidate(); in com.liferay.portal.kernel.servlet.PortletSessionTracker#invalidate is not called.
There is no error in the portlet, because on Tomcat it works OK. And on Tomcat session.invalidate(); is called.
Weblogic.xml:
<weblogic-web-app
xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.2/weblogic-web-app.xsd"
>
<jsp-descriptor>
<keepgenerated>true</keepgenerated>
<page-check-seconds>60</page-check-seconds>
</jsp-descriptor>
<session-descriptor>
<debug-enabled>true</debug-enabled>
<persistent-store-type>replicated_if_clustered</persistent-store-type>
<cookie-secure>true</cookie-secure>
</session-descriptor>
<container-descriptor>
<filter-dispatched-requests-enabled>false</filter-dispatched-requests-enabled>
<prefer-application-packages>
<package-name>antlr.*</package-name>
<package-name>com.ctc.wstx.*</package-name>
<package-name>org.antlr.*</package-name>
<package-name>org.apache.commons.lang.*</package-name>
<package-name>org.mozilla.*</package-name>
<package-name>org.xmlpull.*</package-name>
</prefer-application-packages>
<optimistic-serialization>true</optimistic-serialization>
<show-archived-real-path-enabled>true</show-archived-real-path-enabled>
</container-descriptor>
<context-root>/</context-root>
<wl-dispatch-policy>ejbtp_liferay</wl-dispatch-policy>
</weblogic-web-app>
Does anybody know what could be the problem? Thanks for any idea or help.
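The symptom in the log messages above (a session id is added to the tracker, but a different id is destroyed and removed) can be checked mechanically. This is an added example, not part of the original post and not Liferay code; the log lines are constructed in the format of the debug messages above, with short made-up ids.

```python
import re

# Matches the custom debug messages shown in the question.
EVENT = re.compile(
    r"\[(?P<src>\w+):\d+\] (?P<verb>Adding|Destroying|Removing) "
    r"session with id=(?P<sid>\S+)"
)

# Constructed sample: portletA1 is tracked but never removed, portalX9 is
# removed without ever having been tracked, portletB2 is handled correctly.
SAMPLE_LOG = """\
2016-01-28 10:38:34,191 [PortletSessionTracker:40] Adding session with id=portletA1
2016-01-28 10:39:02,004 [PortletSessionTracker:40] Adding session with id=portletB2
2016-01-28 10:40:38,875 [PortletSessionListenerManager:187] Destroying session with id=portalX9
2016-01-28 10:40:38,875 [PortletSessionTracker:73] Removing session with id=portalX9
2016-01-28 10:41:10,310 [PortletSessionListenerManager:187] Destroying session with id=portletB2
2016-01-28 10:41:10,311 [PortletSessionTracker:73] Removing session with id=portletB2
"""


def correlate(log_text):
    """Return (tracked ids never removed, removed ids never tracked)."""
    added, removed = {}, {}
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue
        stamp = line[:23]  # "YYYY-MM-DD HH:MM:SS,mmm"
        if match["verb"] == "Adding":
            added.setdefault(match["sid"], stamp)
        elif match["verb"] == "Removing":
            removed.setdefault(match["sid"], stamp)
    # Tracked but never removed: portlet session data that outlives logout.
    leaked = {sid: ts for sid, ts in added.items() if sid not in removed}
    # Removed but never tracked: the id belongs to another cookie/session.
    unknown = {sid: ts for sid, ts in removed.items() if sid not in added}
    return leaked, unknown


if __name__ == "__main__":
    leaked, unknown = correlate(SAMPLE_LOG)
    print("never invalidated:", leaked)
    print("removed but never tracked:", unknown)
```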
The problem had a tricky reason. Our customer wanted to have a different name for the session id cookie, not the default jsessionid. I set the modified jsessionid on the Liferay portal war but not on the other wars like the theme and portlet apps. These wars therefore used the default jsessionid whereas the portal used the modified one. The default one was used by the add method, the modified one by the invalidate method.
So the solution was to modify the session id cookie also in the portlet and theme wars.
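A deployment-time check for the root cause described in this answer: every WAR's weblogic.xml must declare the same session cookie name as the portal. This is an added example, not code from the original posts; the WAR names and the cookie name PORTALSESSIONID are constructed placeholders, and the cookie name is assumed to be set through `<cookie-name>` in `<session-descriptor>`.

```python
import xml.etree.ElementTree as ET

NS = {"wls": "http://xmlns.oracle.com/weblogic/weblogic-web-app"}
DEFAULT_COOKIE = "JSESSIONID"  # used when <cookie-name> is not declared


def session_cookie_name(weblogic_xml):
    """Return the effective session cookie name of one weblogic.xml."""
    root = ET.fromstring(weblogic_xml)
    node = root.find("wls:session-descriptor/wls:cookie-name", NS)
    if node is None or not (node.text or "").strip():
        return DEFAULT_COOKIE
    return node.text.strip()


def mismatched_wars(descriptors, reference):
    """Return {war: cookie name} for WARs that differ from the reference WAR."""
    names = {war: session_cookie_name(xml) for war, xml in descriptors.items()}
    expected = names[reference]
    return {war: name for war, name in names.items() if name != expected}


def descriptor(cookie_name=None):
    """Build a minimal weblogic.xml (constructed sample input)."""
    cookie = f"<cookie-name>{cookie_name}</cookie-name>" if cookie_name else ""
    return (
        f'<weblogic-web-app xmlns="{NS["wls"]}">'
        f"<session-descriptor>{cookie}</session-descriptor>"
        "</weblogic-web-app>"
    )


# Constructed: the situation before the fix (only the portal was renamed).
BEFORE = {
    "portal.war": descriptor("PORTALSESSIONID"),
    "theme.war": descriptor(),
    "portlet.war": descriptor(),
}
# Constructed: after the fix, all WARs share the portal's cookie name.
AFTER = {war: descriptor("PORTALSESSIONID") for war in BEFORE}

if __name__ == "__main__":
    print("before:", mismatched_wars(BEFORE, "portal.war"))
    print("after: ", mismatched_wars(AFTER, "portal.war"))
```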
Related
I am developing a JSF web based application that makes use of CDI managed beans and Shiro managed sessions. The problem I've got is when a JSF page that references an object annotated with @javax.enterprise.context.SessionScoped an UnknownSessionException is thrown. I have set the logging level to finest and looking through the application server log file I can see that when the user accesses the login page a new session is created along with a cookie that sets JSESSIONID to b2b69494-2236-467f-9e0b-3c262c74b7c4. When the user accesses the page that references the SessionScoped bean the cookie is updated to have a JSESSIONID set to 49253beaee601d4107cba4b61c77, at this point an UnknownSessionException is thrown. When accessing pages that reference a managed bean annotated with either @javax.enterprise.context.ApplicationScoped or @javax.faces.view.ViewScoped everything works fine.
It appears that when accessing a page that references a session scoped bean, the servlet container is creating a new session rather than allowing the Shiro managed session to be used. If I configure Shiro to use something other than JSESSIONID then the error isn't thrown but instead two sessions appear to be created, one managed by Shiro and the other managed by the servlet container.
The contents of my shiro.ini file is
[main]
authc.loginUrl = /login.xhtml
authc.usernameParam = login:username
authc.passwordParam = login:password
authc.rememberMeParam = login:rememberMe
user.loginUrl = /login.xhtml
authc.successUrl = /app/index.xhtml
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
[users]
admin = password
[urls]
/login.xhtml = authc
/app/** = user
My environment is using Glassfish 4.1, Java EE version 7, Mojarra version 2.2.7 for JSF, Weld version 2.2.2 for CDI, and Shiro version 1.2.3. I have also reproduced the same issue on Glassfish version 4.0 albeit with earlier versions of Mojarra and Weld.
I have uploaded the relevant portion of the application server log to PasteBin which can be accessed with the URL http://pastebin.com/2sPHfdTQ
I've also created an example Maven project to demonstrate the problem. The example project can be downloaded from https://www.dropbox.com/s/1x9pe2o9ja0q9jw/TestJavaEE-web.zip?dl=0 which contains the source code and the compiled war file.
Is anyone else currently using CDI managed session scoped beans with Shiro managed sessions, and if so have you had any problems?
Is there a configuration setting I've missed either in Shiro or GlassFish or is this a bug?
Note: I have previously posted this question on the Shiro mailing list but I'm yet to find a solution and I'm hoping that there will be a wider audience on StackOverflow.
I added the code fragment below to my web.xml file:
<session-config>
<session-timeout>1</session-timeout>
</session-config>
I need to know whether there is any possibility to redirect to my login page when the application session times out.
I used JSF 2 + Spring Security 3 + Richfaces final in my project.
Please advise me.
Thanks all.
Do you want to do that automatically, or do you want to redirect to the login page after session timeout when the user calls some action?
For the second one I can recommend this method. I've tested this method in my project and it will work for sure.
https://gist.github.com/banterCZ/5160269
But if you want to do that with Richfaces, use this:
Redirecting on session timeout in JSF-Richfaces-facelet
I used JSF 2.2 Mojarra and the Session Scope.
After some time the Session Scope is deleted or something else. If I go back to the login page and log in again I have a new Session Scope and everything works again.
If I worked on the web application the Session Scope is not lost, and I have no problem. So I think it must be lost after some time if I don't use the web application.
Any idea how can I automatically go back to the login page if I lost the session scope?
To expect this, first your state saving method should be set to server, like below:
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
After this you should have a session time out like below in your web.xml
<session-config>
<session-timeout>20</session-timeout>
</session-config>
If you are idle for more than 20 minutes and try to make any request from the page, then you would see an exception stack trace of ViewExpiredException. Now to redirect to the login page on this you have to have the following config in web.xml
<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>your login page path</location>
</error-page>
This would work if you make a non-ajax request from the page after session timeout. Now to make it work on click of an ajax button, it requires a special exception handler for exceptions on ajax requests. You can use <pe:ajaxErrorHandler> from the primefaces extension library.
To use this you need to have following in your faces-config.xml
<application>
<el-resolver>org.primefaces.application.exceptionhandler.PrimeExceptionHandlerELResolver</el-resolver>
</application>
<factory>
<exception-handler-factory>org.primefaces.application.exceptionhandler.PrimeExceptionHandlerFactory</exception-handler-factory>
</factory>
And primefaces extension namespace xmlns:pe="http://primefaces.org/ui/extensions".
Now in your page just have <pe:ajaxErrorHandler /> in your page. This would navigate to login page on ajax button click in a page after session time out.
For automatic navigation to login page on time out you can use <p:idleMonitor> Something like
<p:idleMonitor timeout="6000" onidle="idleDialog.show()" />
Please have a look at this question for correct implementation of idle monitor
Timeout via idlemonitor (primefaces)
If you are using icefaces please visit the following link
JSF Session timeout and auto redirect to login page without user intraction eventhough Ajax push is active
You can also use omnifaces FullAjaxExceptionHandler, Please google for this.
Hope this helps!!!
I am using Spring MVC 3.1 and developing a web application.
I am storing the logged-in user name and password in the session. Since the session is stored in a cookie, once cookies are disabled I am not able to log in.
Is there any solution in Spring MVC to store the session other than in a cookie?
Thanks
You want to use URL rewriting to persist the JSESSIONID in the URLs across requests. You can configure the ServletContext to use the URL tracking mode (instead of COOKIE) as described here.
With Servlet 3.0 you do this:
<session-config>
<!-- tracking-mode is a direct child of session-config, not of cookie-config -->
<tracking-mode>URL</tracking-mode>
</session-config>
I noticed that in my application (Java EE 6, Spring MVC 3.2.4, Spring Security 3.1.4) JSTL's <c:url> tags start adding the sessionid value to each URL when cookies get disabled. Spring Security works normally. I did not have to do any configuration to achieve this.
I currently have a Spring 3 project and what I want to do is retrieve my session when the session expires. I have been doing some research and apparently the HttpSessionBindingListener can handle this although in a Spring project, I can't seem to figure out how to implement this properly. Within my session, I save a UserDetailsImpl object which contains my User object. Should I be implementing the HttpSessionBindingListener on the stated objects?
To be clear, what I want to do is retrieve the user's id from the session object before it expires.
EDIT: Apparently the HttpSessionBindingListener does not work properly in Websphere but it is okay in Tomcat. Are there any other alternatives?
You can also register listener in web.xml:
<listener>
<listener-class>com.example.MyHttpSessionListener</listener-class>
</listener>
And use the method sessionDestroyed().
This is described in detail in this answer: https://stackoverflow.com/a/3720512/516167
Inject the Spring Application Context in this listener as described in this question:
How to inject dependencies into HttpSessionListener, using Spring?
Other possible solutions are described here:
Logout/Session timeout catching with spring security