I'm using Spring 3.1.1.Release, Security 3.1.0.Release.
I've added login/logout to my web app, however a session scoped bean is not functioning the way it was. The bean is used to connect to a CMS called CMSConnector.
To authenticate users, I implemented an AuthenticationProvider, and in the authenticate() call, I get the session-scoped CMSConnector and call the CMSConnector.login(). If the CMS login fails, it fails the login.
THE PROBLEM:
If the login succeeds, the @PreDestroy logout() is called immediately after the successful login. I then found that the SessionFixationProtectionStrategy invalidates the previous session and assigns a new one:
```java
session.invalidate();
session = request.getSession(true); // we now have a new session
```
The invalidate() is calling the @PreDestroy method on the session-scoped bean.
So I have temporarily removed the @PreDestroy annotation, leaving the connection not closed. (VERY BAD PRACTICE.)
What is a workaround to resolve the issue?
I tried to create a @PostConstruct and put the login process there, but the @PostConstruct doesn't get called when request.getSession(true) is called.
Thanks!
Jason
I think it's not the SessionFixationProtectionStrategy but the ConcurrentSessionControlStrategy.
Set `max-sessions="-1"` for this code snippet.
I did not solve my original question, but I implemented a workaround: expire the session in the session-expiry object instead of attaching it to @PreDestroy.
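One way to keep the @PreDestroy cleanup and still avoid the spurious logout, as an added example that is not code from the question or from Spring Security: Spring Security's AbstractAuthenticationProcessingFilter runs the SessionAuthenticationStrategy (the session-fixation migration) between AuthenticationProvider.authenticate() and the AuthenticationSuccessHandler, so binding the CMS session to the session-scoped bean in a success handler puts it into the session that survives. The CmsClient/CmsSession interfaces, the ROLE_USER authority and the bean wiring are assumptions for the example.

```java
// Added example (not from the question or Spring Security). Assumes a hypothetical CmsClient API.
import java.io.IOException;
import javax.annotation.PreDestroy;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

/** Hypothetical CMS client API assumed for this example. */
interface CmsClient {
    /** Returns a CMS session handle, or null when the CMS rejects the credentials. */
    CmsSession login(String user, String password);
}
interface CmsSession { void logout(); }

/** Session-scoped holder for the CMS session; the scoped proxy lets singletons inject it. */
@Component
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
class CMSConnector {
    private CmsSession cms;                       // null until bound after login

    synchronized void bind(CmsSession s) { this.cms = s; }
    synchronized boolean isConnected() { return cms != null; }

    /** Idempotent on purpose: the container may call it more than once across a session migration. */
    @PreDestroy
    public synchronized void logout() {
        if (cms != null) { cms.logout(); cms = null; }
    }
}

/** Verifies credentials against the CMS but does NOT touch the session-scoped bean yet. */
class CmsAuthenticationProvider implements AuthenticationProvider {
    private final CmsClient client;
    CmsAuthenticationProvider(CmsClient client) { this.client = client; }

    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String user = auth.getName();
        String password = String.valueOf(auth.getCredentials());
        CmsSession cms = client.login(user, password);
        if (cms == null) throw new BadCredentialsException("CMS rejected login for " + user);
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                user, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        result.setDetails(cms);   // hand the CMS handle (not the password) to the success handler
        return result;
    }

    public boolean supports(Class<?> c) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(c);
    }
}

/** Runs after the session-fixation strategy has already created the new session. */
class CmsBindingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    private final CMSConnector connector;         // injected scoped proxy
    CmsBindingSuccessHandler(CMSConnector connector) { this.connector = connector; }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res,
                                        Authentication auth) throws IOException, ServletException {
        // The old session was invalidated (and any stale CMSConnector destroyed) before we got here,
        // so this binding lives until the real logout or timeout, when @PreDestroy fires once more.
        connector.bind((CmsSession) auth.getDetails());
        super.onAuthenticationSuccess(req, res, auth);
    }
}
```

Register CmsBindingSuccessHandler as the `authentication-success-handler-ref` of the form login and keep session fixation protection enabled. If something between the provider and the success handler rejects the login (for example concurrency control), the CMS handle in the Authentication details is never bound, so an AuthenticationFailureHandler should log it out to avoid leaking a CMS session.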
I'm using Java EE (EJB, JPA, JSF) and JBoss. How can I check online users? Of course, I have User entity. And user can login and logout. I thought we can check the session that created when a user login. But when that session times out, how do we know?
You can use HttpSessionListener; it receives notification when an HTTP session is activated or is about to be deactivated.
In order to receive these notification events, the implementation class must be either declared in the deployment descriptor of the web application or annotated with WebListener.
There are two methods declared in the HttpSessionListener interface which must be implemented by the servlet programmer to perform some action:
- `public void sessionCreated(HttpSessionEvent e)`: is invoked when the session object is created.
- `public void sessionDestroyed(HttpSessionEvent e)`: is invoked when the session is invalidated.
Here you can get a tutorial for the implementation.
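A complete listener for the online-users question above, as an added example that is not code from the answer: it pairs HttpSessionListener with HttpSessionAttributeListener so a session is counted as "online" once the login code stores the user name under an assumed attribute name, and is dropped again on sessionDestroyed, which the container calls both for an explicit invalidate() on logout and for a server-side timeout. The attribute name `currentUser` and the in-memory registry are assumptions for the example.

```java
// Added example (not from the answer). Servlet 3.0 (Java EE 6 / JBoss AS 6+) for @WebListener.
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class OnlineUserTracker implements HttpSessionListener, HttpSessionAttributeListener {
    /** Attribute under which the login code stores the user name (assumed name for the example). */
    public static final String USER_ATTR = "currentUser";

    /** session id -> user name; static so every session shares one registry. */
    private static final Map<String, String> ONLINE = new ConcurrentHashMap<String, String>();

    /** Distinct user names with at least one live, logged-in session. */
    public static Set<String> onlineUsers() {
        return Collections.unmodifiableSet(new HashSet<String>(ONLINE.values()));
    }

    /** Helper the login action calls after authenticating the user (constructed for the example). */
    public static void markLoggedIn(HttpSession session, String userName) {
        session.setAttribute(USER_ATTR, userName);   // triggers attributeAdded below
    }

    public void sessionCreated(HttpSessionEvent e) {
        // Nothing to record yet: a new session is anonymous until the user logs in.
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        // Called for BOTH HttpSession#invalidate() (logout) and container timeout,
        // which is how a timed-out user disappears from the online list without any request.
        ONLINE.remove(e.getSession().getId());
    }

    public void attributeAdded(HttpSessionBindingEvent e) {
        if (USER_ATTR.equals(e.getName())) {
            ONLINE.put(e.getSession().getId(), String.valueOf(e.getValue()));
        }
    }

    public void attributeRemoved(HttpSessionBindingEvent e) {
        if (USER_ATTR.equals(e.getName())) {
            ONLINE.remove(e.getSession().getId());
        }
    }

    public void attributeReplaced(HttpSessionBindingEvent e) {
        attributeAdded(e);   // user switched accounts in the same session: record the new name
    }
}
```

Keying by session id rather than by user name means a logout in one browser tab does not mark a user offline while another of their sessions is still alive; if the application changes the session id at login (as session-fixation protection does), store the attribute after the new session exists so the registry holds the surviving id. On a cluster the static map is per JVM, so a shared store is needed there.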
In my JSF application, @PostConstruct is mentioned in the initApplication() method and
@PreDestroy is used to close all database connections.
I let more than 2 users log in at the same time. When any one logs out, the session is invalidated by @PreDestroy. So the other users also cannot get a connection.
I want to call @PreDestroy only when my application scope is terminated, not on session invalidation.
How can I do it?
I am working on a Seam web application where, once the user logs in, the main (or landing) page calls 4 stateful session beans. So once the user logs in, there will be at least 4 threads of stateful session beans created. The page also has a logout button. The logout component in the xhtml calls a POJO which has a logout method.
In the logout method, the following statement is executed:
```java
Session.instance().invalidate();
```
Now the question is, will the 4 threads/instances of the stateful session beans which are created when the user logs in be destroyed or not?
I am running this application on JBOSS 4.2.3, Seam 2.2.1 Final
I am using JOSSO for authentication.
Yes, they're all part of the same session. You're actually creating session scoped beans, not separate sessions.
Easy enough to check though. Create a method in each of the session beans and annotate it with @Destroy; when the annotated bean is destroyed, it will call this method.
```java
@Destroy
public void callMeWhenIDie() {
    log.debug("I'm melting, I'm melting " + this.someDefiningCharacteristic);
}
```
I have a backing session scope bean called WorkSession. When an instance of this bean is created I call an initialization function (declared with the @PostConstruct annotation), which changes the current user's status (I handle user logging with JAAS) in the database to ONLINE.
I want to do the analogous thing when the user logs out (change the user status to OFFLINE). It is easy to do this when the user presses the "Logout" button on the web page. The problem is that I have no idea how to detect a closed browser or tab in the browser.
I see that a method with the annotation @PreDestroy does not work for this, because it's called by the application server garbage collector, right?
I use Glassfish 3.1.2, JPA 2.0 and JSF 2.0.
> I see that a method with the annotation @PreDestroy does not work for this, because it's called by the application server garbage collector, right?
It should work just fine. It's absolutely not called by the GC. It's called by the container when the session is destroyed. Perhaps your concrete problem is that you expected that the session is immediately destroyed when the user closes the entire browser. This is thus not true. It's only destroyed when it's timed out in the server side. The default timeout is 30 minutes. So if you wait 30 minutes, then the session will be destroyed and the @PreDestroy of all session (and view) scoped beans will be called.
You can configure the default timeout by `<session-config><session-timeout>` in web.xml.
See also:
- How do servlets work? Instantiation, sessions, shared variables and multithreading - to learn how sessions work "under the covers".
By the way, the term "session disconnect" makes absolutely no sense in web development world.
I want to know about setting and un-setting the session in JSF 2.0. Although following some blogs and books (Core JavaServer Faces, 3rd Edition), I got to know that using the annotation @SessionScoped we can set any managed bean to be in session. I have a loginBean which is declared @ManagedBean and @SessionScoped. On the top right corner, my web page has a login button.
When is this session created (I am not setting it manually, that is why I am confused) and when does it get destroyed? It must be destroyed either by timeout or by clicking the logout button only.
JSF uses the Servlet API under the covers. A session scoped managed bean is in essence set as an attribute of the HttpSession. It will be created and set whenever the EL expression referencing the managed bean #{sessionBean} is evaluated for the first time. It will be "removed" from the session whenever the session expires (by either a restart of the client or a timeout in the server) or get invalidated. If you let your logout button call ExternalContext#invalidateSession(), then the session will be invalidated.
If you're familiar with the basic Servlet API, you should already understand how this all works. For an in-depth explanation of the Servlet's HttpSession works under JSF's covers, read this answer: How do servlets work? Instantiation, sessions, shared variables and multithreading.
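A session-scoped JSF 2.0 managed bean that ties both threads above together, as an added example that is not code from either answer: @PostConstruct runs when `#{workSession}` is first evaluated and marks the container-authenticated user ONLINE, @PreDestroy marks them OFFLINE when the session ends (explicit invalidation from the logout action, or the server-side timeout from `<session-timeout>`), and the logout action uses ExternalContext#invalidateSession(). The in-memory STATUS map stands in for the database column and the `/login.xhtml` outcome is an assumption.

```java
// Added example (not from the answers). JSF 2.0 managed-bean annotations as used on Glassfish 3.1.
import java.io.Serializable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

@ManagedBean                 // available in EL as #{workSession}
@SessionScoped
public class WorkSession implements Serializable {
    private static final long serialVersionUID = 1L;

    /** Stand-in for the user status column in the database (constructed for the example). */
    static final Map<String, String> STATUS = new ConcurrentHashMap<String, String>();

    private String user;

    @PostConstruct
    public void init() {
        // Runs on the first request that references #{workSession}; the FacesContext is available here.
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        user = ec.getRemoteUser();             // principal set up by container (JAAS) login, or null
        if (user != null) {
            STATUS.put(user, "ONLINE");
        }
    }

    @PreDestroy
    public void destroy() {
        // Called by the container when the HttpSession is invalidated or times out.
        // On timeout there is NO request and NO FacesContext, so only use state captured in init().
        if (user != null) {
            STATUS.put(user, "OFFLINE");
        }
    }

    /** Action method for the Logout button: <h:commandButton action="#{workSession.logout}"/>. */
    public String logout() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        ec.invalidateSession();                // destroy() runs for every session-scoped bean
        return "/login.xhtml?faces-redirect=true";   // assumed login page; redirect so the old session id is not reused
    }

    public String getUser() {
        return user;
    }

    /** Convenience for an admin page: current status of a user, or OFFLINE if never seen. */
    public static String statusOf(String name) {
        String s = STATUS.get(name);
        return s == null ? "OFFLINE" : s;
    }
}
```

A closed browser tab produces no request, so the OFFLINE transition only happens when the container expires the session; a shorter `<session-timeout>` in web.xml makes that status more accurate at the cost of more frequent re-logins.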
In JSF 2.0 we can put a whole class object in the session like I mention:
```java
Class_name sm;
ExternalContext extContext = FacesContext.getCurrentInstance().getExternalContext();
extContext.getSessionMap().put("Give name for access this property", sm);
Class_name sm = (Class_name) extContext.getSessionMap().get("Give name for access this property");
```