How do you check for a valid session in Struts 2 jsp?

I have an include jsp on all my pages which includes js files, css files, etc. This include jsp also refers to the session with "".
On the last page of my application, the action does a session.invalidate on the HttpSession object.
So when the last page of my application appears and runs the "", I get the following error since the session is invalidated:
2011-10-19 10:30:59,134 WARN com.opensymphony.xwork2.ognl.OgnlValueStack - Caught an exception while evaluating expression '#session.user.isWhatever()' against value stack
java.lang.IllegalStateException: getAttribute: Session already invalidated
at org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1062)
at org.apache.catalina.session.StandardSessionFacade.getAttribute(StandardSessionFacade.java:110)
at org.apache.struts2.dispatcher.SessionMap.get(SessionMap.java:165)
at ognl.MapPropertyAccessor.getProperty(MapPropertyAccessor.java:76)
I have tried "#session neq null" to stop the error from appearing but that doesn't work.
Is there any way/condition to use to stop this error? How does one check if the session is valid in the jsp in Struts 2?

Check for the presence of a known session value--in your case, #session.user. You shouldn't have to do an explicit null check, IIRC (could be wrong). Depending on how things are actually working in your app, you can also check for isNew, although that seems like it shouldn't be necessary.
The session will "never" be null--unless explicitly directed otherwise, just hitting a JSP page will create one.

Related

How to display cookie value in JSF facelet (xhtml file) by using implicit object; "cookie"

I wrote a code as follows in JSF facelet(xhtml file)
${cookie}
If I run the xhtml file on a web app server. The below is displayed on the screen.
{JSESSIONID=javax.servlet.http.Cookie@faf91d8}
However, it seems to be the address of where the cookie instance is stored.
I want to see the value(sessionid) in the cookie.
I tried this code, but it did not work.
${cookie[value]}
I tried reading the following specifications in JCP, but I could not find the answer.
https://jcp.org/en/jsr/detail?id=372
Could you please tell me how to properly write a code to display a value in a cookie? I would appreciate your help.
As you can see from what is printed, it looks like a key-value pair and since the spec says it maps to a single cookie,
#{cookie['JSESSIONID']}
is what returns an actual single cookie. But you still need the value of it so
#{cookie['JSESSIONID'].value}
is most likely what you need.
See also
http://incepttechnologies.blogspot.com/p/jsf-implicit-objects.html
https://docs.oracle.com/javase/7/docs/api/java/net/HttpCookie.html

Using WebGrid with sortable columns, the call to the controller bypasses the Session

In ASP.NET MVC 4, I have a multipage app that does some security checking on the first page, stores the results in a Session variable, then uses OnActionExecuting on every Controller to test the Session variable as I move from page to page. One of the views uses a WebGrid with sortable columns. When I click on the column header to engage the sort, I get a call to the view's default Action, but, in OnActionExecuting, the Session variable is not there. It appears to have created a new session. My logic then treats it as a security failure.
I have not yet found where this click (to sort) is being handled, so that's my first issue - perhaps I could influence what is being passed in. Alternatively, (and ideally), there is a setting in WebGrid that I have missed that would maintain the current Session. I am away from the code at the moment, but those are the things I haven't found yet.
What I am looking for is a way to preserve the Session while using the WebGrid sortable column feature.
Additional Information: In the view, the WebGrid's <th> elements are all anchors, like <a href="/MyController?sort=MyColumnName?sortdir=ASC">
(I could use a better answer, but this worked for me)
Since the value in the heading is actually an anchor, I was able to discover that the QUERY_STRING always contains "sort=". Thus, I could at least check for this and restore the missing security variable to the Session, based on the assumption that, if I am getting this query string, the user has passed the security test before.
(filterContext.RequestContext.HttpContext.Request.Params["QUERY_STRING"].Contains("sort="))
I'm still thinking that WebGrid should not be starting a new session for me, but at least this workaround will get me going.
NOTE FOR FUTURE REFERENCE: We were using the <system.web> setting <sessionState cookieless="true">. Apparently, when WebGrid sets up its links for sorting, it does not detect that setting, thus it does not include the session id in the URL. This is why WebGrid was starting a new session for us.

Invalid postback or callback argument error in JMETER

I recorded a .net application using JMETER. After correlating and playing back it throws the below error. I have seen a few posts which say eventvalidation has to be set false. Is there any other way to get rid of this error in Jmeter?
505|error|500|Invalid postback or callback argument.
Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them.
If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
I guess that you're either missing or passing incorrect ASP.NET Viewstate
Basically it's an input of "hidden" type which is required to store application state and some service data which your application is expecting.
My understanding is that you're either using kind of hard-coded or recorded viewstate value or totally missing it.
I recommend appending a Regular Expression Extractor Post Processor (or any suitable kind of post-processor like Beanshell, BSF, XPath - if your application talks XHTML) to extract the viewstate value from each request, store it in a variable and add it to every next request.
You need to disable event validation in the config
If there is a dynamic DropDownList in your page, you can try to set the value of the DropDownList to blank in the JMeter post data. I think this problem can be solved.
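The extraction step recommended in the viewstate answer above, as an added Java example that is not part of the original posts. It assumes the standard WebForms hidden fields __VIEWSTATE and __EVENTVALIDATION rendered with name before value; the sample HTML is constructed. The values are Base64, so they have to be URL-encoded before being replayed, otherwise "+" arrives as a space and the server rejects the postback.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AspNetStateFields {

    // Hidden state inputs such as __VIEWSTATE and __EVENTVALIDATION.
    // Assumes the name attribute precedes the value attribute.
    private static final Pattern HIDDEN = Pattern.compile(
            "<input[^>]*name=\"(__[A-Z]+)\"[^>]*value=\"([^\"]*)\"",
            Pattern.CASE_INSENSITIVE);

    // Collects every state field from one response, in document order.
    static Map<String, String> extract(String html) {
        Map<String, String> fields = new LinkedHashMap<>();
        Matcher m = HIDDEN.matcher(html);
        while (m.find()) {
            fields.put(m.group(1), m.group(2));
        }
        return fields;
    }

    // Builds the form body for the next request; '+', '/' and '=' get percent-encoded.
    static String toFormBody(Map<String, String> fields) throws UnsupportedEncodingException {
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (body.length() > 0) {
                body.append('&');
            }
            body.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=')
                .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample response, not captured from a real application.
        String html =
            "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value=\"/wEPDwUK+abc/def==\" />\n"
          + "<input type=\"hidden\" name=\"__EVENTVALIDATION\" id=\"__EVENTVALIDATION\" value=\"/wEWAgK+xyz=\" />";
        System.out.println(toFormBody(extract(html)));
    }
}
```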

Validator skipped when input is removed in client – is this as per JSF specification?

I have a page with an input text component marked as required="true" and having a custom Validator in server side.
Now as a client, I submit the page without the HTML element rendered by that component (this can be easily achieved by removing the element from the DOM tree using browser's builtin DOM element inspector). The form is successfully submitted, without the server side validation of this required component.
Is this as per JSF specification? Is there a way to specify that the validators in the page are to be executed even if the posted page does not contain them?
This is indeed as per the specification. Here's an extract of relevance from UIInput#validate() javadoc (emphasis mine):
Retrieve the submitted value with getSubmittedValue(). If this returns null, and the value of the ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE context-param is true (ignoring case), examine the value of the "required" property. If the value of "required" is true, continue as below. If the value of "required" is false or the required attribute is not set, exit without further processing. If the context-param is not set, or is set to false (ignoring case), exit without further processing. (This indicates that no value was submitted for this component.)
An empty input will send an empty string, not null. A complete absence of the input will send null, not empty string.
You can thus disable the observed behavior by adding the following context parameter:
<context-param>
<param-name>javax.faces.ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE</param-name>
<param-value>true</param-value>
</context-param>
Note that this context parameter is new since JSF 2.3 and backported into Mojarra 2.2.16, 2.1.29-10 and 1.2_15-06. It is not supported in older versions. See also JSFSPEC-1433 and the expert group discussion about this issue.
Whether that is harmful or not depends on the business logic. A decently designed model (business logic and/or data model) which doesn't consider null as expected case would cause a null pointer exception elsewhere, or a SQL constraint violation (NOT NULL), which will usually end up in a HTTP 500 error response. But if the model actually considers null as an expected case, then it's likely a fault in the model. The view (the JSF page), intended to merely present the model, can then do little against it.
If the business logic or data model can really not be altered to consider null as an exceptional case (i.e. never assume/accept the given value as null), and you happen to use JPA, then your best bet is to add a @NotNull on the property. Whilst JSF will bypass validation on it, JPA will still validate it, causing still an exception and a HTTP 500 error. I'd in this case only wonder why the DB column doesn't have a NOT NULL constraint in first place. Alternatively, do class level validation.
Noted should be that MyFaces logs a warning like below on this:
Mar 16, 2016 8:55:52 AM org.apache.myfaces.shared.renderkit.html.HtmlRendererUtils decodeUIInput
WARNING: There should always be a submitted value for an input if it is rendered, its form is submitted, and it was not originally rendered disabled or read-only. You cannot submit a form after disabling an input element via javascript. Consider setting read-only to true instead or resetting the disabled value back to false prior to form submission.
Component : {Component-Path : [Class: javax.faces.component.UIViewRoot,ViewId: /test.xhtml][Class: javax.faces.component.html.HtmlBody,Id: j_id_5][Class: javax.faces.component.html.HtmlForm,Id: j_id_6][Class: javax.faces.component.html.HtmlInputText,Id: j_id_7] Location: /test.xhtml at line 22 and column 33}
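Model-side enforcement of the kind the answer above points to, as an added Java example that is not from the original answer. The ProfileService and Profile names are hypothetical, and a Bean Validation provider (for example Hibernate Validator) is assumed to be on the classpath. The service validates the object itself, so a field whose input was removed from the DOM is still rejected even though JSF skipped its validators.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.ConstraintViolationException;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;

public class ProfileService {

    // Hypothetical model class; the field mirrors the required="true" input in the view.
    public static class Profile {
        @NotNull
        @Size(min = 1, max = 100)
        private String displayName;

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
    }

    private final Validator validator =
            Validation.buildDefaultValidatorFactory().getValidator();

    // Called from the action method; does not rely on what the view validated.
    public void save(Profile profile) {
        Set<ConstraintViolation<Profile>> violations = validator.validate(profile);
        if (!violations.isEmpty()) {
            throw new ConstraintViolationException(violations);
        }
        // persisting the profile would happen here
    }

    public static void main(String[] args) {
        ProfileService service = new ProfileService();
        // Simulates the tampered submit: no value posted, so the setter was never called.
        Profile tampered = new Profile();
        try {
            service.save(tampered);
            System.out.println("saved");
        } catch (ConstraintViolationException e) {
            for (ConstraintViolation<?> v : e.getConstraintViolations()) {
                System.out.println(v.getPropertyPath() + " " + v.getMessage());
            }
        }
    }
}
```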

jsf execution order of f:events

What is the execution order of those?
Here is a question about possible f:event event names: List of JSF 2 events?
preRenderComponent
preRenderView
postAddToView
preValidate
postValidate
I want to check if a User saved in a session bean is logged in and if not redirect to the login site, which needs to occur before view-param conversion phase since the used converter depends on the logged in User. 'preValidate' seems to take place after conversion and so I need an earlier event.
<f:event type="preRenderView" listener="#{beanA.checkLoggedIn()}"/>
<f:viewParam name="param" value="#{beanB.param}" converter="#{beanB.converter}" required="true"/>
I could have put 'checkLoggedIn()' in 'beanB' too, but tried to use a separate request scoped bean just for the check so that I could reuse it easily.
What is the execution order of those?
postAddToView runs right after the component is added to view during view build time (which is usually during restore view phase, but can also be during render response phase, e.g. navigation).
preValidate runs right before the component is to be validated (which is usually during validations phase, but can also be apply request values phase if immediate="true").
postValidate runs right after the component has been validated (which is usually during validations phase, but can also be apply request values phase if immediate="true").
preRenderView runs right before the view is rendered during render response phase.
preRenderComponent runs right before the component is rendered during render response phase.
Click the links to see detailed description in javadoc introduction.
I want to check if a User saved in a session bean is logged in and if not redirect to the login site, which needs to occur before view-param conversion phase since the used converter depends on the logged in User. 'preValidate' seems to take place after conversion and so I need an earlier event.
You should use a simple servlet filter for this, not a JSF event. I've posted several examples before:
Is there any easy way to preprocess and redirect GET requests?
Are there some issue at inserting some check into template?
