Hi Chris, sorry for the late reply In your listener, why don't you dump a stack trace when a session > attribute is removed? That will let you know where the code is that is > removing your attributes. You may be surprised.
This would be very useful, but how would i generate it since theres no exception that's been thrown? Do i just throw an exception? -h On Wed, Aug 25, 2010 at 2:50 PM, Christopher Schultz <ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hisham, > > On 8/25/2010 11:07 AM, Hisham wrote: >> Let me rephrase what I said: I am not using any custom cookies, the >> JsessionID cookie gets created by default. > > That makes a lot more sense. > >> So i created an HttpSessionAttributeListener listener. And what i >> observed is truly weird. Once i click on Messages tab, the request >> goes through fine, there are a couple of images that are requested >> that are delivered correctly. After all this has finished, 2 of the >> attributes i have stored in the session are removed. Mind you, i have >> more attributes that DON'T get removed. I did a complete hack that IF >> these other attributes are still present then go ahead and put the 2 >> attributes back into the session - and it works fine now! > > Er, that will sort of subvert your own authorization mechanism, right? > > In your listener, why don't you dump a stack trace when a session > attribute is removed? That will let you know where the code is that is > removing your attributes. You may be surprised. > >> Of course i'm not gonna leave it like this, i still need to figure out >> what the hell is going on! Here is my filter code: >> >> public void doFilter(ServletRequest request, ServletResponse >> response, FilterChain chain) throws IOException, ServletException { >> boolean authorized = false; >> >> HttpServletRequest req = (HttpServletRequest)request; >> HttpServletResponse res = (HttpServletResponse)response; >> HttpSession session = req.getSession(false); >> >> System.out.println(req.getRequestURL()); >> >> if (session != null && session.getAttribute("ub") != null)) { >> >> authorized = true; >> System.out.println("setting authorized = true"); >> chain.doFilter(request, response); >> } >> >> // forward the request to login page >> if (!authorized) { >> System.out.println("kicked someone from >> "+request.getRemoteAddr()); >> res.setHeader("session", "invalid"); >> res.sendError(HttpServletResponse.SC_UNAUTHORIZED, >> "Your session is >> invalid or have expired."); >> } >> } > > Aside from the odd logic above, this looks okay, except, I don't see a > redirect to a login form anywhere, here. You also didn't say what the > URL mapping was for this filter was. Is it "/*"? If so, then you'll > probably not be able to serve your login page unless you're logged-in. > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkx1Zg8ACgkQ9CaO5/Lv0PA6HACcDuDEppOaVSyuDrvYqjB68uD5 > Em4AnjyHmIRgcO5ncOAV22CkAPOy18Vp > =SOPc > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org