[GitHub] [openwebbeans] jtnord commented on a change in pull request #34: Workaround Jetty ISE for invalidating sessions

Fri, 14 May 2021 05:58:07 -0700 


jtnord commented on a change in pull request #34:
URL: https://github.com/apache/openwebbeans/pull/34#discussion_r632493311



##########
File path: 
webbeans-web/src/main/java/org/apache/webbeans/web/context/WebContextsService.java
##########
@@ -593,9 +593,17 @@ protected boolean sessionIsExpiring(HttpSession session)
         int maxInactiveInterval = session.getMaxInactiveInterval();
         if (maxInactiveInterval > 0)
         {
-            long inactiveSince = 
TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - 
session.getLastAccessedTime());
-            if (inactiveSince >= maxInactiveInterval)
+            try 
             {
+                long inactiveSince = 
TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - 
session.getLastAccessedTime());
+                if (inactiveSince >= maxInactiveInterval)
+                {
+                    return true;
+                }
+            }
+            catch (IllegalStateException e) 
+            {
+                // Jetty will throw an ISE if you attempt to query the last 
accessed time of a session that is being invalidated
                 return true;

Review comment:
       @rmannibucau I was not clear, let me try again.
   
   If the session is being "invalidated" (aka then about to be invalid) then 
you are correct `getLastAccedTime()` should not throw an exception as you say.
   However the method that is being patched here is as follows: 
   
   
https://github.com/apache/openwebbeans/blob/e9332767af5abd81867b21b8a4d10718733fb188/webbeans-web/src/main/java/org/apache/webbeans/web/context/WebContextsService.java#L588-L603
   
   The javadoc for this method *clearly* states (with some typos) 
   
   > @return {@code true} if the sessino is currently expiring or has already 
expired
   
   thus - either this javaodoc comment is wrong - as it must never be called by 
a session that has **already** expired (aka has already been invalidated) .
   or
   the code is buggy as stated as if called with a session that has already 
expired, then it will never return `true` but is guaranteed by the 
specification to throw an `IllegalArgumentException` for every implementation 
that adheres to the specification.
   or
   I am completely missing something else




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to