Re: [OT] Session Timeout & Logged-in-ness

2002-11-06 Thread Ian Tomey
 
Unfortunately we need this functionality as all the EJB interfaces are secure and need to
remove beans when the session ends... should really be in the spec I think as otherwise
there is no way to support this kind of environment (it's fine if all your interfaces are
insecure..)
 
Anyway, this is of course the beauty of open source: you can dig in and find a workaround,
which for the record is:
 
keep a copy of the UserPrincipal object when your object is created... get it from:
 
org.mortbay.http.UserPrincipal userPrincipal = (UserPrincipal)
request.getSession().getAttribute( "org.mortbay.jetty.Auth" );
 
and when you need to be authenticated during object removal call:
 
userPrincipal.isAuthenticated()

you can't look that object up at the call to valueUnbound() as it may have been unbound
itself..
 
regards
Ian

>>> [EMAIL PROTECTED] 11/06/02 12:32pm >>>

IT> Have an interesting issue here and just wondering if any of you have
IT> the same kind of problem on other containers, or even whether you
IT> think this is working correctly. The servlet spec (2.3) it seems does
IT> not cover this.

IT> On an explicit logout everything works fine. However during the
IT> session timeout I get authentication errors - the principal is null. I
IT> don't know if the container is designed to be either not 'logged
IT> in' or to be explicitly 'logged out' when the session is being emptied
IT> or whether this is an oversight.

IT> Or do you think it should work like this?

Since it's not covered by the spec it should work in an unpredictable way. You
may be faced with a situation where the next version of Jetty returns you null
even in case of explicit logout. You should not rely on this behavior since
it's not portable.

-- 
Max Kutny
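
Added example (not part of the original posts and not Jetty or JBoss code): one way to write the listener Ian describes at the top of this message, saving the UserPrincipal from an authenticated request and calling isAuthenticated() on it in valueUnbound() before removing the beans. The class name SessionCleanup and its track() method are hypothetical; it assumes the Jetty 4, servlet 2.3 and EJB jars are on the classpath, and it skips the removal when the saved principal does not authenticate.

```java
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.ejb.EJBObject;
import javax.ejb.RemoveException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import org.mortbay.http.UserPrincipal;

// Hypothetical listener: create it in a request that is already authenticated
// and store it in the HttpSession.
public class SessionCleanup implements HttpSessionBindingListener {
    private final UserPrincipal userPrincipal;   // saved at creation, as in the post
    private final List beans = new ArrayList();  // stateful EJBs to remove on logout/timeout

    public SessionCleanup(HttpServletRequest request) {
        // Attribute name taken from the post (Jetty 4 specific, not in the servlet spec).
        userPrincipal = (UserPrincipal)
            request.getSession().getAttribute("org.mortbay.jetty.Auth");
    }

    public synchronized void track(EJBObject bean) {
        beans.add(bean);
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // nothing to do when the object is placed in the session
    }

    public synchronized void valueUnbound(HttpSessionBindingEvent event) {
        // Do not look the principal up in the session here: on timeout it may
        // already be unbound. Use the saved copy and fail closed if it is unusable.
        if (userPrincipal == null || !userPrincipal.isAuthenticated()) {
            System.err.println("SessionCleanup: no authenticated principal, beans left to expire");
            return;
        }
        for (Iterator it = beans.iterator(); it.hasNext();) {
            try {
                ((EJBObject) it.next()).remove();
            } catch (RemoteException e) {
                System.err.println("SessionCleanup: remove failed: " + e);
            } catch (RemoveException e) {
                System.err.println("SessionCleanup: remove failed: " + e);
            }
        }
        beans.clear();
    }
}
```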

Re: [OT] Session Timeout & Logged-in-ness

2002-11-06 Thread Max Kutny
 
 IT> Have an interesting issue here and just wondering if any of you have
 IT> the same kind of problem on other containers, or even whether you
 IT> think this is working correctly. The servlet spec (2.3) it seems does
 IT> not cover this.
 
 IT> On an explicit logout everything works fine. However during the
 IT> session timeout I get authentication errors - the principal is null. I
 IT> don't know if the container is designed to be either not 'logged
 IT> in' or to be explicitly 'logged out' when the session is being emptied
 IT> or whether this is an oversight.
 
 IT> Or do you think it should work like this?

Since it's not covered by the spec it should work in an unpredictable way. You
may be faced with a situation where the next version of Jetty returns you null
even in case of explicit logout. You should not rely on this behavior since
it's not portable.

-- 
Max Kutny

[OT] Session Timeout & Logged-in-ness

2002-11-06 Thread Ian Tomey
 
Hi all,
 
Have an interesting issue here and just wondering if any of you have the same kind of
problem on other containers, or even whether you think this is working correctly. The
servlet spec (2.3) it seems does not cover this. We are running JBoss 2.4 with Jetty 4.
 
I have an object that is placed in the HttpSession that implements
HttpSessionBindingListener. What I would like is when this object is being removed from
the session (which would only be by an explicit logout or session timeout) then it goes and
does some tidy-up on the system - which includes calling remove() on some stateful EJBs.
 
On an explicit logout everything works fine. However during the session timeout I get
authentication errors - the principal is null. I don't know if the container is
designed to be either not 'logged in' or to be explicitly 'logged out' when the session is
being emptied or whether this is an oversight.
 
Or do you think it should work like this? Or are other containers 'logged in' at this
point?
 
Cheers
Ian