Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

2017-09-11 Thread Kwan Lim
Thanks Mark. Makes sense and the configuration change did the trick!

On Mon, Sep 11, 2017 at 10:05 AM, Mark Thomas  wrote:

> On 11/09/17 14:21, Kwan Lim wrote:
> > Thanks Mark. You are correct that I'm using my own application, and it
> > looks like the problem is that the NonLoginAuthenticator valve is calling
> > getInternalSession() (via the AuthenticatorBase class's invoke() method).
> > Is there a way to bypass this? I'm guessing the ROOT application bypasses
> > the StandardHostValve? It looks like the code is trying to cache an
> > authenticated Principal on the request which is something we do not need
> > for our app since we do our own authentication.
>
> There are several things going on here.
>
> If a web application is not marked as metadata complete in web.xml OR it
> declares security constraints in web.xml then Tomcat needs an
> authenticator to be present.
>
> The ROOT web application does not meet either of these criteria, hence no
> Authenticator is configured, so nothing tries to access the session.
>
> If either of the above are true and no login configuration is present in
> web.xml, Tomcat automatically adds the NonLoginAuthenticator.
>
> By default, every authenticator checks the session for a cached
> Principal. This is configurable.
>
> You need to explicitly configure the NonLoginAuthenticator and set cache
> to false. Something like the following (untested).
>
> <Context>
>   <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
>          cache="false" />
> </Context>
>
> HTH,
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

2017-09-11 Thread Mark Thomas
On 11/09/17 14:21, Kwan Lim wrote:
> Thanks Mark. You are correct that I'm using my own application, and it looks
> like the problem is that the NonLoginAuthenticator valve is calling
> getInternalSession() (via the AuthenticatorBase class's invoke() method).
> Is there a way to bypass this? I'm guessing the ROOT application bypasses
> the StandardHostValve? It looks like the code is trying to cache an
> authenticated Principal on the request which is something we do not need
> for our app since we do our own authentication.

There are several things going on here.

If a web application is not marked as metadata complete in web.xml OR it
declares security constraints in web.xml then Tomcat needs an
authenticator to be present.

The ROOT web application does not meet either of these criteria, hence no
Authenticator is configured, so nothing tries to access the session.

If either of the above are true and no login configuration is present in
web.xml, Tomcat automatically adds the NonLoginAuthenticator.

By default, every authenticator checks the session for a cached
Principal. This is configurable.

You need to explicitly configure the NonLoginAuthenticator and set cache
to false. Something like the following (untested).

<Context>
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         cache="false" />
</Context>

HTH,

Mark




Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

2017-09-11 Thread Kwan Lim
Thanks Mark. You are correct that I'm using my own application, and it looks
like the problem is that the NonLoginAuthenticator valve is calling
getInternalSession() (via the AuthenticatorBase class's invoke() method).
Is there a way to bypass this? I'm guessing the ROOT application bypasses
the StandardHostValve? It looks like the code is trying to cache an
authenticated Principal on the request which is something we do not need
for our app since we do our own authentication.

On Mon, Sep 11, 2017 at 8:46 AM, Mark Thomas  wrote:

> On 10/09/17 01:53, Kwan Lim wrote:
> > Hi,
> >
> > I am trying to make a servlet that doesn't extend the session when
> accessed
> > and it looked like the system property
> > "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION" could do the job.
> >
> > To test it out I created a simple project in Netbeans 8.1 with Tomcat
> > 8.5.20 on Windows 10. In the project I have 2 servlets: servletA creates
> a
> > session and outputs some HTML, servletB only outputs HTML and doesn't
> call
> > request.getSession().
> >
> > When I request servletA, a session is created and each time I request it
> > again, the last accessed time is updated.
> > When I request servletB which doesn't call getSession(), the last
> accessed
> > time is updated as well.
> >
> > Note: I'm using the out-of-the box server.xml and other configuration
> files
> > and there are no filters that call getSession().
> >
> > If I'm reading the documentation correctly, when set to true it will always
> > update the last accessed time even if getSession() wasn't called. By
> > default ACCESS_SESSION is false because STRICT_SERVLET_COMPLIANCE is not
> > set/false. My question is what is the expected behaviour when it's set to
> > false? I was expecting servletB to not update the last accessed time.
>
> I think your test case may be the cause of this. I have performed a
> similar test with the Tomcat ROOT web application monitoring session
> last accessed time via the Manager application and I do not see the
> behaviour you see.
>
> When I call a page that does not call getSession(), the last accessed
> time remains unchanged.
>
> When I call a page that does call getSession(), the last accessed time
> is updated.
>
> Various components can trigger a call to getSession(). I suspect that
> something is doing this that you aren't aware of. Personally I'd use
> remote debugging to put a break point on getSession() and find out what
> is triggering that call.
>
> Mark
>


Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

2017-09-11 Thread Mark Thomas
On 10/09/17 01:53, Kwan Lim wrote:
> Hi,
> 
> I am trying to make a servlet that doesn't extend the session when accessed
> and it looked like the system property
> "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION" could do the job.
> 
> To test it out I created a simple project in Netbeans 8.1 with Tomcat
> 8.5.20 on Windows 10. In the project I have 2 servlets: servletA creates a
> session and outputs some HTML, servletB only outputs HTML and doesn't call
> request.getSession().
> 
> When I request servletA, a session is created and each time I request it
> again, the last accessed time is updated.
> When I request servletB which doesn't call getSession(), the last accessed
> time is updated as well.
> 
> Note: I'm using the out-of-the box server.xml and other configuration files
> and there are no filters that call getSession().
> 
> If I'm reading the documentation correctly, when set to true it will always
> update the last accessed time even if getSession() wasn't called. By
> default ACCESS_SESSION is false because STRICT_SERVLET_COMPLIANCE is not
> set/false. My question is what is the expected behaviour when it's set to
> false? I was expecting servletB to not update the last accessed time.

I think your test case may be the cause of this. I have performed a
similar test with the Tomcat ROOT web application monitoring session
last accessed time via the Manager application and I do not see the
behaviour you see.

When I call a page that does not call getSession(), the last accessed
time remains unchanged.

When I call a page that does call getSession(), the last accessed time
is updated.

Various components can trigger a call to getSession(). I suspect that
something is doing this that you aren't aware of. Personally I'd use
remote debugging to put a break point on getSession() and find out what
is triggering that call.

Mark

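Mark's advice above is to put a breakpoint on getSession() and see who calls it. The filter below is an added example written for this page, not code from the thread or from Tomcat: it is the application-level counterpart of that breakpoint. It wraps every request so that any getSession() call made further down the filter chain (other filters, servlets, JSPs, frameworks) is logged together with the caller's stack trace. The package name and filter name are assumptions; the Servlet 3.1 (javax.servlet) API matches Tomcat 8.5.

```java
package example.diagnostics; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter (example code, not part of Tomcat): wraps each request so
 * that every call to getSession() / getSession(boolean) made by code later in
 * the chain is logged with a stack trace naming the caller.
 *
 * Container components such as the NonLoginAuthenticator valve run before the
 * filter chain and never see this wrapper, so calls made there still need a
 * debugger breakpoint on Request.getSession() in org.apache.catalina.connector.
 */
@WebFilter(filterName = "sessionAccessTracing", urlPatterns = "/*") // hypothetical name
public class SessionAccessTracingFilter implements Filter {

    private ServletContext servletContext;

    @Override
    public void init(FilterConfig filterConfig) {
        // Servlet 3.1 has no default init()/destroy(); both must be implemented.
        servletContext = filterConfig.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request = new TracingRequest((HttpServletRequest) request, servletContext);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        servletContext = null;
    }

    /** Request wrapper that records who asks for the session, without changing behaviour. */
    static final class TracingRequest extends HttpServletRequestWrapper {
        private final ServletContext ctx;

        TracingRequest(HttpServletRequest request, ServletContext ctx) {
            super(request);
            this.ctx = ctx;
        }

        @Override
        public HttpSession getSession() {
            trace("getSession()");
            return super.getSession();
        }

        @Override
        public HttpSession getSession(boolean create) {
            // getSession(false) also touches the session if one exists, so log it too.
            trace("getSession(" + create + ")");
            return super.getSession(create);
        }

        private void trace(String call) {
            // A Throwable that is never thrown still captures the current stack;
            // ServletContext.log(String, Throwable) writes it to the context's log.
            ctx.log("Session access via " + call + " for " + getRequestURI(),
                    new Throwable("caller of " + call));
        }
    }
}
```

Two practical notes. First, if web.xml is marked metadata-complete="true" the @WebFilter annotation is not scanned, so declare the filter in web.xml instead, and declare it first so the wrapper is in place before any other filter runs. Second, a JSP page calls getSession() on its own unless it carries `<%@ page session="false" %>`, which is a common hidden caller in exactly the kind of two-servlet test described in this thread.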