Hi All,

I have a somewhat similar problem. In my application, I have a UserSessionListener class that implements the HttpSessionListener interface. I have to create a stateful session EJB in the sessionCreated() method of my UserSessionListener & remove() the same stateful session EJB in the sessionDestroyed() method of my UserSessionListener.

Right now, I am using a simple login jsp that maps to a LoginAction class where a simple authentication check is made against some hardcoded username/password values & depending on the authentication, the forward is to a success/error jsp. [Later on, I shall be incorporating FORM based authentication in conjunction with OiD.]

My problem is that the (unauthenticated) session is created whenever the user hits the login page & this invokes the sessionCreated() method in my UserSessionListener which creates the stateful session EJB even though the user is not yet authenticated. How do I avoid this & force the creation of the session only after authenticating the user? Or is there any workaround for this?

Thanks.
Sanjay

-----Original Message-----
From: Nicolas De Loof [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 2:30 PM
To: Struts Users Mailing List
Subject: Configuring Struts NOT to create (unauthentified) sessions

Hi all,

I would like Struts NOT to create a session for an unauthenticated user. As far as I understand Struts code, I need to set locale="false" in struts-config.xml <controller>.

Is there any other Struts mechanism that can create a session (excluding action-mapping declared as scope="session")?

Doesn't the "locale" default value (true) expose lots of Struts applications to attack? (server Out of Memory because too many sessions have been created - isn't this what is called "Denial of Service"?)

Nico.
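
An added example, not part of the original thread: one way to tie the per-user resource to authentication instead of to session creation, using the servlet API's HttpSessionBindingListener. The class name, the attribute key, the Resource interface and the createResource() factory are hypothetical stand-ins for the application's own stateful EJB handling.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Session attribute that owns the per-user resource (stand-in for the stateful EJB). */
public class AuthenticatedUser implements HttpSessionBindingListener {
    public static final String KEY = "authenticatedUser"; // hypothetical attribute name

    /** Hypothetical handle for the expensive per-user resource. */
    public interface Resource { void remove(); }

    private final String name;
    private transient Resource resource;

    public AuthenticatedUser(String name) { this.name = name; }

    public String getName() { return name; }

    /** Hypothetical factory: a real application would look up the EJB home and call create(). */
    protected Resource createResource() {
        return new Resource() { public void remove() { /* release server-side state */ } };
    }

    /** Called by the container when this object is stored in a session, i.e. after login. */
    public void valueBound(HttpSessionBindingEvent event) {
        resource = createResource();
    }

    /** Called on removeAttribute(), on invalidate() and on session timeout. */
    public void valueUnbound(HttpSessionBindingEvent event) {
        if (resource != null) { resource.remove(); resource = null; }
    }

    /** Call from the login action; credentialsOk is the result of the application's own check. */
    public static boolean login(HttpServletRequest request, String name, boolean credentialsOk) {
        HttpSession old = request.getSession(false);   // getSession(false) never creates a session
        if (!credentialsOk) {
            return false;                              // failed login: no session, no resource
        }
        if (old != null) {
            old.invalidate();                          // do not carry a pre-login session id over
        }
        request.getSession(true).setAttribute(KEY, new AuthenticatedUser(name));
        return true;
    }
}
```

The login JSP also has to declare `<%@ page session="false" %>`, because a JSP creates a session by default. With that in place, a request from an unauthenticated client allocates neither a session nor the per-user resource.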

