David, it appears that the Servlet Spec. declares that attempting to remove any attribute from an invalid session will result in the IllegalStateException.
http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpSession.html#removeAttribute(java.lang.String) Being the reference implementation, Tomcat 4 of course implements this. From org.apache.catalina.session.StandardSession.java: /** * Remove the object bound with the specified name from this session. If * the session does not have an object bound with this name, this method * does nothing. * <p> * After this method executes, and if the object implements * <code>HttpSessionBindingListener</code>, the container calls * <code>valueUnbound()</code> on the object. * * @param name Name of the object to remove from this session. * @param notify Should we notify interested listeners that this * attribute is being removed? * * @exception IllegalStateException if this method is called on an * invalidated session */ public void removeAttribute(String name, boolean notify) { // Validate our current state if (!expiring && !isValid) throw new IllegalStateException (sm.getString("standardSession.removeAttribute.ise")); ... I've applied the following patch to the Turbine.java in jakarta-turbine-2 repository to correct this behavior: Index: Turbine.java =================================================================== RCS file: /home/cvs/jakarta-turbine-2/src/java/org/apache/turbine/Turbine.java,v retrieving revision 1.14 diff -u -u -r1.14 Turbine.java --- Turbine.java 16 Apr 2002 22:07:07 -0000 1.14 +++ Turbine.java 22 Apr 2002 19:02:51 -0000 @@ -511,10 +511,9 @@ // If a module has set data.acl = null, remove acl from // the session. - if ( data.getACL() == null ) + if ( data.getACL() == null && data.getSession().isValid() ) { - data.getSession().removeValue( - AccessControlList.SESSION_KEY); + data.getSession().removeValue(AccessControlList.SESSION_KEY); } // handle a redirect request Note that I didn't use the try/catch block you suggested, as checking for a valid session is a more correct implementation. Question for turbine-dev: does this fix still apply? If so, where? Thanks, Dan David Vandegrift <[EMAIL PROTECTED]> writes: > I using Tomcat 4. > > There's a little more information about this issue in a post > I made on April 10th. > > > -----Original Message----- > From: Daniel Rall [mailto:[EMAIL PROTECTED]] > Sent: Friday, April 19, 2002 9:05 AM > To: Turbine Users List > Subject: Re: Added try/catch to Turbine.java. Problem? > > > David Vandegrift <[EMAIL PROTECTED]> writes: > >> To get HttpSession.invalidate() to work, I modified my Turbine.java by >> adding the following try/catch block around > data.getSession().removeValue() > > in the doGet() method. >> >> Does anyone see any potential problems with doing this? >> It seems harmless to me. >> >> Without this one cannot invalidate an HttpSession which is important when >> using Container Managed security (logging out for example). >> >> Thanks, >> David >> >> >> --------cut from doGet() ------------------ >> >> // If a module has set data.acl = null, remove acl from >> // the session. >> if ( data.getACL() == null ) >> { >> try <--- new try/catch block >> { >> data.getSession().removeValue( >> AccessControlList.SESSION_KEY); >> } >> catch (IllegalStateException e) { } // do nothing, it's gone >> } > > Huh. What container are you using? -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
