Hi Chris.
Thanks for diagnosing this problem! It appears you're right that it logs
only after the session is invalidated (after the request is complete) on a
logout request. That bug has existed in the code for a very long time,
unnoticed. The AccessLogValve was initially implemented to log only after
the request processing is complete so that the client never needs to wait
for the logging to complete. With the new addition of asynchronous logging,
however, it's quite a bit less important to log only when the request is
complete. It seems like it would help if the access logger could be
configurable to log either before or after handling the request (I'm not
sure logging both before and after makes sense). Your ideas for %Sr and
%{methodName}rm both seem useful as well, though I think the %{methodName}rm
one has potential security & side effect issues. So, I would suggest
implementing your first two ideas. I'm also happy to help you with that, if
you'd like.
Cheers.
--
Jason Brittain
MuleSoft <http://www.mulesoft.com>
On Fri, Nov 13, 2009 at 2:22 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All,
>
> Amazingly enough, I had my first need to use AccessLogValve today, and
> one of the things I wanted to print was the user's session id. No,
> problem: just add "%S" to the log pattern.
>
> Well, there is one problem: you can't spit-out the session id for logout
> requests because the logic for the AccessLogValve is:
>
> if(enabled)
> invoke next valve
> print log message
> else
> invoke next valve
>
> Note that the request has essentially completed when the log message is
> generated. This makes complete sense as you typically want to log
> /after/ the request so you can do things like find out how many bytes
> were sent, how long the request took, etc.
>
> In my case, I want to have access to the session id before the session
> is invalidated (which happens in the logout servlet).
>
> Another option would be to get the requested session id from the request
> (which can only be done with the current AccessLogValve if the client is
> using cookies), though that can be misleading because anyone can request
> anything... it's not guaranteed to use a useful value.
>
> Anyhow, I was wondering if anyone had any suggestions short of heavily
> modifying the AccessLogValve or developing something from scratch.
>
> I'd also be happy to provide a patch for the AccessLogValve that add any
> or all of the following capabilities:
>
> 1. Allow log before or after request (or both?)
> 2. Add requested session id to standard pattern options (%Sr?)
> or
> 3. Add %{xxx}rm to call ServletRequest.xxx and print the result
> (allows ${getRequestedSessionId}rm
>
> Any comments?
>
> Thanks,
> - -chris
>
