Restore session after restart in JBoss - java

Can I somehow restore the session on JBoss after restart? I want to use it on my development machine.

This is answered in the documentation:
Since JBoss-3.2.6RC1:
The default tomcat session manager will persist sessions. This can
lead to problems when restarting jboss or redeploying a war if the
session contains non-serializable data.
To disable session persistence, you create a WEB-INF/context.xml with
a Manager element that sets the pathname to an empty value:
<Context>
<Manager className="org.apache.catalina.session.StandardManager"
pathname="" ></Manager>
</Context>
JBoss-3.2.5 and earlier do not read the WEB-INF/context.xml file.
JBoss 4.0.3 has this disabled by default. See
/jboss-4.0.3/server/default/deploy/jbossweb-tomcat55.sar/context.xml

All servlet containers will try to keep the session alive between server restarts. But all session objects must be serializable in order for this to work.

Related

How frequent does Tomcat rotate JSESSIONID within same session

I was trying to scan a web app hosted in Tomcat and faced some difficulty, and later realized that even within the same session for a user, Tomcat changes the JSESSIONID (monitored using Fiddler). I could not find any configuration in server.xml for this. Any info on this would be helpful.
I would assume Tomcat would do this to defend Session Fixation
I believe the default session timeout for a servlet is 30 minutes.
It can be altered with <session-timeout> in web.xml.

Persisting Session of Tomcat Server Application between redeployments from MyEclipse IDE

All
I am developing a web application using Tomcat 6.X and MyEclipse.
When I make some changes in existing Java files (Java classes, servlets, filters), I have to redeploy it to the Tomcat server. But when I redeploy the application, the
existing session becomes null.
Is there any way that I can persist the existing session between redeployments from MyEclipse?
From Tomcat Docs
Check here for a tutorial on JDBC persistence: tomcat-6-session-persistence-through-jdbcstore
FileBased
JDBC Based Store
Restart Persistence
Whenever Catalina is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation will attempt to serialize all currently active sessions to a disk file located via the pathname attribute. All such saved sessions will then be deserialized and activated (assuming they have not expired in the meantime) when the application reload is completed.
In order to successfully restore the state of session attributes, all such attributes MUST implement the java.io.Serializable interface. You MAY cause the Manager to enforce this restriction by including the element in your web application deployment descriptor (/WEB-INF/web.xml).

Spring not restoring tomcat persistent sessions to session registry after restart?

I'm using Tomcat 6.2 and Spring MVC 2.5. I've noticed that, whilst a user is logged in I can restart Tomcat and the user is able to continue browsing without re-authenticating. This appears to be coming from Tomcat's ability to persist sessions across restarts.
It appears, however, that these persisted sessions do not make it back into the Spring session registry. When retrieving a user's session information from the session registry before the restart I get back information. After a restart, though, the session registry has no information on the user.
Have I missed some configuration that would allow Spring to restore these persisted Tomcat sessions after a restart? Failing that, is there a way to kick a user out of the web application without calling sessionInformation.expireNow()?
Try this configuration:
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
...
<property name="alwaysReauthenticate" value="true"/>
</bean>
Are the objects, you want persisted and then restored from the session, serializable?

oc4j enterprise manager console session timeout?

How can I change the session timeout for the OC4J Enterprise Manager console?
It times out too quickly between deployments in our development environment.
The default session timeout of an application in OC4J is 20 minutes. If you need to change the same for an application, you have to explicitly set the session timeout value in web.xml.
This holds good even for Enterprise Manager as well, which is deployed as the application ascontrol. The web.xml file of ascontrol will be available at $ORACLE_HOME/j2ee/OC4J_INSTANCE/config/applications/ascontrol/ascontrol/WEB-INF/web.xml. You will have to introduce the session-timeout element in this file at the appropriate location (usually at the end), so that the XML is valid. A restart of the OC4J instance is required.
Do note that this comes with no guarantees, and it is better to confirm via Oracle Support that this configuration change is supported.
Alternatively, you can use admin_client.jar or admin.jar to deploy your application.

Resolving Session Fixation in JBoss

I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around?
This defect (found here) points the way to the solution. The Tomcat instance that runs in JBoss is configured with emptySessionPath="true", rather than "false", which is the default. This can be modified in .../deploy/jboss-web.deployer/server.xml; both the HTTP and AJP connectors have this option.
The feature itself is used to eliminate the context path (e.g. "foo" in http://example.com/foo) from being included in the JSESSIONID cookie. Setting it to false will break applications that rely on cross-application authentication, which includes stuff built using some portal frameworks. It didn't negatively affect the application in question, however.
This problem and the specific case in which it occurs is a problem in Tomcat as well as JBoss. Tomcat shares the emptySessionPath="true" effect (and actually JBoss inherits it from Tomcat).
This really seems like a bug in Tomcat and JBoss when you are trying to prevent session fixation attacks but the servlet spec (at least version 2.3) does not actually require the JSESSIONID to be defined or redefined according to any specific logic. Perhaps this has been cleaned up in later versions.
One workaround is to store the client address in the session. A response wrapper should validate the client address set in the session is same as the one accessing the session.
I came to know of the code-setting snippet below from one of the forums, and I added the lines below. But when I print the session ID before and after logging in to the application, it is the same. How would I test session fixation?
In the D:\jboss-5.1.0.GA\bin\run.cof file, add the line below:
set "JAVA_OPTS=%JAVA_OPTS% -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false"
and in each context.xml of the JBoss applications, e.g.:
D:\jboss-5.1.0.GA\server\default\deploy\jbossweb.sar\context.xml
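The two mitigations this thread discusses, the "standard idiom" of replacing the session after a successful login and the answer's workaround of binding the session to the client address, as an added example written for this page (not code from any of the posters or from JBoss/Tomcat; the attribute name guard.clientAddr and the class name are assumptions):

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: session-fixation defences from this thread, servlet API only. */
public final class SessionFixationGuard {
    // Assumed attribute name under which the client address is bound to the session.
    static final String CLIENT_ADDR = "guard.clientAddr";

    private SessionFixationGuard() {}

    /**
     * The standard idiom: call this right after credentials have been verified.
     * The session the client arrived with is discarded (an attacker may have
     * planted its id), and the pre-login attributes are carried into a fresh one.
     */
    public static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // The answer's workaround: remember which client address this session belongs to.
        fresh.setAttribute(CLIENT_ADDR, request.getRemoteAddr());
        return fresh;
    }

    /**
     * Per-request check (call from a Filter before the chain continues): a session
     * presented from an address other than the one it was bound to is not served.
     */
    public static boolean clientAddressMatches(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return true;  // no session yet, nothing to hijack
        }
        Object bound = session.getAttribute(CLIENT_ADDR);
        return bound == null || bound.equals(request.getRemoteAddr());
    }
}
```

Compare request.getSession().getId() before and after calling renewSession to confirm the container really issued a new id; with emptySessionPath="true" on JBoss it may not, which is the symptom the last comment describes. Address binding is a fallback with a known cost: clients behind a shared NAT or proxy are indistinguishable to it, and a user whose address changes mid-session is logged out.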
