I'm using Tomcat 6.2 and Spring MVC 2.5. I've noticed that, whilst a user is logged in I can restart Tomcat and the user is able to continue browsing without re-authenticating. This appears to be coming from Tomcat's ability to persist sessions across restarts.
It appears, however, that these persisted sessions do not make it back into the Spring session registry. When retrieving a user's session information from the session registry before the restart, I get back information. After a restart, though, the session registry has no information on the user.
Have I missed some configuration that would allow Spring to restore these persisted Tomcat sessions after a restart? Failing that, is there a way to kick a user out of the web application without calling sessionInformation.expireNow()?
Try this configuration:
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    ...
    <property name="alwaysReauthenticate" value="true"/>
</bean>
Are the objects you want persisted and then restored from the session serializable?
Related
I have a JSP-Servlet based Web application where I would like to achieve the following scenario.
I need to set the HTTP session alive time programmatically when I am creating the session.
I need to invalidate the session even though the user is actively using the application, which is why the classic Session Time out configurations in the deployment descriptor and session.setMaxInactiveInterval() will not work for me.
Thus, when I am creating the session, I need to make sure I provide the exact amount of time for which the session will be active.
Let me know how I can achieve this scenario. Thank you.
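One way to meet the requirement in the question above, as an added example that is not part of the original post: a servlet filter that ends the session a fixed time after it was created, however active the user is. The class name, the `maxLifetimeMinutes` init-param and the redirect to the context root are assumptions made for illustration; the filter still has to be mapped in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Ends a session a fixed time after creation, regardless of activity. */
public class AbsoluteSessionTimeoutFilter implements Filter {

    // Hypothetical init-param name; its value is the absolute lifetime in minutes.
    private static final String PARAM = "maxLifetimeMinutes";
    private long maxLifetimeMillis = 60L * 60L * 1000L; // default: one hour

    public void init(FilterConfig config) throws ServletException {
        String value = config.getInitParameter(PARAM);
        if (value != null) {
            try {
                maxLifetimeMillis = Long.parseLong(value.trim()) * 60L * 1000L;
            } catch (NumberFormatException e) {
                throw new ServletException("Invalid " + PARAM + ": " + value, e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session here
        if (session != null) {
            // Age is measured from creation, so user activity does not extend it.
            long age = System.currentTimeMillis() - session.getCreationTime();
            if (age > maxLifetimeMillis) {
                session.invalidate();
                // Assumed landing page: the context root, which should force a new login.
                ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```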
I am trying to implement a sticky session based load balancing across two Tomcat instances using the Hazelcast Tomcat Web Session Replication. For testing purposes, I have deployed the application on two different Tomcat instances and the load balancing is handled through Apache HTTPD. The jvmroute parameters and the mod-proxy settings are fine and the load balancing has no issues.
The problem is with the session replication across the two instances. When the first server (currently serving the request) goes down, the request is sent to the second server. The Hazelcast cluster identifies that the session is through fail-over and is copying the session with the new session id (suffixed with the jvmroute parameter of the second server), as described in the Hazelcast documentation (https://github.com/hazelcast/hazelcast-tomcat-sessionmanager#sticky-sessions-and-tomcat). However, for the failed-over request, the session attributes are getting updated in the older session (failed over jvmroute) and not getting replicated, resulting in the failure of the subsequent request.
I have gone through the documentation but am unable to find a resolution at this point. I am sure I am missing some setting, as this would be a basic setting for a fail-over scenario.
Can someone help me out? Please let me know if you need any additional details.
[UPDATE]
After tracing the flow, I was able to determine that handleTomcatSessionChange in com.hazelcast.session.HazelcastSessionChangeValve is being called correctly. The request.changeSessionId(newSessionId) call happens, and after this, if I display the value of the requested session id, the value is updated. However, the session id itself is not updated, and this results in the older id in a request.getSession().getId() call.
All
I am developing a web application using Tomcat 6.X and MyEclipse.
When I make changes to existing Java files (Java classes, servlets, filters), I have to redeploy the application to the Tomcat server, but when I redeploy it the existing session becomes null.
Is there any way that I can persist the existing session between redeployments from MyEclipse?
From Tomcat Docs
Check here for a tutorial on JDBC persistence: tomcat-6-session-persistence-through-jdbcstore
FileBased
JDBC Based Store
Restart Persistence
Whenever Catalina is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation will attempt to serialize all currently active sessions to a disk file located via the pathname attribute. All such saved sessions will then be deserialized and activated (assuming they have not expired in the mean time) when the application reload is completed.
In order to successfully restore the state of session attributes, all such attributes MUST implement the java.io.Serializable interface. You MAY cause the Manager to enforce this restriction by including the element in your web application deployment descriptor (/WEB-INF/web.xml).
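The serialization requirement quoted above can be checked before a restart exposes it. The following is an added example, not code from Tomcat or from the original answers: it test-serializes each attribute the way a persisting manager would have to, which also catches a Serializable class that holds a non-serializable field. The class names and the sample attributes are constructed for illustration; in a web application the map would be filled from HttpSession.getAttributeNames().

```java
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SessionAttributeCheck {

    /** Discards all bytes; only the success or failure of serialization matters. */
    private static final class NullOutputStream extends OutputStream {
        @Override public void write(int b) { }
        @Override public void write(byte[] b, int off, int len) { }
    }

    /** Returns the names of attributes that cannot be serialized, with the offending class. */
    static List<String> findUnpersistable(Map<String, Object> attributes) {
        List<String> failures = new ArrayList<String>();
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            try {
                ObjectOutputStream out = new ObjectOutputStream(new NullOutputStream());
                out.writeObject(e.getValue()); // walks the whole object graph
                out.close();
            } catch (IOException ex) { // includes NotSerializableException
                failures.add(e.getKey() + " (" + ex.getMessage() + ")");
            }
        }
        return failures;
    }

    // Constructed sample types standing in for real session attributes.
    static class Cart implements Serializable { int items = 3; }
    static class UserContext implements Serializable {
        Thread worker = new Thread(); // non-serializable field inside a Serializable class
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = new LinkedHashMap<String, Object>();
        attrs.put("cart", new Cart());               // serializes cleanly
        attrs.put("userContext", new UserContext()); // fails on the Thread field
        attrs.put("lock", new Object());             // not Serializable at all
        for (String name : findUnpersistable(attrs)) {
            System.out.println("not persistable: " + name);
        }
    }
}
```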
Can I somehow restore the session on JBoss after restart? I want to use it on my development machine.
This is answered in the documentation:
Since JBoss-3.2.6RC1:
The default tomcat session manager will persist sessions. This can
lead to problems when restarting jboss or redeploying a war if the
session contains non-serializable data.
To disable session persistence, you create a WEB-INF/context.xml with
a Manager element that sets the pathname to an empty value:
<Context>
    <Manager className="org.apache.catalina.session.StandardManager"
             pathname="" ></Manager>
</Context>
JBoss-3.2.5 and earlier do not read the WEB-INF/context.xml file.
JBoss 4.0.3 has this disabled by default. See
/jboss-4.0.3/server/default/deploy/jbossweb-tomcat55.sar/context.xml
All servlet containers will try to keep the session alive between server restarts. But all session objects must be serializable in order for this to work.
How can I change the session timeout for the OC4J Enterprise Manager console?
It times out too quickly between deployments in our development environment.
The default session timeout of an application in OC4J is 20 minutes. If you need to change the same for an application, you have to explicitly set the session timeout value in web.xml.
This holds good even for Enterprise Manager as well, which is deployed as the application ascontrol. The web.xml file of ascontrol will be available at $ORACLE_HOME/j2ee/OC4J_INSTANCE/config/applications/ascontrol/ascontrol/WEB-INF/web.xml. You will have to introduce the session-timeout element in this file at the appropriate location (usually at the end), so that the XML is valid. A restart of the OC4J instance is required.
Do note that this comes with no guarantees, and it is better to confirm via Oracle Support if this configuration change is supported.
Alternatively, you can use admin_client.jar or admin.jar to deploy your application.