How can I change the session timeout for the OC4J Enterprise Manager console?
It times out too quickly between deployments in our development environment.
The default session timeout of an application in OC4J is 20 minutes. If you need to change the same for an application, you have to explicitly set the session timeout value in web.xml.
This holds good even for Enterprise Manager as well, which is deployed as the application ascontrol. The web.xml file of ascontrol will be available at $ORACLE_HOME/j2ee/OC4J_INSTANCE/config/applications/ascontrol/ascontrol/WEB-INF/web.xml. You will have to introduce the session-timeout element in this file at the appropriate location (usually at the end), so that the XML is valid. A restart of the OC4J instance is required.
Do note that this comes with no guarantees, and it is better to confirm via Oracle Support if this configuration change is supported.
Alternatively, you can use admin_client.jar or admin.jar to deploy your application.
We have a Java web application which was hosted in Tomcat 8. For session management, we have been using memcache, which maintains non-sticky sessions. This has been working fine without any issues.
Now there is a requirement to upgrade Tomcat from 8 to Tomcat 9, and the upgradation with the necessary jars for Tomcat 9 has been done. After the upgradation, we are facing an issue in the application where the session is becoming null. Some of the links in the app associated with the session are working fine, and some of them, when clicked, get me logged out of the session. Checking the logs, I see the session object is null.
The memcached jars used as part of Tomcat 9 and copied under tomcat9/lib:
memcache-session-manager-2.3.2
memcache-session-manager-tc9-2.3.2
jettison-1.1.jar
spymemcached-2.12.0
http-core-4.3
http-core-nio-4.3
We are using 3rd-party serialization for this use case, and those jars are also copied into the Tomcat lib folder:
kryo-3.0.3.jar
kryo-serializers-0.37.jar
minlog-1.3.0.jar
msm-kryo-serializer-1.9.3.jar
objenesis-2.1.jar
protobuf-java-2.6.1.jar
reflectasm-1.10.1.jar
With these jars, I am able to see Tomcat start up without any issues.
<Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
    memcachedNodes="n1:ip:port"
    lockingMode="auto"
    sticky="false"
    requestUriIgnorePattern=".*\.(png|gif|jpg|css|js)$"
    sessionBackupAsync="false"
    sessionBackupTimeout="100"
    copyCollectionsForSerialization="false"
    transcoderFactoryClass="de.javakaffee.web.msm.serializer.kryo.KryoTranscoderFactory"/>
I followed the link below for setting up the memcache configuration in my application.
https://github.com/magro/memcached-session-manager/wiki/SetupAndConfiguration
Please help me if I am missing anything in the configuration.
Thanks
Pradeep
Have solved this issue by removing the param requestUriIgnorePattern from the context.xml, as this was creating different sessions.
In a WebSphere application we have a requirement for JTA transactions with JMS + Gemfire. Based on product recommendations, we're trying to configure Gemfire as last-resource. There is not enough support/example in the documentation:
http://gemfire82.docs.pivotal.io/docs-gemfire/latest/developing/transactions/JTA_transactions_with_GemFire.html#concept_csy_vfb_wk
JTA - Websphere UOW
Resources - JMS, Gemfire (8.2.1)
Can someone publish a sample websphere-ra.xml?
There are no websphere-specific resource deployment descriptors for WebSphere Application Server. Last agent optimization can be configured for a server or for an application. To configure it for a server, in full profile, you enable 'Accept Heuristic Hazard' in the transaction service settings. Example:
https://www.ibm.com/support/knowledgecenter/en/SSAW57_7.0.0/com.ibm.websphere.nd.doc/info/ae/ae/udat_contranserv.html
If you choose instead the application level, you need to use the websphere-specific extensions to the deployment descriptor for applications. The setting is called 'Last participant support'. Example:
https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/lao/tasks/tla_cfap2.html
When correctly configured, the server will allow a single one-phase resource to enlist in a global transaction, and will treat it as the last agent. If more than one one-phase resource is enlisted, you will get an exception. In this specific case, you would need to make sure that the JMS resources are XA-capable so that they will not try to be the last agent.
All
I am developing a web application using Tomcat 6.X and MyEclipse.
When I make changes to existing Java files (Java classes, servlets, filters), I have to redeploy the application to the Tomcat server, but when I redeploy the application the existing session becomes null.
Is there any way that I can persist the existing session between redeployments from MyEclipse?
From Tomcat Docs
Check here for tutorial on JDBC persistence, tomcat-6-session-persistence-through-jdbcstore
FileBased
JDBC Based Store
Restart Persistence
Whenever Catalina is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation will attempt to serialize all currently active sessions to a disk file located via the pathname attribute. All such saved sessions will then be deserialized and activated (assuming they have not expired in the mean time) when the application reload is completed.
In order to successfully restore the state of session attributes, all such attributes MUST implement the java.io.Serializable interface. You MAY cause the Manager to enforce this restriction by including the element in your web application deployment descriptor (/WEB-INF/web.xml).
Can I somehow restore the session on JBoss after restart? I want to use it on my development machine.
This is answered in the documentation:
Since JBoss-3.2.6RC1:
The default tomcat session manager will persist sessions. This can
lead to problems when restarting jboss or redeploying a war if the
session contains non-serializable data.
To disable session persistence, you create a WEB-INF/context.xml with
a Manager element that sets the pathname to an empty value:
<Context>
<Manager className="org.apache.catalina.session.StandardManager"
pathname="" ></Manager>
</Context>
JBoss-3.2.5 and earlier do not read the WEB-INF/context.xml file.
JBoss 4.0.3 has this disabled by default. See
/jboss-4.0.3/server/default/deploy/jbossweb-tomcat55.sar/context.xml
All servlet containers will try to keep the session alive between server restarts. But all session objects must be serializable in order for this to work.
I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around?
This defect (found here) points the way to the solution. The Tomcat instance that runs in JBoss is configured with emptySessionPath="true", rather than "false", which is the default. This can be modified in .../deploy/jboss-web.deployer/server.xml; both the HTTP and AJP connectors have this option.
The feature itself is used to eliminate the context path (eg. "foo" in http://example.com/foo) from being included in the JSESSIONID cookie. Setting it to false will break applications that rely on cross-application authentication, which includes stuff built using some portal frameworks. It didn't negatively affect the application in question, however.
This problem and the specific case in which it occurs is a problem in Tomcat as well as JBoss. Tomcat shares the emptySessionPath="true" effect (and actually JBoss inherits it from Tomcat).
This really seems like a bug in Tomcat and JBoss when you are trying to prevent session fixation attacks but the servlet spec (at least version 2.3) does not actually require the JSESSIONID to be defined or redefined according to any specific logic. Perhaps this has been cleaned up in later versions.
One workaround is to store the client address in the session. A response wrapper should validate the client address set in the session is same as the one accessing the session.
I came to know of the setting snippet below from one of the forums, and I added the lines below. But when I print the session ID before and after logging in to the application, it is the same. How would I test session fixation?
D:\jboss-5.1.0.GA\bin\run.cof file and add the below line.
set "JAVA_OPTS=%JAVA_OPTS% -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false"
in each context.xml of the jboss applications.
D:\jboss-5.1.0.GA\server\default\deploy\jbossweb.sar\context.xml
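The check discussed in this thread (does JSESSIONID change at login, and is the cookie scoped to the context path?) can be automated over captured Set-Cookie headers. The following is an added example, not code from any of the posts above; the function names, finding codes and sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie

def session_cookie(set_cookie_headers, name="JSESSIONID"):
    """Return (value, path) for the last Set-Cookie header that sets `name`, else None."""
    found = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            found = (jar[name].value, jar[name]["path"] or None)
    return found

def check_session_rotation(pre_login, post_login, name="JSESSIONID"):
    """Compare the session cookie issued before login with the one issued by
    the login response. Returns a list of finding codes (empty list = pass)."""
    before = session_cookie(pre_login, name)
    after = session_cookie(post_login, name)
    if before is None:
        # No anonymous session was issued, so this capture cannot show
        # whether a pre-login ID survives authentication.
        return ["inconclusive-no-pre-login-session"]
    findings = []
    if after is None or after[0] == before[0]:
        # Either no new cookie was sent, or the container re-issued the same
        # value: the pre-login ID is still the authenticated session's ID.
        findings.append("session-id-not-rotated")
    path = (after or before)[1]
    if path == "/":
        # Cookie is scoped to the whole host instead of the context path,
        # matching the effect the thread attributes to emptySessionPath="true".
        findings.append("cookie-path-is-root")
    return findings

# Constructed sample captures (not real traffic): Set-Cookie values from the
# response before login and from the response to the login request.
SAME_ID = (["JSESSIONID=3F2A9C10D4; Path=/; HttpOnly"],
           ["JSESSIONID=3F2A9C10D4; Path=/; HttpOnly"])
ROTATED = (["JSESSIONID=3F2A9C10D4; Path=/foo; HttpOnly"],
           ["JSESSIONID=9B77D1E052; Path=/foo; HttpOnly"])

if __name__ == "__main__":
    for label, (pre, post) in (("same id", SAME_ID), ("rotated", ROTATED)):
        print(label, "->", check_session_rotation(pre, post) or "pass")
```

Feed it the Set-Cookie values from your own test environment's pre-login and login responses; an empty list means the ID changed at login and the cookie is not host-wide.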