HTTP session gets created after the pageflow application invalidates it
(logout) and the response is committed, resulting in IllegalStateException
--------------------------------------------------------------------------------------------------------------------------------------------------
Key: BEEHIVE-873
URL: http://issues.apache.org/jira/browse/BEEHIVE-873
Project: Beehive
Type: Bug
Components: NetUI
Versions: v1m1, V1Beta, V1Alpha
Environment: Beehive SVN latest,
Tomcat 5.5.7 and Tomcat 5.5.9
Reporter: Abdessattar Sassi
Attachments: session-patch.txt
The application scenarion is as following:
- A JSP calls an action in a page flow controller that does the logout from the
application.
- The pageflow logout action is as following:
/**
*/
@Jpf.Action(
forwards = {
@Jpf.Forward(name = "success", path = "/bye.html", redirect
= true)
}
)
protected Forward doLogout() {
// Logout but if running with Single Sign-On in the app server, do not
// invalidate all the sessions.
// The current application session will be invalidated manually right
// after the logout.
logout(false);
HttpSession session = getRequest().getSession(false);
if (session != null) {
session.invalidate();
}
return new Forward("success");
}
- The HTTP session get invalidated by the application, it actually also gets
invalidated by the Tomcat server adapter PageFlowValve in logout().
- The request processing in PageFlowrequestProcessor,
private void processInternal( HttpServletRequest request, HttpServletResponse
response )
ends teh processing by calling the DeferredSessionStorageHandler public void
applyChanges( RequestContext context ) method which does the following:
if ( changedAttrs != null )
{
HttpSession session = request.getSession();
- The call to getSession() results in an attempt to create the Session object
again even though the response has been committed by Tomcat. Such conditions
result in an IllegalStateException thrown by Tomcat and an error page to the
user.
A suggested good behavior (to be validated by the beehive developers) is to
obtain the session without creating it and checking if a session exists or not
before applying the changes:
if ( changedAttrs != null )
{
HttpSession session = request.getSession(false);
if ( session != null )
{
A patch to the DeferredSessionStorageHandler class is provided with this issue
report. The patch was tested and now the application works just like expected.
After logout, the bye.html page is displayed and no more session exists in the
Tomcat server after logout.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
