RE: Removing SBs when expiring HttpSessions ... the challenge continues.

Thu, 22 Mar 2001 12:40:40 -0800 

Just a tought: impersonate a role within the SB's method remove instead of
reliying on interactive login:

public void remove() .... {
        //get UserManager
        UserManager um = ic.lookup("java:comp/UserManager");
        um.login("mySecuritySafeUser","thePassWd");
        this.myejbref.remove();
}

I haven't tried this, but I guess it should work, specially if auto-sessions
are on...

HTH,

JP

> -----Original Message-----
> From: Gerald Gutierrez [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 22, 2001 3:05 PM
> To: Orion-Interest
> Subject: Removing SBs when expiring HttpSessions ... the challenge
> continues.
> 
> 
> 
> When an HttpSession expires, it calls valueUnbound() on all 
> session-bound
> variables that implement the HttpSessionBindingListener 
> interface. So this
> provides a way for expiring HTTP sessions to remove session 
> beans that would
> otherwise stay active and eventually consume all resources 
> and cause the
> server to crash.
> 
> The reasonable thing to do is to call ejb.remove() (and whatever other
> methods) within the valueUnbound() method so that the SB can 
> clean up and be
> removed on the event.
> 
> HOWEVER, if the SB is protected by security constraints, 
> calling methods on
> the SB causes either NullPointerExceptions, or SecurityExceptions.
> 
> In my case, I have a HttpSession which has bound an SB, which 
> in turn has a
> reference to an EB. When the session expires, I need to 
> remove the SB, which
> in turn must call a method on the EB. If I attempt to just 
> call sb.remove(),
> the ejbRemove() method is called but a NullPointerException 
> is thrown in the
> EB's wrapper. If I call getCallerPrincipal() in the SB first 
> (which returns
> me the "guest" user), then call the EB, a SecurityException is thrown.
> Ignoring the fact that the different exceptions may be an 
> Orion bug, the
> fact still remains that the "guest" user is calling the SB 
> when calling
> through the valueUnbound() method.
> 
> SO, the question, once again, is: When an HttpSession 
> expires, what's the
> proper way to cleanup and remove the EJBs that are bound to 
> that session?
> 
> 
> 
> Gerald.
> 
>

Reply via email to