[jira] Commented: (SLING-1270) Replace Session.logout from SlingMainServlet
[ https://issues.apache.org/jira/browse/SLING-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12900692#action_12900692 ] Felix Meschberger commented on SLING-1270: -- So this can then be resolved for now. > Replace Session.logout from SlingMainServlet > > > Key: SLING-1270 > URL: https://issues.apache.org/jira/browse/SLING-1270 > Project: Sling > Issue Type: Task > Components: Engine >Affects Versions: Engine 2.0.6 >Reporter: Felix Meschberger >Assignee: Felix Meschberger > Fix For: Engine 2.1.0 > > > The new Commons Auth bundle from SLING-966 registers a ServletRequestListener > to be informed when the request has terminated and the session may be logged > out. Currently, the Http Service implementation does not support such > listeners and the session may not be logged out at all. > As a workaround the Commons Auth bundle implements a Java VM finalize() > method to try to ensure logging the session out. > As a further workaround the SlingMainServlet should - in a finally clause - > logout the session of the request's resource resolver. > The SlingMainServlet configuration should be removed as soon as we can > reasonably be sure of ServletRequestListener support. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
Re: Sling Request Lifecycle events (was: [jira] Commented: (SLING-1270) Replace Session.logout from SlingMainServlet)
On 6 Jan 2010, at 13:01, Felix Meschberger wrote:
> Hi Ian,
>
> On 06.01.2010 11:57, Ian Boston wrote:
>> I agree that we should use the ServletRequestListener support, but I
>> continue to wonder if there isnt a need for a request lifecycle to be
>> exposed by the sling main servlet which would avoid having to a) create a
>> stack of ServletFilters b) bind the SlingMainServlet to other apis' c) bind
>> to the ServletRequestListener which is as you note not always supported ?
>
> We might want to add request lifecycle events to the SlingMainServlet as
> far as the service method is concerned. This would work perfectly fine
> for requests handled through the SlingMainServlet (which is the majority
> of the requests handled by a Sling instance).
>
> Specifically the WebDAV requests to the /dav subtree would not benefit
> from this (unless we add the same lifecycle support there ...)
>
> Still: this would not help in the authentication case because
> authentication is handled outside of the SlingMainServlet before the
> service method is even called. In fact if authentication fails, the
> SlingMainServlet.service method is not called at all.
good point.
>
>>
>> At present we have ServletFilters for a XA Transaction manager and Request
>> Scope Caching, the stack is good in some senses since we can perform try
>> finally but we rely heavily on the programmer knowing exactly what is safe
>> to do.
>
> How about adding a SlingRequestListener interface, which mimicks the
> ServletRequestListener interface:
>
> public interface SlingRequestListener {
>void requestDestroyed(SlingRequestEvent sre);
>void requestInitialized(SlingRequestEvent sre);
> }
>
> public class SlingRequestEvent {
>SlingHttpServletRequest getSlingRequest();
> }
>
> The methods would be called at the same time, the RequestLogger methods
> are called (lines 252 and 363 in trunk SlingMainServlet).
>
> WDYT ?
yes that makes perfect sense, the calls obviously wrapped in try catch to
prevent anything doing bad things on destroy, ie the event is only for
notification purposes and not for flow control etc
Ian
>
> Regards
> Felix
>
>>
>> Ian
>>
>> On 6 Jan 2010, at 10:37, Felix Meschberger (JIRA) wrote:
>>
>>>
>>> [
>>> https://issues.apache.org/jira/browse/SLING-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797052#action_12797052
>>> ]
>>>
>>> Felix Meschberger commented on SLING-1270:
>>> --
>>>
>>> Committed temporary session logout in the SlingMainServlet in Rev. 896372.
>>>
Replace Session.logout from SlingMainServlet
Key: SLING-1270
URL: https://issues.apache.org/jira/browse/SLING-1270
Project: Sling
Issue Type: Task
Components: Engine
Affects Versions: Engine 2.0.6
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Engine 2.1.0
The new Commons Auth bundle from SLING-966 registers a
ServletRequestListener to be informed when the request has terminated and
the session may be logged out. Currently, the Http Service implementation
does not support such listeners and the session may not be logged out at
all.
As a workaround the Commons Auth bundle implements a Java VM finalize()
method to try to ensure logging the session out.
As a further workaround the SlingMainServlet should - in a finally clause
- logout the session of the request's resource resolver.
The SlingMainServlet configuration should be removed as soon as we can
reasonably be sure of ServletRequestListener support.
>>>
>>> --
>>> This message is automatically generated by JIRA.
>>> -
>>> You can reply to this email to add a comment to the issue online.
>>>
>>
>>
Sling Request Lifecycle events (was: [jira] Commented: (SLING-1270) Replace Session.logout from SlingMainServlet)
Hi Ian,
On 06.01.2010 11:57, Ian Boston wrote:
> I agree that we should use the ServletRequestListener support, but I continue
> to wonder if there isnt a need for a request lifecycle to be exposed by the
> sling main servlet which would avoid having to a) create a stack of
> ServletFilters b) bind the SlingMainServlet to other apis' c) bind to the
> ServletRequestListener which is as you note not always supported ?
We might want to add request lifecycle events to the SlingMainServlet as
far as the service method is concerned. This would work perfectly fine
for requests handled through the SlingMainServlet (which is the majority
of the requests handled by a Sling instance).
Specifically the WebDAV requests to the /dav subtree would not benefit
from this (unless we add the same lifecycle support there ...)
Still: this would not help in the authentication case because
authentication is handled outside of the SlingMainServlet before the
service method is even called. In fact if authentication fails, the
SlingMainServlet.service method is not called at all.
>
> At present we have ServletFilters for a XA Transaction manager and Request
> Scope Caching, the stack is good in some senses since we can perform try
> finally but we rely heavily on the programmer knowing exactly what is safe to
> do.
How about adding a SlingRequestListener interface, which mimicks the
ServletRequestListener interface:
public interface SlingRequestListener {
void requestDestroyed(SlingRequestEvent sre);
void requestInitialized(SlingRequestEvent sre);
}
public class SlingRequestEvent {
SlingHttpServletRequest getSlingRequest();
}
The methods would be called at the same time, the RequestLogger methods
are called (lines 252 and 363 in trunk SlingMainServlet).
WDYT ?
Regards
Felix
>
> Ian
>
> On 6 Jan 2010, at 10:37, Felix Meschberger (JIRA) wrote:
>
>>
>>[
>> https://issues.apache.org/jira/browse/SLING-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797052#action_12797052
>> ]
>>
>> Felix Meschberger commented on SLING-1270:
>> --
>>
>> Committed temporary session logout in the SlingMainServlet in Rev. 896372.
>>
>>> Replace Session.logout from SlingMainServlet
>>>
>>>
>>>Key: SLING-1270
>>>URL: https://issues.apache.org/jira/browse/SLING-1270
>>>Project: Sling
>>> Issue Type: Task
>>> Components: Engine
>>> Affects Versions: Engine 2.0.6
>>> Reporter: Felix Meschberger
>>> Assignee: Felix Meschberger
>>>Fix For: Engine 2.1.0
>>>
>>>
>>> The new Commons Auth bundle from SLING-966 registers a
>>> ServletRequestListener to be informed when the request has terminated and
>>> the session may be logged out. Currently, the Http Service implementation
>>> does not support such listeners and the session may not be logged out at
>>> all.
>>> As a workaround the Commons Auth bundle implements a Java VM finalize()
>>> method to try to ensure logging the session out.
>>> As a further workaround the SlingMainServlet should - in a finally clause -
>>> logout the session of the request's resource resolver.
>>> The SlingMainServlet configuration should be removed as soon as we can
>>> reasonably be sure of ServletRequestListener support.
>>
>> --
>> This message is automatically generated by JIRA.
>> -
>> You can reply to this email to add a comment to the issue online.
>>
>
>
Re: [jira] Commented: (SLING-1270) Replace Session.logout from SlingMainServlet
Felix, I agree that we should use the ServletRequestListener support, but I continue to wonder if there isnt a need for a request lifecycle to be exposed by the sling main servlet which would avoid having to a) create a stack of ServletFilters b) bind the SlingMainServlet to other apis' c) bind to the ServletRequestListener which is as you note not always supported ? At present we have ServletFilters for a XA Transaction manager and Request Scope Caching, the stack is good in some senses since we can perform try finally but we rely heavily on the programmer knowing exactly what is safe to do. Ian On 6 Jan 2010, at 10:37, Felix Meschberger (JIRA) wrote: > >[ > https://issues.apache.org/jira/browse/SLING-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797052#action_12797052 > ] > > Felix Meschberger commented on SLING-1270: > -- > > Committed temporary session logout in the SlingMainServlet in Rev. 896372. > >> Replace Session.logout from SlingMainServlet >> >> >>Key: SLING-1270 >>URL: https://issues.apache.org/jira/browse/SLING-1270 >>Project: Sling >> Issue Type: Task >> Components: Engine >> Affects Versions: Engine 2.0.6 >> Reporter: Felix Meschberger >> Assignee: Felix Meschberger >>Fix For: Engine 2.1.0 >> >> >> The new Commons Auth bundle from SLING-966 registers a >> ServletRequestListener to be informed when the request has terminated and >> the session may be logged out. Currently, the Http Service implementation >> does not support such listeners and the session may not be logged out at all. >> As a workaround the Commons Auth bundle implements a Java VM finalize() >> method to try to ensure logging the session out. >> As a further workaround the SlingMainServlet should - in a finally clause - >> logout the session of the request's resource resolver. >> The SlingMainServlet configuration should be removed as soon as we can >> reasonably be sure of ServletRequestListener support. > > -- > This message is automatically generated by JIRA. > - > You can reply to this email to add a comment to the issue online. >
[jira] Commented: (SLING-1270) Replace Session.logout from SlingMainServlet
[ https://issues.apache.org/jira/browse/SLING-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797052#action_12797052 ] Felix Meschberger commented on SLING-1270: -- Committed temporary session logout in the SlingMainServlet in Rev. 896372. > Replace Session.logout from SlingMainServlet > > > Key: SLING-1270 > URL: https://issues.apache.org/jira/browse/SLING-1270 > Project: Sling > Issue Type: Task > Components: Engine >Affects Versions: Engine 2.0.6 >Reporter: Felix Meschberger >Assignee: Felix Meschberger > Fix For: Engine 2.1.0 > > > The new Commons Auth bundle from SLING-966 registers a ServletRequestListener > to be informed when the request has terminated and the session may be logged > out. Currently, the Http Service implementation does not support such > listeners and the session may not be logged out at all. > As a workaround the Commons Auth bundle implements a Java VM finalize() > method to try to ensure logging the session out. > As a further workaround the SlingMainServlet should - in a finally clause - > logout the session of the request's resource resolver. > The SlingMainServlet configuration should be removed as soon as we can > reasonably be sure of ServletRequestListener support. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
