Lynckmeister,

On 2/10/2009 12:34 PM, lynckmeister wrote:
> I have the problem that if my session times out I've been redirected to the
> login page (from the secured area). If I re-login I get some null-pointer
> exceptions in my application (first the Orchestra framework has a problem).

This is not surprising, as your session state has most likely been reset. If you want users to be able to resume their sessions after a session timeout, you need to provide enough information in the request to either restore the session state, or to indicate to the user that they need to start their process over after the re-login.

> I investigated, and it seems to be the problem that the realm stores the
> request of the original call. If the user re-logs on now, the first request
> seems to be substituted.

Correct. This follows section 12.5.3 of the servlet specification:

"When a user attempts to access a protected web resource, the container checks the user's authentication. If the user is authenticated and possesses authority to access the resource, the requested web resource is activated and a reference to it is returned. If the user is not authenticated, all of the following steps occur:

1. The login form associated with the security constraint is sent to the client and the URL path triggering the authentication is stored by the container.
2. The user is asked to fill out the form, including the username and password fields.
3. The client posts the form back to the server.
4. The container attempts to authenticate the user using the information from the form.
5. If authentication fails, the error page is returned using either a forward or a re-direct, and the status code of the response is set to 200.
6. If authentication succeeds, the authenticated user's principal is checked to see if it is in an authorized role for accessing the resource.
7. If the user is authorized, the client is redirected to the resource using the stored URL path."

> In my session filter, I'm trying to check if the
> session is invalid, but it's not, b/c there is already a new valid session
> after login.

Instead of checking for a non-null session, maybe you should check for an object that you put in there -- something like SESSION_IS_VALID. Tomcat will definitely create the new session for you, but it won't store any attributes in there, so you can always add your own.

This is what we do in our application. On each request, we look for an object in the session attributes called "USER". If it's in there, we do nothing and let the request proceed as usual. If it's not in there, we perform a formal "login", get user preferences from the database, etc. and stuff them into the session. Then, we allow the request to proceed as usual.

> Is there a possibility to affect this behavior, so that the realm just leads
> me to the login page and nothing more?

See above. Maybe that technique will work for you.

-chris
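An added illustration of the per-request check described above (example code, not from the thread or from Tomcat): a servlet filter that treats a "USER" session attribute as the sign that the application-level login has already run, re-runs that login when Tomcat's FORM re-authentication has handed it a fresh, empty session, and sends the user back to the start of a multi-step flow whose state died with the old session instead of letting a later step hit a null pointer. The PROCESS_STARTED attribute, the /process/ URL layout and the loadPreferences lookup are assumptions of this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionStateFilter implements Filter {
    static final String USER_ATTR = "USER";               // marker attribute named in the thread
    static final String PROCESS_ATTR = "PROCESS_STARTED"; // assumed flag set when a flow begins

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal principal = request.getUserPrincipal();
        if (principal == null) {          // unprotected resource: nothing to restore
            chain.doFilter(req, res);
            return;
        }
        // The realm authenticated the caller and Tomcat created a new session, but it
        // holds none of our attributes: a null USER means our own login has not run yet.
        HttpSession session = request.getSession(true);
        if (session.getAttribute(USER_ATTR) == null) {
            session.setAttribute(USER_ATTR, loadPreferences(principal.getName()));
        }
        // The stored URL may point into a flow whose state was lost with the old session.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith("/process/") && !path.equals("/process/start")
                && session.getAttribute(PROCESS_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + "/process/start");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Assumed stand-in for the database lookup of the user's preferences. */
    static Map<String, String> loadPreferences(String username) {
        Map<String, String> prefs = new HashMap<String, String>();
        prefs.put("username", username);
        return prefs;
    }
}
```

Map the filter in web.xml to the same URL patterns as the security constraint so it runs only after the realm has done its work.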