-----Original Message-----
From: Konstantin Kolinko <knst.koli...@gmail.com>
Sent: Mon 14.05.2012 15:00
Subject: Re: Manager activeSessions and customized error page
To: Tomcat Users List <users@tomcat.apache.org>

> 2012/5/14 Thomas Rohde <t...@ordix.de>:
> > Hi!
> >
> > I configured the Manager's maxActiveSessions attribute in context.xml. If the configured value is exceeded an IllegalStateException "createSession: Too many active sessions" is thrown in ManagerBase class. In our application we catch this exception around httpServletRequest.getSession(true) and redirect to a customized error page. Works!
> >
> > Now I activated form based authentication via security constraint in web.xml. If I try to open the web application with my browser by sending the first request, the response is empty (status 200 OK).
> >
> > Is there any way to map a static customized error page in this scenario?
> >
>
> It depends on where ErrorReportValve is in the request processing
> chain in your situation. There were several changes to that (read:
> fixes) in different Tomcat 7.0.x versions. You did not write which
> version you use.

Sorry! I tested with 7.0.8.

>
> If it is reproducible in latest 7.0.27, feel free to create a bug
> report and attach a simple sample web application + steps to
> reproduce.
>
> It might be that it is already reproducible with the standard example
> app [1], but I have not tried.
>
> [1] http://localhost:8080/examples/jsp/security/protected/index.jsp

Now I tried with the standard example and 7.0.27. I get the default 500 error page. Would be great to have a possibility to distinguish between this error and any other error.

> > If not: Is there any other approach to limit the number of sessions?
>
> I think it is possible with a Filter, Valve or with a SessionListener.
> It should also be possible with a custom o.a.c.Manager.
> YMMV.

A Filter was my first approach. But the filter is invoked after authentication has taken place. And for authentication a session is needed. ;-) A HttpSessionListener is invoked AFTER a session is created. It seems that every approach has some ugly pitfalls. :(

> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Thomas
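
The Valve approach mentioned in the thread, sketched as an added example (not code from the thread or from Tomcat itself): a hypothetical `SessionLimitValve` with a made-up `limit` attribute answers session-less requests with a 503 once the Manager reports that many active sessions, instead of letting session creation fail inside the authenticator. It assumes the Tomcat 7 API, that the valve is declared in context.xml so that it runs ahead of the authenticator valve, and that a 503 sent this way is picked up by a web.xml `<error-page>` mapping for that code.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.Manager;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical valve; the class name and the "limit" attribute are this
 * example's own and are not part of Tomcat.
 * Assumed declaration: <Valve className="SessionLimitValve" limit="100"/>
 */
public class SessionLimitValve extends ValveBase {

    private int limit = 100; // constructed default, override in context.xml

    public void setLimit(int limit) { this.limit = limit; }
    public int getLimit() { return limit; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Context context = request.getContext();
        Manager manager = (context == null) ? null : context.getManager();

        // A request that already carries a valid session will not create a
        // new one, so only session-less requests count against the limit.
        boolean hasSession = request.getSession(false) != null;

        if (manager != null && !hasSession
                && manager.getActiveSessions() >= limit) {
            // Refuse with a distinct status before the authenticator or the
            // application gets a chance to call getSession(true).
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                    "Too many active sessions");
            return;
        }
        getNext().invoke(request, response);
    }
}
```

The count check and the later session creation are not atomic, so `maxActiveSessions` should stay configured as the hard limit. The valve also turns away session-less requests that would never have created a session.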