HttpSession security

This might be a really stupid question, but is there anything I need to do to securely store data in a user's session? I need to store sensitive data in memory across a user's session in order for that data to be accessible across JSPs. Is it OK to store that data using session.setAttribute(), or do I need to do something else, like encrypt the data before storing it in memory?
Thanks.

Yes, you are right. Most of the issues require some hacker or evil employee gaining access to the servers/network in question. And yes, your two-way encryption key needs to be stored on that very same server/network.
My original answer was more hypothetical than practical. Security isn't my strongest area either. Before I read your original question it never occurred to me to encrypt session data, but you got me thinking about a bunch of what-ifs.
I think it boils down to this: under normal circumstances, no one from the outside should be able to see the session data. But if a hacker breaks through the firewall they might be able to sniff packet data or get into a database and see the session state in either of those two places. It's possible (I suppose) they could use an exploit that caused the web/app server to core, and they could read that looking for juicy data.
It's unlikely, though possible, that they could discover your two-way key and make use of it if you were encrypting the data.
Of course, if you have someone that gets this far you probably have bigger issues anyway.
Interesting.
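One way to do what the thread discusses, as an added example that is not from the original post: encrypt the value before session.setAttribute() with a key held only in the JVM (a field of the constructed SealedSessionAttributes class), so a session store that serializes attributes to disk or a database holds ciphertext rather than the plaintext value. It assumes Java 8+ and the javax.servlet API jar on the classpath; the Proxy-backed HttpSession is a constructed stand-in so the main method runs outside a container.

```java
import java.lang.reflect.Proxy;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.servlet.http.HttpSession;

/**
 * Stores sensitive session attributes as AES-GCM ciphertext. The key lives in
 * this object (one per JVM), never inside the HttpSession, so anything that
 * serializes or persists session state (a persistent session manager, a
 * DB-backed session store) holds only nonce + ciphertext + auth tag.
 */
public final class SealedSessionAttributes {
    private static final int NONCE_BYTES = 12;   // 96-bit GCM nonce, fresh per write
    private static final int TAG_BITS = 128;
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();

    public SealedSessionAttributes(SecretKey key) {
        this.key = key;
    }

    /** Encrypts value and stores nonce||ciphertext||tag under name. */
    public void put(HttpSession session, String name, String value)
            throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        rng.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(name.getBytes(StandardCharsets.UTF_8)); // bind blob to its attribute name
        byte[] ct = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        session.setAttribute(name,
                ByteBuffer.allocate(NONCE_BYTES + ct.length).put(nonce).put(ct).array());
    }

    /** Returns the plaintext, null if absent, or throws if the stored blob was altered. */
    public String get(HttpSession session, String name) throws GeneralSecurityException {
        Object stored = session.getAttribute(name);
        if (!(stored instanceof byte[])) {
            return null;
        }
        byte[] blob = (byte[]) stored;
        if (blob.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("sealed attribute is truncated");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
        cipher.updateAAD(name.getBytes(StandardCharsets.UTF_8));
        byte[] pt = cipher.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Constructed stand-in for a container-managed session: a HashMap behind the
    // HttpSession interface, so the demo below runs without a servlet container.
    static HttpSession mapBackedSession(Map<String, Object> attrs) {
        return (HttpSession) Proxy.newProxyInstance(
                HttpSession.class.getClassLoader(), new Class<?>[] {HttpSession.class},
                (proxy, method, args) -> {
                    switch (method.getName()) {
                        case "setAttribute": attrs.put((String) args[0], args[1]); return null;
                        case "getAttribute": return attrs.get(args[0]);
                        default: throw new UnsupportedOperationException(method.getName());
                    }
                });
    }

    public static void main(String[] args) throws Exception {
        SealedSessionAttributes sealed = new SealedSessionAttributes(newKey());
        Map<String, Object> store = new HashMap<>(); // what a persistent session manager would write out
        HttpSession session = mapBackedSession(store);

        sealed.put(session, "accountNumber", "1234-5678-9012"); // constructed sample value
        System.out.println("what the session store holds: "
                + Base64.getEncoder().encodeToString((byte[]) store.get("accountNumber")));
        System.out.println("what the JSP reads back:      " + sealed.get(session, "accountNumber"));

        // Flip one bit of the stored blob: the GCM tag check rejects it instead of
        // handing the JSP a silently corrupted value.
        byte[] blob = (byte[]) store.get("accountNumber");
        blob[blob.length - 1] ^= 0x01;
        try {
            sealed.get(session, "accountNumber");
        } catch (GeneralSecurityException e) {
            System.out.println("altered blob rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The key still sits on the same server, which is the limit the reply above points out: this narrows what a persisted or serialized copy of the session reveals, not what someone who already controls the running JVM can read.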

Similar Messages

  • Weblogic.servlet.security.ServletAuthentication.weak() throws 'HttpSession is invalid'

    In our web app, we supply a form to accept the user info and login the
    user. The following is the program.

        String uid = (String) request.getParameter("username");
        String pwd = (String) request.getParameter("password");
        ServletAuthentication.logout(request);
        request.getSession().invalidate();
        HttpSession session = request.getSession(true);
        session.setAttribute( ..... );
        int auth = ServletAuthentication.weak(uid, pwd, request);

    But an exception of "java.lang.IllegalStateException: HttpSession is
    invalid" is thrown by the last statement. What's wrong with the above
    program?
    Thanks for any help!

  • How can i deal with java.security.AccessControlException?

    Hi all, I need to implement JavaMail using a Servlet and deploy it through the J2EE deployment tool. But when I test the servlet I always encounter this exception. How can I solve this?
    java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
    This is the servlet I am testing. Please advise. Thanks in advance!
    /*
     * @(#)JavaMailServlet.java     1.3 99/12/06
     * Copyright 1998, 1999 Sun Microsystems, Inc. All Rights Reserved.
     * This software is the proprietary information of Sun Microsystems, Inc.
     * Use is subject to license terms.
     */
    import java.io.*;
    import java.util.*;
    import java.text.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import javax.mail.*;
    import javax.mail.internet.*;
    import javax.activation.*;

    /**
     * This is a servlet that demonstrates the use of JavaMail APIs
     * in a 3-tier application. It allows the user to login to an
     * IMAP store, list all the messages in the INBOX folder, view
     * selected messages, compose and send a message, and logout.
     * <p>
     * Please note: This is NOT an example of how to write servlets!
     * This is simply to show that JavaMail can be used in a servlet.
     * <p>
     * For more information on this servlet, see the
     * JavaMailServlet.README.txt file.
     * <p>
     * For more information on servlets, see
     * http://java.sun.com/products/java-server/servlets/index.html
     *
     * @author Max Spivak
     */
    public class JavaMailServlet extends HttpServlet implements SingleThreadModel {
        String protocol = "POP3";
        String mbox = "INBOX";

        /**
         * This method handles the "POST" submission from two forms: the
         * login form and the message compose form. The login form has the
         * following parameters: <code>hostname</code>, <code>username</code>,
         * and <code>password</code>. The <code>send</code> parameter denotes
         * that the method is processing the compose form submission.
         */
        public void doPost(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            // get the session
            HttpSession ssn = req.getSession(true);
            String send = req.getParameter("send");
            String host = req.getParameter("hostname");
            String user = req.getParameter("username");
            String passwd = req.getParameter("password");
            URLName url = new URLName(protocol, host, -1, mbox, user, passwd);
            ServletOutputStream out = res.getOutputStream();
            res.setContentType("text/html");
            out.println("<html><body bgcolor=\"#CCCCFF\">");
            if (send != null) {
                // process message sending
                send(req, res, out, ssn);
            } else {
                // initial login
                // create
                MailUserData mud = new MailUserData(url);
                ssn.putValue("javamailservlet", mud);
                try {
                    // under a security manager, System.getProperties() itself requires
                    // PropertyPermission "*" "read,write" (the permission named in the exception)
                    Properties props = System.getProperties();
                    System.out.println("url");
                    props.put("mail.smtp.host", host);
                    Session session = Session.getDefaultInstance(props, null);
                    session.setDebug(false);
                    Store store = session.getStore(url);
                    store.connect();
                    Folder folder = store.getDefaultFolder();
                    if (folder == null)
                        throw new MessagingException("No default folder");
                    folder = folder.getFolder(mbox);
                    if (folder == null)
                        throw new MessagingException("Invalid folder");
                    folder.open(Folder.READ_WRITE);
                    int totalMessages = folder.getMessageCount();
                    Message[] msgs = folder.getMessages();
                    FetchProfile fp = new FetchProfile();
                    fp.add(FetchProfile.Item.ENVELOPE);
                    folder.fetch(msgs, fp);
                    // track who logged in
                    System.out.println("Login from: " + store.getURLName());
                    // save stuff into MUD
                    mud.setSession(session);
                    mud.setStore(store);
                    mud.setFolder(folder);
                    // splash
                    out.print("<center>");
                    out.print("<font face=\"Arial,Helvetica\" font size=+3>");
                    out.println("<b>Welcome to JavaMail!</b></font></center><p>");
                    // folder table
                    out.println("<table width=\"50%\" border=0 align=center>");
                    // folder name column header
                    out.print("<tr><td width=\"75%\" bgcolor=\"#ffffcc\">");
                    out.print("<font face=\"Arial,Helvetica\" font size=-1>");
                    out.println("<b>FolderName</b></font></td><br>");
                    // msg count column header
                    out.print("<td width=\"25%\" bgcolor=\"#ffffcc\">");
                    out.print("<font face=\"Arial,Helvetica\" font size=-1>");
                    out.println("<b>Messages</b></font></td><br>");
                    out.println("</tr>");
                    // folder name
                    out.print("<tr><td width=\"75%\" bgcolor=\"#ffffff\">");
                    out.print("<a href=\"" + HttpUtils.getRequestURL(req) + "\">" +
                              "Inbox" + "</a></td><br>");
                    // msg count
                    out.println("<td width=\"25%\" bgcolor=\"#ffffff\">" +
                                totalMessages + "</td>");
                    out.println("</tr>");
                    out.println("</table>");
                } catch (Exception ex) {
                    out.println(ex.toString());
                } finally {
                    out.println("</body></html>");
                    out.close();
                }
            }
        }

        /**
         * This method handles the GET requests for the client.
         */
        public void doGet(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            HttpSession ses = req.getSession(false); // before we write to out
            ServletOutputStream out = res.getOutputStream();
            MailUserData mud = getMUD(ses);
            if (mud == null) {
                res.setContentType("text/html");
                out.println("<html><body>Please Login (no session)</body></html>");
                out.close();
                return;
            }
            if (!mud.getStore().isConnected()) {
                res.setContentType("text/html");
                out.println("<html><body>Not Connected To Store</body></html>");
                out.close();
                return;
            }
            // mux that takes a GET request, based on parameters figures
            // out what it should do, and routes it to the
            // appropriate method
            // get url parameters
            String msgStr = req.getParameter("message");
            String logout = req.getParameter("logout");
            String compose = req.getParameter("compose");
            String part = req.getParameter("part");
            int msgNum = -1;
            int partNum = -1;
            // process url params
            if (msgStr != null) {
                // operate on message "msgStr"
                msgNum = Integer.parseInt(msgStr);
                if (part == null) {
                    // display message "msgStr"
                    res.setContentType("text/html");
                    displayMessage(mud, req, out, msgNum);
                } else if (part != null) {
                    // display part "part" in message "msgStr"
                    partNum = Integer.parseInt(part);
                    displayPart(mud, msgNum, partNum, out, res);
                }
            } else if (compose != null) {
                // display compose form
                compose(mud, res, out);
            } else if (logout != null) {
                // process logout
                try {
                    mud.getFolder().close(false);
                    mud.getStore().close();
                    ses.invalidate();
                    out.println("<html><body>Logged out OK</body></html>");
                } catch (MessagingException mex) {
                    out.println(mex.toString());
                }
            } else {
                // display headers
                displayHeaders(mud, req, out);
            }
        }

        /* main method to display messages */
        private void displayMessage(MailUserData mud, HttpServletRequest req,
                                    ServletOutputStream out, int msgNum)
                throws IOException {
            out.println("<html>");
            out.println("<HEAD><TITLE>JavaMail Servlet</TITLE></HEAD>");
            out.println("<BODY bgcolor=\"#ccccff\">");
            out.print("<center><font face=\"Arial,Helvetica\" ");
            out.println("font size=\"+3\"><b>");
            out.println("Message " + (msgNum+1) + " in folder " +
                        mud.getStore().getURLName() +
                        "/INBOX</b></font></center><p>");
            try {
                Message msg = mud.getFolder().getMessage(msgNum);
                // first, display this message's headers
                displayMessageHeaders(mud, msg, out);
                // and now, handle the content
                Object o = msg.getContent();
                //if (o instanceof String) {
                if (msg.isMimeType("text/plain")) {
                    out.println("<pre>");
                    out.println((String)o);
                    out.println("</pre>");
                //} else if (o instanceof Multipart){
                } else if (msg.isMimeType("multipart/*")) {
                    Multipart mp = (Multipart)o;
                    int cnt = mp.getCount();
                    for (int i = 0; i < cnt; i++) {
                        displayPart(mud, msgNum, mp.getBodyPart(i), i, req, out);
                    }
                } else {
                    out.println(msg.getContentType());
                }
            } catch (MessagingException mex) {
                out.println(mex.toString());
            }
            out.println("</BODY></html>");
            out.close();
        }

        /**
         * This method displays a message part. <code>text/plain</code>
         * content parts are displayed inline. For all other parts,
         * a URL is generated and displayed; clicking on the URL
         * brings up the part in a separate page.
         */
        private void displayPart(MailUserData mud, int msgNum, Part part,
                                 int partNum, HttpServletRequest req,
                                 ServletOutputStream out)
                throws IOException {
            if (partNum != 0)
                out.println("<p><hr>");
            try {
                String sct = part.getContentType();
                if (sct == null) {
                    out.println("invalid part");
                    return;
                }
                ContentType ct = new ContentType(sct);
                if (partNum != 0)
                    out.println("<b>Attachment Type:</b> " +
                                ct.getBaseType() + "<br>");
                if (ct.match("text/plain")) {
                    // display text/plain inline
                    out.println("<pre>");
                    out.println((String)part.getContent());
                    out.println("</pre>");
                } else {
                    // generate a url for this part
                    String s;
                    if ((s = part.getFileName()) != null)
                        out.println("<b>Filename:</b> " + s + "<br>");
                    s = null;
                    if ((s = part.getDescription()) != null)
                        out.println("<b>Description:</b> " + s + "<br>");
                    out.println("<a href=\"" +
                                HttpUtils.getRequestURL(req) +
                                "?message=" +
                                msgNum + "&part=" +
                                partNum + "\">Display Attachment</a>");
                }
            } catch (MessagingException mex) {
                out.println(mex.toString());
            }
        }

        /**
         * This method gets the stream for a given msg part and
         * pushes it out to the browser with the correct content type.
         * Used to display attachments and relies on the browser's
         * content handling capabilities.
         */
        private void displayPart(MailUserData mud, int msgNum,
                                 int partNum, ServletOutputStream out,
                                 HttpServletResponse res)
                throws IOException {
            Part part = null;
            try {
                Message msg = mud.getFolder().getMessage(msgNum);
                Multipart mp = (Multipart)msg.getContent();
                part = mp.getBodyPart(partNum);
                String sct = part.getContentType();
                if (sct == null) {
                    out.println("invalid part");
                    return;
                }
                ContentType ct = new ContentType(sct);
                res.setContentType(ct.getBaseType());
                InputStream is = part.getInputStream();
                int i;
                while ((i = is.read()) != -1)
                    out.write(i);
                out.flush();
                out.close();
            } catch (MessagingException mex) {
                out.println(mex.toString());
            }
        }

        /**
         * This is a utility method that pretty-prints the message
         * headers for the message that is being displayed.
         */
        private void displayMessageHeaders(MailUserData mud, Message msg,
                                           ServletOutputStream out)
                throws IOException {
            try {
                out.println("<b>Date:</b> " + msg.getSentDate() + "<br>");
                Address[] fr = msg.getFrom();
                if (fr != null) {
                    boolean tf = true;
                    out.print("<b>From:</b> ");
                    for (int i = 0; i < fr.length; i++) {
                        // pass the single address fr[i], not the whole array
                        out.print(((tf) ? " " : ", ") + getDisplayAddress(fr[i]));
                        tf = false;
                    }
                    out.println("<br>");
                }
                Address[] to = msg.getRecipients(Message.RecipientType.TO);
                if (to != null) {
                    boolean tf = true;
                    out.print("<b>To:</b> ");
                    for (int i = 0; i < to.length; i++) {
                        out.print(((tf) ? " " : ", ") + getDisplayAddress(to[i]));
                        tf = false;
                    }
                    out.println("<br>");
                }
                Address[] cc = msg.getRecipients(Message.RecipientType.CC);
                if (cc != null) {
                    boolean cf = true;
                    out.print("<b>CC:</b> ");
                    for (int i = 0; i < cc.length; i++) {
                        out.print(((cf) ? " " : ", ") + getDisplayAddress(cc[i]));
                        cf = false;
                    }
                    out.println("<br>");
                }
                out.print("<b>Subject:</b> " +
                          ((msg.getSubject() != null) ? msg.getSubject() : "") +
                          "<br>");
            } catch (MessagingException mex) {
                // report the exception (the original printed msg.toString() here)
                out.println(mex.toString());
            }
        }

        /**
         * This method displays the URL's for the available commands and the
         * INBOX headerlist
         */
        private void displayHeaders(MailUserData mud,
                                    HttpServletRequest req,
                                    ServletOutputStream out)
                throws IOException {
            SimpleDateFormat df = new SimpleDateFormat("EE M/d/yy");
            out.println("<html>");
            out.println("<HEAD><TITLE>JavaMail Servlet</TITLE></HEAD>");
            out.println("<BODY bgcolor=\"#ccccff\"><hr>");
            out.print("<center><font face=\"Arial,Helvetica\" font size=\"+3\">");
            out.println("<b>Folder " + mud.getStore().getURLName() +
                        "/INBOX</b></font></center><p>");
            // URL's for the commands that are available
            out.println("<font face=\"Arial,Helvetica\" font size=\"+3\"><b>");
            out.println("<a href=\"" +
                        HttpUtils.getRequestURL(req) +
                        "?logout=true\">Logout</a>");
            out.println("<a href=\"" +
                        HttpUtils.getRequestURL(req) +
                        "?compose=true\" target=\"compose\">Compose</a>");
            out.println("</b></font>");
            out.println("<hr>");
            // List headers in a table
            out.print("<table cellpadding=1 cellspacing=1 "); // table
            out.println("width=\"100%\" border=1>"); // settings
            // sender column header
            out.println("<tr><td width=\"25%\" bgcolor=\"ffffcc\">");
            out.println("<font face=\"Arial,Helvetica\" font size=\"+1\">");
            out.println("<b>Sender</b></font></td>");
            // date column header
            out.println("<td width=\"15%\" bgcolor=\"ffffcc\">");
            out.println("<font face=\"Arial,Helvetica\" font size=\"+1\">");
            out.println("<b>Date</b></font></td>");
            // subject column header
            out.println("<td bgcolor=\"ffffcc\">");
            out.println("<font face=\"Arial,Helvetica\" font size=\"+1\">");
            out.println("<b>Subject</b></font></td></tr>");
            try {
                Folder f = mud.getFolder();
                int msgCount = f.getMessageCount();
                Message m = null;
                // for each message, show its headers
                for (int i = 1; i <= msgCount; i++) {
                    m = f.getMessage(i);
                    // if message has the DELETED flag set, don't display it
                    if (m.isSet(Flags.Flag.DELETED))
                        continue;
                    // from
                    out.println("<tr valign=middle>");
                    out.print("<td width=\"25%\" bgcolor=\"ffffff\">");
                    out.println("<font face=\"Arial,Helvetica\">" +
                                ((m.getFrom() != null) ?
                                 m.getFrom()[0].toString() :
                                 "" ) +
                                "</font></td>");
                    // date
                    out.print("<td nowrap width=\"15%\" bgcolor=\"ffffff\">");
                    out.println("<font face=\"Arial,Helvetica\">" +
                                df.format((m.getSentDate() != null) ?
                                          m.getSentDate() : m.getReceivedDate()) +
                                "</font></td>");
                    // subject & link
                    out.print("<td bgcolor=\"ffffff\">");
                    out.println("<font face=\"Arial,Helvetica\">" +
                                "<a href=\"" +
                                HttpUtils.getRequestURL(req) +
                                "?message=" +
                                i + "\">" +
                                ((m.getSubject() != null) ?
                                 m.getSubject() :
                                 "<i>No Subject</i>") +
                                "</a>" +
                                "</font></td>");
                    out.println("</tr>");
                }
            } catch (MessagingException mex) {
                out.println("<tr><td>" + mex.toString() + "</td></tr>");
                mex.printStackTrace();
            }
            out.println("</table>");
            out.println("</BODY></html>");
            out.flush();
            out.close();
        }

        /**
         * This method handles the request when the user hits the
         * <i>Compose</i> link. It sends the compose form to the browser.
         */
        private void compose(MailUserData mud, HttpServletResponse res,
                             ServletOutputStream out)
                throws IOException {
            res.setContentType("text/html");
            out.println(composeForm);
            out.close();
        }

        /**
         * This method processes the send request from the compose form
         */
        private void send(HttpServletRequest req, HttpServletResponse res,
                          ServletOutputStream out, HttpSession ssn)
                throws IOException {
            String to = req.getParameter("to");
            String cc = req.getParameter("cc");
            String subj = req.getParameter("subject");
            String text = req.getParameter("text");
            try {
                MailUserData mud = getMUD(ssn);
                if (mud == null)
                    throw new Exception("trying to send, but not logged in");
                Message msg = new MimeMessage(mud.getSession());
                InternetAddress[] toAddrs = null, ccAddrs = null;
                if (to != null) {
                    toAddrs = InternetAddress.parse(to, false);
                    msg.setRecipients(Message.RecipientType.TO, toAddrs);
                } else
                    throw new MessagingException("No \"To\" address specified");
                if (cc != null) {
                    ccAddrs = InternetAddress.parse(cc, false);
                    msg.setRecipients(Message.RecipientType.CC, ccAddrs);
                }
                if (subj != null)
                    msg.setSubject(subj);
                URLName u = mud.getURLName();
                msg.setFrom(new InternetAddress(u.getUsername() + "@" +
                                                u.getHost()));
                if (text != null)
                    msg.setText(text);
                Transport.send(msg);
                out.println("<h1>Message sent successfully</h1></body></html>");
                out.close();
            } catch (Exception mex) {
                out.println("<h1>Error sending message.</h1>");
                out.println(mex.toString());
                out.println("<br></body></html>");
            }
        }

        // utility method; returns a string suitable for msg header display
        private String getDisplayAddress(Address a) {
            String pers = null;
            String addr = null;
            if (a instanceof InternetAddress &&
                ((pers = ((InternetAddress)a).getPersonal()) != null)) {
                addr = pers + " " + "<" + ((InternetAddress)a).getAddress() + ">";
            } else
                addr = a.toString();
            return addr;
        }

        // utility method; retrieve the MailUserData
        // from the HttpSession and return it
        private MailUserData getMUD(HttpSession ses) throws IOException {
            MailUserData mud = null;
            if (ses == null) {
                return null;
            } else {
                if ((mud = (MailUserData)ses.getValue("javamailservlet")) == null) {
                    return null;
                }
                return mud;
            }
        }

        public String getServletInfo() {
            return "A mail reader servlet";
        }

        /**
         * This is the HTML code for the compose form. Another option would
         * have been to use a separate html page.
         */
        private static String composeForm = "<HTML><HEAD><TITLE>JavaMail Compose</TITLE></HEAD><BODY BGCOLOR=\"#CCCCFF\"><FORM ACTION=\"/servlet/JavaMailServlet\" METHOD=\"POST\"><input type=\"hidden\" name=\"send\" value=\"send\"><P ALIGN=\"CENTER\"><B><FONT SIZE=\"4\" FACE=\"Verdana, Arial, Helvetica\">JavaMail Compose Message</FONT></B><P><TABLE BORDER=\"0\" WIDTH=\"100%\"><TR><TD WIDTH=\"16%\" HEIGHT=\"22\">     <P ALIGN=\"RIGHT\"><B><FONT FACE=\"Verdana, Arial, Helvetica\">To:</FONT></B></TD><TD WIDTH=\"84%\" HEIGHT=\"22\"><INPUT TYPE=\"TEXT\" NAME=\"to\" SIZE=\"30\"> <FONT SIZE=\"1\" FACE=\"Verdana, Arial, Helvetica\"> (separate addresses with commas)</FONT></TD></TR><TR><TD WIDTH=\"16%\"><P ALIGN=\"RIGHT\"><B><FONT FACE=\"Verdana, Arial, Helvetica\">CC:</FONT></B></TD><TD WIDTH=\"84%\"><INPUT TYPE=\"TEXT\" NAME=\"cc\" SIZE=\"30\"> <FONT SIZE=\"1\" FACE=\"Verdana, Arial, Helvetica\"> (separate addresses with commas)</FONT></TD></TR><TR><TD WIDTH=\"16%\"><P ALIGN=\"RIGHT\"><B><FONT FACE=\"Verdana, Arial, Helvetica\">Subject:</FONT></B></TD><TD WIDTH=\"84%\"><INPUT TYPE=\"TEXT\" NAME=\"subject\" SIZE=\"55\"></TD></TR><TR><TD WIDTH=\"16%\"> </TD><TD WIDTH=\"84%\"><TEXTAREA NAME=\"text\" ROWS=\"15\" COLS=\"53\"></TEXTAREA></TD></TR><TR><TD WIDTH=\"16%\" HEIGHT=\"32\"> </TD><TD WIDTH=\"84%\" HEIGHT=\"32\"><INPUT TYPE=\"SUBMIT\" NAME=\"Send\" VALUE=\"Send\"><INPUT TYPE=\"RESET\" NAME=\"Reset\" VALUE=\"Reset\"></TD></TR></TABLE></FORM></BODY></HTML>";
    }

    /**
     * This class is used to store session data for each user's session. It
     * is stored in the HttpSession.
     */
    class MailUserData {
        URLName url;
        Session session;
        Store store;
        Folder folder;

        public MailUserData(URLName urlname) {
            url = urlname;
        }
        public URLName getURLName() {
            return url;
        }
        public Session getSession() {
            return session;
        }
        public void setSession(Session s) {
            session = s;
        }
        public Store getStore() {
            return store;
        }
        public void setStore(Store s) {
            store = s;
        }
        public Folder getFolder() {
            return folder;
        }
        public void setFolder(Folder f) {
            folder = f;
        }
    }

    You posted a thousand lines of badly-formatted code and didn't have the sense to say which one had the exception.
    My guess is that it was this one:

        Session session = Session.getDefaultInstance(props, null);

    because that happened to me. I fixed it by calling getInstance instead of getDefaultInstance.
    However, if that isn't the problem, how about spending a few seconds to post a less useless question?

  • How do i get a list of httpsessions currently active in container

    What is the object that I can interact with to get a listing of active httpsessions
    within my application context (servlet container) at any given time? I know I
    can set up a listener, is this the only way? Is there now direct api?
    thanks


    I replied to this question in another email thread...
    "Vinod Mehra" <[email protected]> wrote in message
    news:<[email protected]>...
    > Here is a jsp to give you an idea. Unfortunately the session timeout
    > (max-inactive-interval) is not exposed in the runtime mbean. So you will
    > have to hardcode it for now. If you want it be exposed please ask support
    > for a patch.
    >
    > <%@ page import="weblogic.management.runtime.ServletSessionRuntimeMBean,
    >                  weblogic.management.MBeanHome,
    >                  weblogic.management.Admin,
    >                  java.util.Date,
    >                  java.util.Set,
    >                  java.util.Iterator,
    >                  weblogic.servlet.security.ServletAuthentication,
    >                  weblogic.management.runtime.WebAppComponentRuntimeMBean"
    > %>
    > <pre>
    > <%!
    > private static final long TIME_OUT = 10; // seconds
    > %>
    > <%
    > // login as system user
    > // FIXME: don't hardcode username/passwords
    > ServletAuthentication.weak("system", "gumby1234", request, response);
    >
    > MBeanHome home = Admin.getInstance().getMBeanHome();
    > if (home != null) {
    >     Set mbeanSet = home.getMBeansByType("ServletSessionRuntime");
    >     Iterator mbeanIterator = null;
    >     mbeanIterator = mbeanSet.iterator();
    >     while (mbeanIterator.hasNext()) {
    >         ServletSessionRuntimeMBean runtime =
    >             (ServletSessionRuntimeMBean) mbeanIterator.next();
    >         WebAppComponentRuntimeMBean parent =
    >             (WebAppComponentRuntimeMBean) runtime.getParent();
    >         out.print("ContextPath: " + parent.getContextRoot() +
    >                   " LastAccessedTime: " + new Date(runtime.getTimeLastAccessed()));
    >         if (hasSessionExpired(runtime)) {
    >             out.println(" <b>Invalidating expired session!!</b>");
    >             runtime.invalidate();
    >         } else {
    >             out.println(" Session is still good");
    >         }
    >     }
    > }
    > %>
    > <%!
    > private boolean hasSessionExpired(ServletSessionRuntimeMBean runtime) {
    >     return (runtime.getTimeLastAccessed() < (System.currentTimeMillis() -
    >                                              TIME_OUT * 1000));
    > }
    > %>
    >
    > hth,
    > Vinod.
    >
    "Randheer Gehlot" <[email protected]> wrote in message
    news:[email protected]...
    >
    > Vinod,
    > This class "ServletSessionRuntimeMBean" doesn't give you a list of all
    > the active sessions in memory. Is there any class which holds a list of all
    > active sessions in memory?
    >
    > Thanks..
    > "Vinod Mehra" <[email protected]> wrote:
    > >If you have session monitoring turned on ...
    > >
    > >weblogic.xml:
    > >
    > > <container-descriptor>
    > >   <session-monitoring-enabled>true</session-monitoring-enabled>
    > > </container-descriptor>
    > >
    > >... then you should be able to lookup the runtime mbeans
    > >(ServletSessionRuntimeMBean).
    > >
    > >This is what the admin console also uses.
    > >
    > >--Vinod.
    > >
    > >"ke" <[email protected]> wrote in message news:[email protected]...
    > >>
    > >> what is the object that i can interact with to get a listing of active
    > >> httpsessions within my application context (servlet container) at any
    > >> given time? i know i can setup a listener, is this the only way? is there
    > >> now direct api?
    > >>
    > >> thanks
    > >
    > >
    >


  • ADF security logout not working

    Hi,
    Using ADF Faces and JDeveloper 11.1.1.1.0 (5407).
    I have a secure ADF application, my login is working fine, however once I attempt to perform a logout using methods indicated in both the Fusion Developer's Guide and various blog posts my application begins to act strangely.
    Using the Forms based authentication I have login.html and error.html setup and working.
    I have a home.jspx (unsecured, no bindings whatsoever) as my landing page, and welcome.jspx as my successful authentication redirect page, both on my adfc-config diagram and with a control flow case 'login' between them.
    In my jazn-data.xml file I have granted the 'authenticated-role' access to the welcome page.
    The web.xml file includes the login.html and error.html files listed.
    The above works, I can login and am successfully redirected to the welcome page with a user account I have specified, and if I use wrong login information I am redirected to error.html.
    Now, I have tried 2 methods to get LOGOUT working properly and both are not working.
    Firstly and most simply I tried using the following on my welcome page:
        <af:commandNavigationItem text="Logout" id="cni1" destination="/adfAuthentication?logout=true&amp;end_url=faces/home.jspx"/>

    When I click the link, this does redirect me to the home page and there are no warnings/errors in the server log.
    However... when I then click on the Login link on the home page that should prompt me to login again, the home page just flickers and nothing happens. Again no warnings/errors in logs.
    I am then forever stuck on the home page.
    The second method I tried involves using a backing bean, which I have registered in my adfc-config.xml file with 'request' scope.
    On my welcome.jspx:
    <af:commandLink text="Logout" id="gl1" action="#{loginBean.doLogout}"/>
    My link calls the doLogout() method in my backing bean containing:
      import java.io.IOException;
      import javax.faces.context.ExternalContext;
      import javax.faces.context.FacesContext;
      import javax.servlet.http.HttpServletResponse;
      import javax.servlet.http.HttpSession;
      public String doLogout() throws IOException {
        // Reach the servlet response and session through the JSF external context
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
        HttpSession session = (HttpSession)ectx.getSession(false);
        if (session != null) {
          session.invalidate();
        }
        // The redirect commits the response; JSF is not told about it here
        response.sendRedirect("home.jspx");
        return null;
      }
    The application DOES redirect me to home.jspx however I get the following error in the logs:
    java.lang.IllegalStateException: Cannot forward a response that is already committed
         at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:122)
         at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:410)
         at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(ExternalContextDecorator.java:44)
         at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(ExternalContextDecorator.java:44)
         at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(ExternalContextDecorator.java:44)
         Truncated. see log file for complete stacktrace
    AND...the same thing happens as with my other attempt, I am stuck on the home page and clicking the login link just flickers the page.
    I feel as if I have followed the Fusion Developer's Guide on how to do this down to a T, however I am not getting a working solution.
    Any help would be greatly appreciated.
    Thank you,
    Matthew.

    I have had a few developments...
    I found out that after I have been redirected to home.jspx where my Login link just refreshes the page on click... if I instead manually change the end of the URL in the address bar of my browser to /welcome.jspx, then it works...I get prompted to login again. This proves that I am actually being logged out, if I change the URL manually before I click my logout link (calling the logout method) it does not request for me to log in again.
    So it seems that the problem lies with my action reference on my login link.
    <af:commandLink text="Enter" id="cl1" action="login" inlineStyle="font-size:small;"/>
    The action 'login' works UNTIL I log out, then it does not work anymore...
    Second to this, I tried a different LOGIN method using:
    <af:commandNavigationItem text="Login" id="cni1" inlineStyle="font-size:small; text-decoration:none;"
                                            destination="/adfAuthentication?success_url=faces/welcome.jspx"/>
    When using this way to login, I can login, logout AND LOG BACK IN successfully...
    However as soon as I click on ANY component that uses a control flow case it just refreshes the page.
    re-proving from the first example that the problem is that control flow cases stop working after a logout.
    So basically, once I log out and then try to navigate a control flow case, the page I am on just refreshes and the navigation does not occur.
    Surely someone now can elaborate on this.
    Regards,
    Matthew.
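An added example, not the poster's code, of the backing-bean logout written so that JSF does not try to forward after the redirect has already committed the response (the "Cannot forward a response that is already committed" in the log above): the response is marked complete once the redirect is sent. The bean name, the context-relative adfAuthentication logout URL and the end_url value are assumptions taken from the post.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Request-scoped backing bean, assumed to be registered as "loginBean" in adfc-config.xml. */
public class LoginBean {

    public String doLogout() throws IOException {
        FacesContext fctx = FacesContext.getCurrentInstance();
        ExternalContext ectx = fctx.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ectx.getRequest();

        // Drop the server-side state for this user before leaving the page.
        HttpSession session = (HttpSession) ectx.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Hand off to the ADF authentication servlet so the container login is cleared too,
        // then land on the unsecured home page. Path and end_url are assumptions.
        String logoutUrl = request.getContextPath()
                + "/adfAuthentication?logout=true&end_url=faces/home.jspx";
        ectx.redirect(logoutUrl);

        // A redirect commits the response. Unless JSF is told the response is complete it
        // continues into the render phase and tries to forward on the committed response.
        // ExternalContext.redirect() already calls responseComplete(); when redirecting
        // through HttpServletResponse.sendRedirect() directly, this call is required.
        fctx.responseComplete();
        return null;
    }
}
```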

  • When I try to run my jsp I get "File Download Security Warning"

    Hi,
    I have created a jsp file which is called UpdateEmpDetails1.jsp
    This jsp file picks up the employee id of the employee and transfers it to the backend servlet called UpdateEmpDetails1.java. The backend servlet looks up the table stored in the database and pulls up all the information stored corresponding to the employee id.Then the servlet stores the information in a session object and forwards it to the UpdateEmpDetails2.jsp
    I display the information which has been forwarded by the servlet in the HTML fields of UpdateEmpDetails2.jsp.
    Here the manager can also update the information. When he clicks on submit, the second serlvet UpdateEmpDetails2.java which is linked to UpdateEmpDetails2.jsp picks up the updated information and updates the database. The servlet also displays the message "Your information has been updated". But here is the real problem
    The session variables are being transferred perfectly to the jsp file UpdateEmpDetails2.jsp.
    But when i make any changes to this file and click on submit I get File Download Security Warning. It Says:
    File Download Security Warning
    Do you want to save this file
    Name UpdateEmpDetails2
    Type UnknownFileType
    From LocalHost
    Then I get another file which says
    FileDownload
    Getting FIle Information
    UpdateEmpDetails2 from localhost
    Estimated time left
    Download to:
    Transfer rate:
    Close this dialog box when download is complete
    I am just simply not able to update the employee information in the database due to this message.

    This is what I am trying to do:
    my UpdateEmpDetails1.jsp is as follows:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional //EN">
    <html>
    <head>
    <title>UpdateEmpDetails1.jsp</title>
    <link REL=STYLESHEET
    HREF="JSP-Styles.css"
    TYPE="text/css">
    </head>
    <body BGCOLOR="lightyellow" text="black">
    <h2 align="left"><font color="black">Update Employee Details Page</font></h2>
    <form action="UpdateEmpDetails2" Method="Get">
    <h2 align="left">Please enter the Employee ID of the employee whose details you want to edit</h2>
    <table width=50% align="center">
    <tr><td>Employee ID : </td>
         <td><INPUT TYPE="TEXT" name="employeeid"><br></td></tr>
    <tr><td><center><INPUT TYPE="SUBMIT" VALUE="SUBMIT"></center></td></tr>
    <tr><td><center><INPUT TYPE="RESET" VALUE="RESET"></center></td></tr>
    </table>
    </form>
    </body>
    </html>
    my UpdateEmpDetails1.java is as follows:
    package com.update;
    import com.database.*;
    import java.io.*;
    import java.sql.*;
    import javax.servlet.http.*;
    import javax.servlet.*;
    public class UpdateEmpDetails1 extends HttpServlet {
         public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
              HttpSession session = request.getSession();
              String X = request.getParameter("employeeid");
              System.out.println("Employee ID:" + X);
              // Establishing the jdbc connection
              try {
                   Database db = new Database();
                   Connection con = db.useConnection();
                   // The employee id is bound as a parameter, not concatenated into the SQL text
                   String query = "Select * from employees where employeeid=?";
                   PreparedStatement stat = con.prepareStatement(query);
                   System.out.println(stat);
                   stat.setString(1, X);
                   ResultSet rs = stat.executeQuery();
                   while (rs.next()) {
                        String A = rs.getString("employeeid");
                        String B = rs.getString("firstname");
                        String C = rs.getString("lastname");
                        String D = rs.getString("gender");
                        String E = rs.getString("dateofbirth");
                        String F = rs.getString("address");
                        String G = rs.getString("postalcode");
                        String H = rs.getString("phone");
                        String I = rs.getString("mobile");
                        String J = rs.getString("designation");
                        String K = rs.getString("joindate");
                        String L = rs.getString("leavedate");
                        String M = rs.getString("email");
                        String N = rs.getString("qualification");
                        String O = rs.getString("empstatus");
                        System.out.println("comparison successful");
                        // Keep the whole row in the session so UpdateEmpDetails2.jsp can pre-fill its form
                        session.setAttribute("employeeid", A);
                        session.setAttribute("firstname", B);
                        session.setAttribute("lastname", C);
                        session.setAttribute("gender", D);
                        session.setAttribute("dateofbirth", E);
                        session.setAttribute("address", F);
                        session.setAttribute("postalcode", G);
                        session.setAttribute("phone", H);
                        session.setAttribute("mobile", I);
                        session.setAttribute("designation", J);
                        session.setAttribute("joindate", K);
                        session.setAttribute("leavedate", L);
                        session.setAttribute("email", M);
                        session.setAttribute("qualification", N);
                        session.setAttribute("empstatus", O);
                        String url = "/UpdateEmpDetails2.jsp";
                        RequestDispatcher dis = request.getRequestDispatcher(url);
                        System.out.println("Dispatching" + dis);
                        dis.forward(request, response);
                        return; // a response can be forwarded only once
                   }
              } catch (Exception e) {
                   System.out.println(e);
              }
         }
    }
    my UpdateEmpDetails2.jsp is as follows:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    <title>UpdateEmpDetails2.jsp</title>
    <link REL=STYLESHEET
    HREF="JSP-Styles.css"
    TYPE="text/css">
    </head>
    <body BGCOLOR="lightblue" text="black">
    <h1 align="center"><font color="black">Update Employee Details Page</font></h1>
    <form action="UpdateEmpDetails2" Method="Get">
    <%-- The value attributes are quoted so that values containing spaces (addresses, designations)
         stay inside the attribute. The session attributes are written into the page as-is, without HTML escaping. --%>
    <table width=50% align="center">
    <tr><td>EMPLOYEE ID:</td>
         <td><INPUT TYPE="HIDDEN" name="employeeid" value="<%=session.getAttribute("employeeid")%>"></td></tr>
    <tr><td>FIRST NAME :</td>
         <td><INPUT TYPE="TEXT" name="firstname" value="<%=session.getAttribute("firstname")%>"></td></tr>
    <tr><td>LAST NAME :</td>
         <td><INPUT TYPE="TEXT" name="lastname" value="<%=session.getAttribute("lastname")%>"><br></td></tr>
    <tr><td>GENDER :</td>
         <td><INPUT TYPE="TEXT" name="gender" value="<%=session.getAttribute("gender")%>"><br></td></tr>
    <tr><td>DATE OF BIRTH (IN MM/DD/YYYY FORMAT) :</td>
         <td><INPUT TYPE="TEXT" name="dateofbirth" value="<%=session.getAttribute("dateofbirth")%>"><br></td></tr>
    <tr><td>ADDRESS :</td>
         <td><INPUT TYPE="TEXT" name="address" value="<%=session.getAttribute("address")%>"><br></td></tr>
    <tr><td>POSTALCODE:</td>
         <td><INPUT TYPE="TEXT" name="postalcode" value="<%=session.getAttribute("postalcode")%>"><br></td></tr>
    <tr><td>PHONE:</td>
         <td><INPUT TYPE="TEXT" name="phone" value="<%=session.getAttribute("phone")%>"><br></td></tr>
    <tr><td>MOBILE:</td>
         <td><INPUT TYPE="TEXT" name="mobile" value="<%=session.getAttribute("mobile")%>"><br></td></tr>
    <tr><td>DESIGNATION : </td>
         <td><INPUT TYPE="TEXT" name="designation" value="<%=session.getAttribute("designation")%>"><br></td></tr>
    <tr><td>JOIN DATE:</td>
         <td><INPUT TYPE="TEXT" name="joindate" value="<%=session.getAttribute("joindate")%>"><br></td></tr>
    <tr><td>LEAVE DATE:</td>
         <td><INPUT TYPE="TEXT" name="leavedate" value="<%=session.getAttribute("leavedate")%>"><br></td></tr>
    <tr><td>EMPLOYEE EMAIL:</td>
         <td><INPUT TYPE="TEXT" name="email" value="<%=session.getAttribute("email")%>"><br></td></tr>
    <tr><td>EMPLOYEE QUALIFICATION:</td>
         <td><INPUT TYPE="TEXT" name="qualification" value="<%=session.getAttribute("qualification")%>"><br></td></tr>
    <tr><td>EMPLOYEE STATUS:</td>
         <td><INPUT TYPE="TEXT" name="empstatus" value="<%=session.getAttribute("empstatus")%>"><br></td></tr>
    <tr><td><center><INPUT TYPE="SUBMIT" VALUE="SUBMIT"></center></td></tr>
    <tr><td><center><INPUT TYPE="RESET" VALUE="RESET"></center></td></tr>
    </table>
    </form>
    </body>
    </html>
    my UpdateEmpDetails2.java is as follows:
    package com.update;
    import java.io.*;
    import java.sql.*;
    import javax.servlet.http.*;
    import javax.servlet.*;
    import com.database.*;
    public class UpdateEmpDetails2 extends HttpServlet {
         public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
              PrintWriter out = response.getWriter();
              // Content type exactly as posted: "texthtml" is not a valid MIME type (the slash is
              // missing), so the browser cannot recognise the response as an HTML page
              response.setContentType("texthtml");
              // Read the submitted form fields and echo them back for debugging (written unescaped)
              String A = request.getParameter("employeeid");
              out.println(A);
              String B = request.getParameter("firstname");
              out.println(B);
              String C = request.getParameter("lastname");
              out.println(C);
              String D = request.getParameter("gender");
              out.println(D);
              String E = request.getParameter("dateofbirth");
              out.println(E);
              String F = request.getParameter("address");
              out.println(F);
              String G = request.getParameter("postalcode");
              out.println(G);
              String H = request.getParameter("phone");
              out.println(H);
              String I = request.getParameter("mobile");
              out.println(I);
              String J = request.getParameter("designation");
              out.println(J);
              String K = request.getParameter("joindate");
              out.println(K);
              String L = request.getParameter("leavedate");
              out.println(L);
              String M = request.getParameter("email");
              out.println(M);
              String N = request.getParameter("qualification");
              out.println(N);
              String O = request.getParameter("empstatus");
              out.println(O);
              try {
                   Database db = new Database();
                   Connection con = db.useConnection();
                   // One placeholder per SET column (15, including empstatus) plus the WHERE key;
                   // every value is bound as a parameter, never concatenated into the SQL text
                   String query = "update employees set employeeid=?,firstname=?,lastname=?,gender=?,dateofbirth=?,address=?,postalcode=?,phone=?,mobile=?,designation=?,joindate=?,leavedate=?,email=?,qualification=?,empstatus=? where employeeid=?";
                   PreparedStatement stat = con.prepareStatement(query);
                   stat.setString(1, A);
                   stat.setString(2, B);
                   stat.setString(3, C);
                   stat.setString(4, D);
                   stat.setString(5, E);
                   stat.setString(6, F);
                   stat.setString(7, G);
                   stat.setString(8, H);
                   stat.setString(9, I);
                   stat.setString(10, J);
                   stat.setString(11, K);
                   stat.setString(12, L);
                   stat.setString(13, M);
                   stat.setString(14, N);
                   stat.setString(15, O);
                   stat.setString(16, A);
                   System.out.println(stat);
                   int i = stat.executeUpdate();
                   if (i != 0) {
                        System.out.println("The record has been updated");
                   } else {
                        System.out.println("Sorry ! failure");
                   }
                   // A PreparedStatement cannot execute a different SQL string; use a plain Statement for the listing
                   Statement list = con.createStatement();
                   ResultSet rs = list.executeQuery("select * from employees");
                   System.out.println(rs);
                   while (rs.next()) {
                        for (int col = 1; col <= 15; col++) {
                             out.println(rs.getString(col) + "<br>");
                        }
                        out.print("<br>");
                   }
              } catch (Exception e) {
                   System.out.println(e);
                   e.printStackTrace();
              }
         }
    }
    Now as soon as I click on the submit button of the first jsp I get "File Download security warning message"
    I am new to jsp and I am not able to troubleshoot this

  • Security & Servlet engine and ejb container on different servers

              When you have the servlet container and the ejb container on different physical servers,
              how is the rmi connection meant to be done while still maintaining the security
              propagation from servlet to ejb tier?
              Assume that my user is already authenticated (forms) on the servlet tier. Do we then
              create a dedicated connection (InitialContext + url/username/password properties)
              to the ejb tier and store this connection in the HttpSession? (basically authenticating
              a 2nd time)
              OR,
              can the servlet container make a generic connection to the ejb container, and pass
              the users security context to the ejb tier transparently?
              -Sam

    Nick Minutello <[email protected]> wrote:
              > Assuming that web container security is being employed, I guess the fundamental question
              > is: Is it necessary to create a "connection" (ie. an InitialContext) per user, or
              > can a "global" initial context be shared (in the end, the TCP connection is shared
              > anyway)?
              It doesn't create a 'connection' per user - when you use JNDI authentication (specifying
              principal and credentials when constructing InitialContext) it associates security info
              with the current thread for the duration of the request. If you cache InitialContext and
              use it later on some other thread it will not do anything.
              > Does it really matter?
              No ;-)
              > Thanks,
              > Nick
              > "Dimitri I. Rakitine" <[email protected]> wrote:
              >>Nick Minutello <[email protected]> wrote:
              >>> OK, so when I create the InitialContext, I just specify the URL (to call the remote
              >>> EJB container). The user ID and credentials are mapped automatically.
              >>> I obviously also need to cache the initialContext variable in my HTTPSession object?
              >>> What would happen if I had one InitialContext for the whole servlet engine - and
              >>> each thread used that. Would the thread (security) context still get passed - or
              >>> would the credentials for the original connection get used?
              >>If you use web-app security, container will associate security info with the current
              >>thread before invoking your servlet. If you do not use it and cache InitialContext,
              >>then the current user will always be 'guest' (except for the very first time when
              >>application calls 'new InitialContext()' with username/password.
              >>> Thank you.
              >>> -Sam
              >>> "Vinod Mehra" <[email protected]> wrote:
              >>>>"Sam the bad cat" <[email protected]> wrote in message
              >>>>news:[email protected]...
              >>>>> When you have the servlet container and the ejb container on different physical servers,
              >>>>> how is the rmi connection meant to be done while still maintaining the security
              >>>>> propagation from servlet to ejb tier?
              >>>>> Assume that my user is already authenticated (forms) on the servlet tier. Do we then
              >>>>> create a dedicated connection (InitialContext + url/username/password properties)
              >>>>> to the ejb tier and store this connection in the HttpSession? (basically authenticating
              >>>>> a 2nd time)
              >>>>> OR,
              >>>>> can the servlet container make a generic connection to the ejb container, and pass
              >>>>> the users security context to the ejb tier transparently?
              >>>>If the user has logged in already, ie the authenticated user is already in the execute
              >>>>thread, the identity should be propagated to the ejb tier transparently, when you create the
              >>>>new initial context.
              >>>>--Vinod.
              >>>>> -Sam
              >>--
              >>Dimitri
              Dimitri
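An added example, not code from this thread, of the pattern the replies describe: the servlet builds its InitialContext on the request thread, per request, so the identity the web container authenticated for that request is what travels with the EJB call, and nothing is cached in a field or in the HttpSession. The EJB tier URL and the JNDI name are assumptions; the factory class is WebLogic's.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccountServlet extends HttpServlet {

    // Assumed address of the remote EJB tier.
    private static final String EJB_TIER_URL = "t3://ejb-host.example.internal:7001";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Context ctx = null;
        try {
            // Created here, on the thread the container already associated with the
            // authenticated user, and discarded when the request ends.
            ctx = newRemoteContext();
            Object home = ctx.lookup("ejb/AccountHome"); // JNDI name assumed
            // ... narrow the home, create the bean and call it ...
            response.setContentType("text/html");
            response.getWriter().println("account lookup done");
        } catch (NamingException e) {
            throw new ServletException("EJB tier lookup failed", e);
        } finally {
            // Not stored in a field or in the HttpSession: a context reused from another
            // thread would no longer carry this request's security info.
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    private Context newRemoteContext() throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, EJB_TIER_URL);
        // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS: with web-app security in use the
        // container-supplied identity is propagated, so no second login is needed.
        return new InitialContext(env);
    }
}
```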

  • Weblogic Security

    When I run the project in IntelliJ IDEA (12.1.4), everything looks fine until I get this message:
    <Notice> <Security> <BEA-090078> <User weblogic in security realm myrealm has had 50 invalid login attempts, locking account for 1 minutes.>
    I changed the parameters (50 attempts and 1 minute) in the admin console, but I have no idea where in the project this is coming from or where the password for user weblogic would be. It keeps showing up in the output window after the requisite minute is up.
    I'm an absolute beginner with WebLogic and I had this project land in my lap with zero support and little documentation. I'm a bit out of my element, programming being my strong(er) suit, not recreating development environments.
    Please help. Thanks in advance.

    Are they using the system for the entire time? Or does this happen after
    several minutes idle time (5 minutes)?
    Which WLS version and Service Pack?
    Wayne Scott
    Rupendra Bandyopadhyay wrote:
    > I have configured a login-config page for my web application. The system
    > works fine, but after about 20-30 minutes of use, the users are suddenly
    > redirected to the login page. After they re-authenticate themselves, they are
    > sent to the web page they requested for. Is this happening due to a loss of
    > session (HttpSession) in the weblogic server ? How can I prevent this from
    > happening ?
    >
    > Thank you, Rupendra _______________________ Echostar Communications

  • Redirect between https and http in same context, losing httpsession ??

    I'm using tomcat 3.2.1 with apache, and I'm trying to do the following:
    1. Have a login page that logs the user in over a secure connection (https).
    2. The login servlet that authenticates the login creates an HttpSession object, and then redirects the user to a following page,
    BUT the user should be redirected to use an http connection instead of https (for speed/processing time concern)
    3. The user would from now on be associated with the accompanying HttpSession object created by the login servlet. Everything is within the same webapp
    When I redirect, I use absolute paths: sendRedirect("http://<server-ip>/servlet/....... )
    BUT, it turns out that I somehow lose the httpsession object. Tomcat sees this redirect as a new connection.?!?
    I know it is possible somehow from what bits and pieces I have read, except I have yet to see an exact example or explanation of the
    problem with redirect using absolute URL path.
    please help

    try redirecting with encoding..
    response.sendRedirect(response.encodeRedirectURL("http://machine/welcome.jsp"));
    if this doesn't work.. attach the session id ...
    String url = "http://server/welcome.jsp" + ";jsessionid=" + session.getId();
    response.sendRedirect(url);
    bye

  • Does introduction of HADB add any security issues?

    Did the introduction of HADB for providing reliable state introduce any
    security issues? If so, what options are available for the user?

    Firstly the application tier would typically run behind the DMZ, so it
    would have the same protection as any other business logic running in
    this tier. Additionally, if highly sensitive data is stored in
    HttpSession then the HADB tier can be pushed further into the corporate
    network (i.e. behind further layers of protection).

  • Best way to secure server

    hi ! well my servlet app is done, but I'm worried about security and how sensitive data can be reached by people who shouldn't be accessing it.
    So my question is, which is the best way to ensure that the data will not be read by someone else? I have encrypted things like database fields, but I'm interested in the data that is being handled by the server and the client and possible attacks.
    All recommendations are welcome.
    Thanks!

    dunno if u did it but first thing to do is prevent sql injection ie forbidding usernames password and all other form field or in fact any stringish data u accept from clients to start with unwanted chars like (' or " or ;) and end with things like sql comment mark (i think its --).
    next thing that can come in handy is forbidding HttpSession to be created in all servlets except in login servlet. this is done by:
    HttpSession session = request.getSession(false);
    this disables HttpSession to be created but still making it available if it is created some time earlier (depending on session-timeout tag in web.xml, default is 10 or 30 minutes).
    hope i helped
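An added example, not from this thread, of the session discipline in the reply: the login servlet is the only place a session is created (and it discards any session the browser already presented before creating the fresh one), every other servlet accepts an existing session only through getSession(false), and the credential lookup binds the username as a query parameter so quote characters in the input are data rather than something to filter. The DataSource wiring, the users table and PasswordHasher.matches are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/** The only servlet that creates an HttpSession. */
public class LoginServlet extends HttpServlet {
    private DataSource dataSource; // assumed to be set up in init() from the container

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null || !credentialsValid(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Throw away whatever session the browser already had, then start a new one, so a
        // session id that existed before authentication is never the authenticated one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", username);
        session.setMaxInactiveInterval(15 * 60); // idle timeout in seconds, overrides web.xml
        response.sendRedirect(request.getContextPath() + "/account");
    }

    private boolean credentialsValid(String username, String password) throws ServletException {
        // The username is a bound parameter: ' " ; or -- in the input stay inside the value.
        String sql = "select password_hash from users where username = ?";
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                // PasswordHasher.matches is assumed: verifies the password against a stored hash
                return rs.next() && PasswordHasher.matches(password, rs.getString(1));
            }
        } catch (SQLException e) {
            throw new ServletException("login lookup failed", e);
        }
    }
}

/** Every other servlet: never creates a session, only uses one the login servlet created. */
class AccountServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // No session (never logged in, or timed out): back to the login page, nothing created.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        response.setContentType("text/html");
        response.getWriter().println("account page for " + session.getAttribute("user"));
    }
}
```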

  • HttpSession is invalid error on weblogic server 12.1.2

    Hello,
    We are using weblogic server 12.1.2. We have 6 J2EE applications installed on that weblogic server. We are seeing "HttpSession is invalid". Here is the stack trace.
    <BEA-100025> <An unexpected error occurred in the HTTP session timeout callback while deleting sessions.
    java.lang.IllegalStateException: HttpSession is invalid
      at weblogic.servlet.internal.session.SessionData.getInternalAttribute(SessionData.java:650)
      at weblogic.servlet.internal.session.SessionData.getInternalAttribute(SessionData.java:645)
      at weblogic.servlet.internal.session.SessionData.hasSavedPostData(SessionData.java:865)
      at weblogic.servlet.internal.session.SessionContext$SavePostSessionInvalidator.shouldIgnoreChecking(SessionContext.java:767)
      at weblogic.servlet.internal.session.SessionContext$SessionInvalidator.cleanupExpiredSessions(SessionContext.java:699)
      at weblogic.servlet.internal.session.SessionContext$SessionInvalidator$1.run(SessionContext.java:620)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
      at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
      at weblogic.servlet.internal.session.SessionContext$SessionInvalidator.timerExpired(SessionContext.java:615)
      at weblogic.timers.internal.TimerImpl.run(TimerImpl.java:304)
      at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:550)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:295)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:254)
    Any Idea why we are getting this error?

    subscribed.

  • WebLogic 9.1 Security Providers Issue

    I have created custom Authentication and Authorization security providers
    using the sample code, SampleSecurityProviders.zip, found on the dev2dev
    site. I used the MBean maker to create the MBean JAR file and installed it
    in the WL_HOME/server/lib/mbeantypes folder. I used the console application
    to set-up a new security realm, configured it to use my custom security
    providers, marked it as the default realm and re-started my WLS instance.
    The WLS instance starts-up without any problems and I am able to log-in to
    the console application without incident. Trace messages I added to my
    custom security providers indicate they are being utilized. The console
    application functions normally until I try to log out. A dialog box is
    displayed with the message: " Internal server error The server encountered
    an unexpected condition which prevented it from fulfilling the request." and
    the log out operation fails. The server log file contains the following
    stack trace:
    ####<Mar 7, 2006 8:58:18 AM MST> <Error> <HTTP> <cosilrsc> <RSeriesServer>
    <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default
    (self-tuning)'> <<WLS Kernel>> <> <> <1141747098863> <BEA-101020>
    <[weblogic.servlet.internal.WebAppServletContext@10eb27d - name: 'console',
    context-path: '/console'] Servlet failed with Exception
    java.lang.IllegalStateException: HttpSession is invalid
    at
    weblogic.servlet.internal.session.SessionData.getAttribute(SessionData.java:369)
    at
    org.apache.beehive.netui.script.common.BundleMap.retrieveUserLocale(BundleMap.java:261)
    at
    org.apache.beehive.netui.script.common.BundleMap.entrySet(BundleMap.java:131)
    at java.util.AbstractMap.toString(AbstractMap.java:584)
    at java.lang.String.valueOf(String.java:2577)
    at java.lang.StringBuilder.append(StringBuilder.java:116)
    at org.apache.beehive.netui.pageflow.scoping.internal.AttributeContainer.getSerializableAttrs(AttributeContainer.java:101)
    at org.apache.beehive.netui.pageflow.scoping.internal.ScopedRequestImpl.persistAttributes(ScopedRequestImpl.java:439)
    at com.bea.portlet.adapter.scopedcontent.PersistedRequestAttributes.persistAttributes(PersistedRequestAttributes.java:61)
    at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.persistRequestAttributes(ScopedContentCommonSupport.java:758)
    at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:235)
    at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:102)
    at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:338)
    at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:401)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:665)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:677)
    at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:151)
    at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:206)
    at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:146)
    at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:327)
    at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:190)
    at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:156)
    at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:141)
    at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:124)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:225)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:127)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:272)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3151)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:1973)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1880)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1310)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:179)
    >
    I suspect the problem has something to do with the way I have implemented my
    security providers but after several days of analysis I have been unable to
    pinpoint a cause. When I switch the security realm default back to the
    security realm created by the domain wizard the problem goes away.
    If anyone can provide some insight into how my custom security providers
    might introduce this problem and how I might go about debugging the issue I
    would appreciate it very much. Thank you.

    Weblogic 9.x supports only JDK 1.5? Now I am trying to perform the same build using Weblogic 8.1 SP5 and I am not able to find javax.jms.ConnectionFactory in weblogic.jar, whereas in the Weblogic 9.x 'weblogic.jar' 'javax.jms.ConnectionFactory' is found.
    Code snippet:
    import javax.jms.Connection;
    import javax.jms.ConnectionFactory;
    import javax.naming.Context;
    import weblogic.jndi.Environment;

    String url = "t3://" + hostName + ":" + hostPort;
    Environment environment = new Environment();
    environment.setProviderUrl( url );
    // the initial context factory is passed as its class name (a String), not as a type
    environment.setInitialContextFactory( "weblogic.jndi.WLInitialContextFactory" );
    Context context = environment.getInitialContext();
    ConnectionFactory factory = (ConnectionFactory)context.lookup( "..." );
    Connection theConnection = factory.createConnection();
    I am using SUN JDK 1.4.2.11 (I even tried the Weblogic JDK). I have weblogic.jar and JDK/tools.jar included in my classpath.
    What other jar files do I need to include in my classpath to make this code work in Weblogic 8.1 SP5?

  • HttpSession and Model Controller

    I have login information in an HttpSession. How can I pass this value to the model controller from my UIX page/data action? I use custom DML operations (doDML/doSelect).
    IDE Jdev 9.0.5 - DB Oracle 9i

    Ramon,
    In my situation; I am implementing the Dynamic JDBC Credentials that require subclassing the HttpSessionCookieImpl. See if the following helps....
    I created an instance variable in the class that overrides the HttpSessionCookieImpl. Then in the second constructor:
    public DynamicJDBCHttpSessionCookieImpl(java.lang.String applicationId,
                                            java.lang.String sessionId,
                                            ApplicationPool pool,
                                            java.security.Principal userPrincipal,
                                            javax.servlet.http.HttpServletRequest request) {
        super(applicationId, sessionId, pool, userPrincipal, request);
        classVar = request.getSession();
    }
    I pull the HttpSession from the request and store it to the class variable. I now have a handle to the instantiated session from anywhere in the model during that user's session.
    --Connie

  • Secure AJAX calls made from a JSR 168 portlet

    I am investigating methods to secure AJAX calls made from a JSR 168 portlet to a servlet using the Direct Web Remoting framework (DWR) and Weblogic Portal. The portlet can have more than one instance and different entitlements depending on the desktop it is available from. The Portal has several desktops and does not require the user to authenticate for some of the desktops.
    So far the only method I have come up with is to pass a token from the portlet to the servlet which indicates the entitlements the user should have to access the documents from the portlet and check in the servlet if the User has the appropriate global roles to access the documents.

    No, that doesn't work; the token passed can be modified by a malicious user (unless the token is random or signed).
    You need to store the desktop(s) the user is on in probably the HttpSession and read that from the servlet and make the decisions accordingly.
    regards
    deepak
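    One way to put Deepak's advice into code, as an added example that is not the poster's code nor part of DWR or Weblogic Portal: the portlet records the desktop the user is on in the session during its render phase, and the servlet behind the AJAX calls decides access from that server-side attribute plus the container's own role check, ignoring anything the browser sends. The servlet and portlet class names, the session attribute name and the desktop-to-role mapping are all assumptions; it also assumes the servlet lives in the same web application as the portlet, since JSR 168 APPLICATION_SCOPE portlet-session attributes are stored in that web application's HttpSession.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.portlet.PortletSession;
import javax.portlet.RenderRequest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical servlet behind the portlet's AJAX (DWR-style) calls.
 * Authorization is decided from server-side state only: the desktop the
 * portlet recorded in the session, plus the container's role check.
 * Nothing the browser sends (a token, a parameter, a header) is trusted.
 */
public class DocumentAjaxServlet extends HttpServlet {

    /** Session attribute written by the portlet at render time (assumed name). */
    public static final String DESKTOP_ATTR = "portal.currentDesktop";

    /** Constructed mapping of desktop name to the global role it requires. */
    private static final Map<String, String> REQUIRED_ROLE;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("employees", "EmployeeRole");
        m.put("partners", "PartnerRole");
        // Deliberately no entry for the anonymous desktops: they never get document access.
        REQUIRED_ROLE = Collections.unmodifiableMap(m);
    }

    /**
     * Called from the portlet's render phase on every render, so the value always
     * reflects the desktop the user is currently on. APPLICATION_SCOPE attributes
     * are visible to servlets in the same web application via the HttpSession.
     */
    public static void recordDesktop(RenderRequest request, String desktop) {
        request.getPortletSession().setAttribute(
                DESKTOP_ATTR, desktop, PortletSession.APPLICATION_SCOPE);
    }

    /** Pure decision function, kept separate so it can be reviewed and unit tested. */
    static boolean isAuthorized(HttpServletRequest req) {
        HttpSession session = req.getSession(false);   // never create a session here
        if (session == null) {
            return false;                             // no portlet has rendered for this client
        }
        Object desktop = session.getAttribute(DESKTOP_ATTR);
        if (!(desktop instanceof String)) {
            return false;
        }
        String role = REQUIRED_ROLE.get(desktop);
        if (role == null) {
            return false;                             // unknown or unauthenticated desktop
        }
        return req.isUserInRole(role);                // verified by the container, not by the client
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Note what is absent: no req.getParameter("entitlements"). A client-chosen
        // value is not evidence of anything, so it is never read.
        if (!isAuthorized(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("application/json");
        resp.getWriter().write("{\"documents\":[]}");   // placeholder payload
    }
}
```

    Two details matter for this to stay correct: the portlet must overwrite the attribute on every render (otherwise a user who navigates from an entitled desktop to a public one keeps the old value until the session expires), and the servlet must be mapped inside the same web application, otherwise it sees a different HttpSession and every call is refused.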
