Posted to dev@tomcat.apache.org by Brian Stansberry <br...@wanconcepts.com> on 2003/11/24 19:45:53 UTC

RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

At 11:56 AM 11/24/2003 -0600, you wrote:
>I have tried applying the patch, and I found three problems with it.
>First, its removal of a session from the SingleSignOnEntry object causes
>an IndexOutOfBounds exception.  Second, the method for determining
>whether the user explicitly logged out or whether a session timed out
>doesn't scale one of the numbers correctly (i.e. comparing millisecond
>values to seconds).  I have fixed the patch, but I don't have a diff of
>it yet (I'm new to helping with this project).  Finally, the patch
>doesn't synchronize on 'reverse' when removing an entry from it.

I also looked at the code for StandardSession.getLastAccessedTime() and it looks as if it will throw an IllegalStateException if the session is expired.  So that would break the algorithm used in the 9077 patch.

BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify throwing an IllegalStateException for a call to getLastAccessedTime().  It looks as if the exception throw  was added in response to bug 15967, which stated that the javadoc does specify the exception, but I'm looking at the javadoc for both Servlet 2.3 and 2.4, and in both cases it's not specified.


Brian Stansberry
WAN Concepts, Inc.
www.wanconcepts.com
Tel:    (510) 894-0114 x 116
Fax:    (510) 797-3005 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
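
The two pitfalls raised in the message above (comparing a millisecond value against seconds, and `getLastAccessedTime()` throwing on an invalidated session), as an added Java example that is not the 9077 patch or Tomcat code. `SessionView`, `classify`, `timedOutBuggy` and the sample values are hypothetical; the interface only mirrors the units of `HttpSession.getLastAccessedTime()` (milliseconds) and `getMaxInactiveInterval()` (seconds), and treating a non-positive interval as "never times out" is an assumption of this sketch.

```java
import java.util.concurrent.TimeUnit;

public class SessionEndCheck {
    /** Hypothetical stand-in for the two HttpSession methods involved. */
    interface SessionView {
        long getLastAccessedTime();   // milliseconds since the epoch
        int getMaxInactiveInterval(); // seconds
    }

    enum EndReason { TIMED_OUT, LOGGED_OUT, UNKNOWN }

    /** Unit bug: a millisecond difference is compared against seconds. */
    static boolean timedOutBuggy(SessionView s, long nowMillis) {
        return nowMillis - s.getLastAccessedTime() >= s.getMaxInactiveInterval();
    }

    /** Same check with the interval scaled to milliseconds first. */
    static EndReason classify(SessionView s, long nowMillis) {
        try {
            int maxIdleSec = s.getMaxInactiveInterval();
            if (maxIdleSec <= 0) return EndReason.LOGGED_OUT; // assumed: cannot time out
            long idleMillis = nowMillis - s.getLastAccessedTime();
            return idleMillis >= TimeUnit.SECONDS.toMillis(maxIdleSec)
                    ? EndReason.TIMED_OUT : EndReason.LOGGED_OUT;
        } catch (IllegalStateException e) {
            // Session already invalidated: the timestamp is unavailable, so the
            // caller has to pick a safe default instead of guessing the reason.
            return EndReason.UNKNOWN;
        }
    }

    /** Builds a constructed sample session for the demonstration below. */
    static SessionView session(long lastAccess, int maxIdleSec, boolean invalidated) {
        return new SessionView() {
            public long getLastAccessedTime() {
                if (invalidated) throw new IllegalStateException("invalidated session");
                return lastAccess;
            }
            public int getMaxInactiveInterval() { return maxIdleSec; }
        };
    }

    public static void main(String[] args) {
        long now = 1_000_000_000L;                                // constructed clock value
        SessionView active = session(now - 5_000, 1800, false);   // idle 5 s of 30 min
        SessionView idle = session(now - 1_800_000, 1800, false); // idle the full 30 min
        SessionView dead = session(0, 1800, true);                // already invalidated
        System.out.println("buggy(active) = " + timedOutBuggy(active, now));
        System.out.println("active -> " + classify(active, now));
        System.out.println("idle   -> " + classify(idle, now));
        System.out.println("dead   -> " + classify(dead, now));
    }
}
```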


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

Posted by Brian Stansberry <br...@wanconcepts.com>.
At 02:08 PM 11/24/2003 -0500, you wrote:
>Brian Stansberry wrote:
>>
>>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify throwing an IllegalStateException for a call to getLastAccessedTime().  It looks as if the exception throw  was added in response to bug 15967, which stated that the javadoc does specify the exception, but I'm looking at the javadoc for both Servlet 2.3 and 2.4, and in both cases it's not specified.
>Hum...look at:
>
>>http://java.sun.com/j2ee/1.4/docs/api/index.html
>
><quote>
>
>>
>>      getLastAccessedTime
>>
>>public long *getLastAccessedTime*()
>>
>>    [.....]
>>
>>    *Returns:*
>>        a |long| representing the last time the client sent a request
>>        associated with this session, expressed in milliseconds since
>>        1/1/1970 GMT
>>    *Throws:*
>>        |IllegalStateException
>>        <http://java.sun.com/j2se/1.4/docs/api/java/lang/IllegalStateException.html>|
>>        - if this method is called on an invalidated session
></quote>

Oh, OK.  The Servlet 2.4 javadoc I was looking at was downloaded from the JSR-154 Proposed Final Draft 3 web page (http://jcp.org/aboutJava/communityprocess/first/jsr154/index3.html).  The throws tag is not included there.  Hopefully they'll make this clear when they issue the final J2EE 1.4 spec.


Brian Stansberry
WAN Concepts, Inc.
www.wanconcepts.com
Tel:    (510) 894-0114 x 116
Fax:    (510) 797-3005 




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

Posted by Brian Stansberry <br...@wanconcepts.com>.
At 08:21 PM 11/24/2003 +0100, Remy wrote:
>Brian Stansberry wrote:
>>At 11:56 AM 11/24/2003 -0600, Luke Nelson wrote:
>>
>>>I have tried applying the patch, and I found three problems with
>>>it. First, its removal of a session from the SingleSignOnEntry
>>>object causes an IndexOutOfBounds exception.  Second, the method
>>>for determining whether the user explicitly logged out or whether a
>>>session timed out doesn't scale one of the numbers correctly (i.e.
>>>comparing millisecond values to seconds).  I have fixed the patch,
>>>but I don't have a diff of it yet (I'm new to helping with this
>>>project).  Finally, the patch doesn't synchronize on 'reverse' when
>>>removing an entry from it.
>>
>>I also looked at the code for StandardSession.getLastAccessedTime()
>>and it looks as if it will throw an IllegalStateException if the
>>session is expired.  So that would break the algorithm used in the
>>9077 patch.
>>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify
>>throwing an IllegalStateException for a call to
>>getLastAccessedTime().  It looks as if the exception throw  was added
>>in response to bug 15967, which stated that the javadoc does specify
>>the exception, but I'm looking at the javadoc for both Servlet 2.3
>>and 2.4, and in both cases it's not specified.
>
>Can you address those issues ASAP ? (incl the array out of bounds and the sync issue)

Sure; I'm starting on it now.  However, Jean-Francois found an HttpSession javadoc that specifies throwing an IllegalStateException in getLastAccessedTime().  If that is in the final spec, the 9077 patch algorithm will not work.  I'll work on it anyway in case the exception's not in the final spec.

As a backup, I've attached a patch that restores your earlier removal of the logout code.


Brian Stansberry
WAN Concepts, Inc.
www.wanconcepts.com
Tel:    (510) 894-0114 x 116
Fax:    (510) 797-3005 

Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

Posted by Jean-Francois Arcand <jf...@apache.org>.

Brian Stansberry wrote:

>At 11:56 AM 11/24/2003 -0600, you wrote:
>  
>
>>I have tried applying the patch, and I found three problems with it.
>>First, its removal of a session from the SingleSignOnEntry object causes
>>an IndexOutOfBounds exception.  Second, the method for determining
>>whether the user explicitly logged out or whether a session timed out
>>doesn't scale one of the numbers correctly (i.e. comparing millisecond
>>values to seconds).  I have fixed the patch, but I don't have a diff of
>>it yet (I'm new to helping with this project).  Finally, the patch
>>doesn't synchronize on 'reverse' when removing an entry from it.
>>    
>>
>
>I also looked at the code for StandardSession.getLastAccessedTime() and it looks as if it will throw an IllegalStateException if the session is expired.  So that would break the algorithm used in the 9077 patch.
>
>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify throwing an IllegalStateException for a call to getLastAccessedTime().  It looks as if the exception throw  was added in response to bug 15967, which stated that the javadoc does specify the exception, but I'm looking at the javadoc for both Servlet 2.3 and 2.4, and in both cases it's not specified.
>
Hum...look at:

> http://java.sun.com/j2ee/1.4/docs/api/index.html

<quote>

>
>       getLastAccessedTime
>
>public long *getLastAccessedTime*()
>
>     [.....]
>
>     *Returns:*
>         a |long| representing the last time the client sent a request
>         associated with this session, expressed in milliseconds since
>         1/1/1970 GMT 
>     *Throws:*
>         |IllegalStateException
>         <http://java.sun.com/j2se/1.4/docs/api/java/lang/IllegalStateException.html>|
>         - if this method is called on an invalidated session
>
</quote>

-- Jeanfrancois








Re: [5.0] J2EE release

Posted by Sam Ewing <ja...@yahoo.com>.
Hi Remy,

  How close is 5.0.15 to a non-beta Tomcat release?

  Thanks,

/s
--- Remy Maucherat <re...@apache.org> wrote:
> Sun has released the new J2EE RI, but not the
> specifications (no wonder 
> they are first with an implementation ...). Assuming
> the specs are also 
> released today, I will tag 5.0.15 tomorrow.
> 
> Rémy




[5.0] J2EE release

Posted by Remy Maucherat <re...@apache.org>.
Sun has released the new J2EE RI, but not the specifications (no wonder 
they are first with an implementation ...). Assuming the specs are also 
released today, I will tag 5.0.15 tomorrow.

Rémy





Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

Posted by Remy Maucherat <re...@apache.org>.
Brian Stansberry wrote:
> At 11:56 AM 11/24/2003 -0600, you wrote:
> 
>> I have tried applying the patch, and I found three problems with
>> it. First, its removal of a session from the SingleSignOnEntry
>> object causes an IndexOutOfBounds exception.  Second, the method
>> for determining whether the user explicitly logged out or whether a
>> session timed out doesn't scale one of the numbers correctly (i.e.
>> comparing millisecond values to seconds).  I have fixed the patch,
>> but I don't have a diff of it yet (I'm new to helping with this
>> project).  Finally, the patch doesn't synchronize on 'reverse' when
>> removing an entry from it.
> 
> 
> I also looked at the code for StandardSession.getLastAccessedTime()
> and it looks as if it will throw an IllegalStateException if the
> session is expired.  So that would break the algorithm used in the
> 9077 patch.
> 
> BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify
> throwing an IllegalStateException for a call to
> getLastAccessedTime().  It looks as if the exception throw  was added
> in response to bug 15967, which stated that the javadoc does specify
> the exception, but I'm looking at the javadoc for both Servlet 2.3
> and 2.4, and in both cases it's not specified.

Can you address those issues ASAP ? (incl the array out of bounds and 
the sync issue)

Thanks,
Remy

