Posted to users@cxf.apache.org by micleva <Va...@ext.ec.europa.eu> on 2015/08/03 14:56:00 UTC

can't disable session support (JSESSIONID is always created)

Hi,

I have an applet which uses CXF to connect to some Web Services. The
problem is that even if I don't specifically enable session support, after
the first call to my Web-Service, all other subsequent calls will have a
JSESSIONID. I have tried this with cxf version 2.6.16 and 2.7.16, same
result on both (I can't upgrade now to a higher version than 2.x).

The big issue here is that if I change the user (web-service authentication
user) while the applet is still up and running, the same session is used and
the new authentication credentials are ignored by the server since the server
thinks it's on the same session (due to the JSESSIONID).

Is there a way to clear the JSESSIONID when the web-service user changes in
my application? Somehow I would like to invalidate the originally created
session so that a new session will be created for the new user.

Thanks a lot



--
View this message in context: http://cxf.547215.n5.nabble.com/can-t-disable-session-support-JSESSIONID-is-always-created-tp5759638.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: can't disable session support (JSESSIONID is always created)

Posted by micleva <Va...@ext.ec.europa.eu>.
Just in case someone is interested about the solution.. in fact it has
nothing to do with CXF

The problem appears due to how HttpConnection works. It uses a cookie
manager which manages the cookies for each connection.

The simplest solution is to define your own cookie manager and to set it as
default cookie manager at init time:

  CookieManager.setDefault(MyCookieManager.init());

Now you will get full control over what cookies are sent for what
connection.

Hope this helps someone else as well.
Cheers



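An added example, not code from the thread: one way to get the behaviour the poster wanted, where a stale JSESSIONID is never replayed after the web-service user changes. The class name `UserScopedCookieManager`, the method `switchUser`, the endpoint URL and the cookie value are all assumptions made for illustration; the poster's own `MyCookieManager` was not shown.

```java
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

// Hypothetical class (not the poster's MyCookieManager): a single cookie jar
// that is emptied whenever the authenticated web-service user changes.
public class UserScopedCookieManager extends CookieManager {
    private String currentUser;

    public UserScopedCookieManager() {
        // null store = default in-memory store; accept cookies only from
        // the server the request was actually sent to.
        super(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER);
    }

    // Call this before the first request made with new credentials.
    public synchronized void switchUser(String user) {
        if (!user.equals(currentUser)) {
            // Drops the previous user's JSESSIONID so the server must
            // authenticate the new credentials and open a new session.
            getCookieStore().removeAll();
            currentUser = user;
        }
    }

    public static void main(String[] args) throws Exception {
        UserScopedCookieManager jar = new UserScopedCookieManager();
        CookieHandler.setDefault(jar); // HttpURLConnection now uses this jar

        // Constructed endpoint and response header, so the demo runs offline.
        URI endpoint = new URI("http://ws.example.test/services/Demo");
        Map<String, List<String>> noHeaders = Collections.emptyMap();

        jar.switchUser("alice");
        jar.put(endpoint, Collections.singletonMap("Set-Cookie",
                Collections.singletonList("JSESSIONID=CONSTRUCTED123; Path=/services")));
        System.out.println("alice sends: " + jar.get(endpoint, noHeaders));

        jar.switchUser("bob"); // credentials changed: jar is cleared first
        System.out.println("bob sends:   " + jar.get(endpoint, noHeaders));
    }
}
```

Clearing the client-side jar only stops the old cookie from being sent; the previous session stays valid on the server until it times out or is invalidated there.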

Re: can't disable session support (JSESSIONID is always created)

Posted by micleva <Va...@ext.ec.europa.eu>.
That works OK on a JEE server but not on an Applet.

What I need is to obtain the WebServiceContext programmatically, something
like this:

> SomeUtil.getWebserviceContext()






Re: can't disable session support (JSESSIONID is always created)

Posted by John Baker <jb...@dryfish.org.uk>.
Inject request into your WS and get the session:

  @Context
  protected HttpServletRequest request;


On Tue, Aug 4, 2015, at 10:37 AM, micleva wrote:
> Well, it should be disabled by default.
> However, the behavior looks like it is not.
> 
> Indeed it is the Applet who sets the JSESSIONID but in my opinion, if I
> specifically say to CXF to disable session management, they should
> guarantee that after each call, the session is invalidated.
> 
> Now putting that aside, what I would like to find out is how to obtain the
> HttpSession that CXF is using to make the requests so that I can manually
> invalidate the session. Do you know how I can obtain the HttpSession so
> that I can invalidate it?
> 
> Thanks
> 
> 
> 

Re: can't disable session support (JSESSIONID is always created)

Posted by micleva <Va...@ext.ec.europa.eu>.
Well, it should be disabled by default.
However, the behavior looks like it is not.

Indeed it is the Applet who sets the JSESSIONID but in my opinion, if I
specifically say to CXF to disable session management, they should guarantee
that after each call, the session is invalidated.

Now putting that aside, what I would like to find out is how to obtain the
HttpSession that CXF is using to make the requests so that I can manually
invalidate the session. Do you know how I can obtain the HttpSession so that
I can invalidate it?

Thanks




Re: can't disable session support (JSESSIONID is always created)

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi, the client-side session support is disabled by default in CXF as far as I
know, and if it is enabled then it sends the cookies back to the
server. Perhaps it is the browser/applet itself that sends cookies back...

Sergey




Re: can't disable session support (JSESSIONID is always created)

Posted by micleva <Va...@ext.ec.europa.eu>.
Hi,

Yes, you are right, CXF is used only as a client and JSESSIONID seems to
be set indeed by the HttpSession.

However, what I find strange is that even if I try to disable it manually at
web-service level by using:

  Client wsClient = ClientProxy.getClient(proxyObject);
  wsClient.getRequestContext().put(Message.MAINTAIN_SESSION, false);

the JSESSIONID is still passed.

Now if CXF gives the possibility to say if you want to maintain or not the
session I think it should really behave like that. If I run any CXF client in
an Applet and I try to disable the JSESSIONID like I mentioned above, it is
not working.

Do you have any suggestion on how I can manually invalidate the HttpSession
used by CXF behind?




Re: can't disable session support (JSESSIONID is always created)

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

AFAIK JSESSIONID is controlled by a servlet container, possibly by 
HttpSession, CXF does not itself set JSESSIONID, and if I understand it 
right CXF is only used as a client, right ?

Cheers, Sergey

On 03/08/15 13:56, micleva wrote:
> Hi,
>
> I have an applet which uses CXF to connect to some Web Services. The
> problem is that even if I don't specifically enable session support, after
> the first call to my Web-Service, all other subsequent calls will have a
> JSESSIONID. I have tried this with cxf version 2.6.16 and 2.7.16, same
> result on both (I can't upgrade now to a higher version than 2.x).
>
> The big issue here is that if I change the user (web-service authentication
> user) while the applet is still up and running, the same session is used and
> the new authentication credentials are ignored by the server since the server
> thinks it's on the same session (due to the JSESSIONID).
>
> Is there a way to clear the JSESSIONID when the web-service user changes in
> my application? Somehow I would like to invalidate the originally created
> session so that a new session will be created for the new user.
>
> Thanks a lot
>
>
>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com