Posted to users@tomcat.apache.org by Chew Kok Hoor <ko...@gmail.com> on 2023/04/02 12:44:03 UTC
Accessing Tomcat Sessions
Hi,
As part of a way to prevent concurrent login, and to re-assign a
session back to a request based on JWT token (for clients that cannot pass
us cookies), we need access to 'findSession' and 'findSessions' in
org.apache.catalina.Manager.
Is it true the only way to get the manager using
ServletContext.getManager() is by using privileged="true" in the
context.xml?
Are there any implications in setting privileged="true" if we have full
control to restrict what servlets or JSPs or code are running in our webapp?
Thanks.
Regards,
Kok Hoor
Re: Accessing Tomcat Sessions
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chew Kok,
On 4/5/23 20:31, Chew Kok Hoor wrote:
> Thanks for your suggestion. Do you have any url reference / resource
> related to getting JMX from within the same JVM?
>
> I am currently accessing from a servlet when verifying sessions.
You need to know how to access the JMX management system in general.
That's pretty easy:
    import javax.management.*;

    MBeanServer server = MBeanServerFactory.findMBeanServer(null).get(0);
    ObjectName thingToLookUp = new ObjectName("....");
    ObjectInstance bean = server.getObjectInstance(thingToLookUp);
Now you just need to know the JMX MBean "object name" you want to look
up. You can try "Catalina:type=Manager,host=localhost,context=/" if you
want to get the session manager for the "localhost" host and the "/"
(ROOT) context.
The ObjectInstance depends upon the thing you are pulling out of the
MBean server. You should be able to poke around in the ObjectInstance to
figure out what to do next.
Sometimes you don't need to get the object itself, you can call one of
its exposed operations. For example, the Manager exposes an operation
called "expireSession" which takes a String session id. You can call it
like this:
    server.invoke(thingToLookUp, "expireSession",
        new Object[] { "mySessionId" }, new String[] { "java.lang.String" });
This particular operation doesn't return anything, but others do.
To discover more about what's available in the Tomcat management tree, I
recommend using a JMX client such as VisualVM or similar. Just connect
to any running instance and you can browse the tree, look at the
metadata (which defines all attributes and operations, including all the
"object names" you need for things), etc.
If you use the JMXProxyServlet, which is a part of the Manager web
application, you can use HTTP to make JMX calls via HTTP to other
servers. So for example if you want to expire an HttpSession on another
server, you can do it via HTTP.
Hope that helps,
-chris
> On Thu, Apr 6, 2023, 1:56 AM Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>> Mark and Chew Kok,
>>
>> On 4/3/23 12:47, Mark Thomas wrote:
>>> On 02/04/2023 13:44, Chew Kok Hoor wrote:
>>>> Hi,
>>>>
>>>> As part of a way to prevent concurrent login, and to re-assign a
>>>> session back to a request based on JWT token (for clients that cannot
>>>> pass
>>>> us cookies), we need to access to the 'findSession' and 'findSessions'
>> in
>>>> org.apache.catalina.Manager.
>>>>
>>>> Is it true the only way to get the manager using
>>>> ServletContext.getManager() is by using privileged="true" in the
>>>> context.xml?
>>>
>>> There is no ServletContext.getManager() method.
>>>
>>> privileged is use to control access to Servlets that implement
>>> ContainerServlet.
>>>
>>> The ContainerServlet interface is one way to access Tomcat's internals.
>>> Another option is reflection.
>>
>> You can also get sessions via JMX within the same JVM.
>>
>> -chris
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
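An added example (not code from the thread or from Tomcat) applying the in-JVM JMX approach described above to the original concurrent-login question: it lists a context's sessions and expires every other session held by the same user. It assumes the application stores the login name in a session attribute called "user" and that the Manager MBean offers listSessionIds and getSessionAttribute operations alongside the expireSession named above; DemoManager is a constructed stand-in so the code runs without Tomcat.

```java
import java.lang.management.ManagementFactory;
import java.util.*;
import javax.management.*;

public class SingleSessionViaJmx {
    static final String[] STR = {"java.lang.String"};
    static final String[] STR2 = {"java.lang.String", "java.lang.String"};

    /** Expires every session owned by user except keepId; returns the expired ids. */
    static List<String> expireOthers(MBeanServer server, ObjectName mgr,
                                     String user, String keepId) throws JMException {
        // listSessionIds returns all ids as one space-separated String
        String ids = (String) server.invoke(mgr, "listSessionIds",
                new Object[0], new String[0]);
        List<String> expired = new ArrayList<>();
        for (String id : ids.trim().split("\\s+")) {
            if (id.isEmpty() || id.equals(keepId)) continue;
            Object owner = server.invoke(mgr, "getSessionAttribute",
                    new Object[] {id, "user"}, STR2); // "user" key is an assumption
            if (user.equals(owner)) {
                server.invoke(mgr, "expireSession", new Object[] {id}, STR);
                expired.add(id);
            }
        }
        return expired;
    }

    // Constructed stand-in for the Manager MBean (hypothetical, demo only).
    public interface DemoManagerMBean {
        String listSessionIds();
        String getSessionAttribute(String id, String key);
        void expireSession(String id);
    }
    public static class DemoManager implements DemoManagerMBean {
        final Map<String, String> users =
                new LinkedHashMap<>(Map.of("A1", "alice", "B2", "bob", "C3", "alice"));
        public String listSessionIds() { return String.join(" ", users.keySet()); }
        public String getSessionAttribute(String id, String key) { return users.get(id); }
        public void expireSession(String id) { users.remove(id); }
    }

    public static void main(String[] args) throws Exception {
        // Platform server for the demo; in Tomcat use the lookup shown in the message.
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        // Pin host and context in the name: the MBean server is shared JVM-wide,
        // so a wildcard name would reach other webapps' session managers too.
        ObjectName mgr = new ObjectName("Catalina:type=Manager,host=localhost,context=/demo");
        server.registerMBean(new DemoManager(), mgr);
        System.out.println("expired: " + expireOthers(server, mgr, "alice", "C3"));
    }
}
```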
Re: Accessing Tomcat Sessions
Posted by Chew Kok Hoor <ko...@gmail.com>.
Hi Chris,
Thanks for your suggestion. Do you have any url reference / resource
related to getting JMX from within the same JVM?
I am currently accessing from a servlet when verifying sessions.
Thanks.
Regards,
Kok Hoor
On Thu, Apr 6, 2023, 1:56 AM Christopher Schultz <
chris@christopherschultz.net> wrote:
> Mark and Chew Kok,
>
> On 4/3/23 12:47, Mark Thomas wrote:
> > On 02/04/2023 13:44, Chew Kok Hoor wrote:
> >> Hi,
> >>
> >> As part of a way to prevent concurrent login, and to re-assign a
> >> session back to a request based on JWT token (for clients that cannot
> >> pass
> >> us cookies), we need to access to the 'findSession' and 'findSessions'
> in
> >> org.apache.catalina.Manager.
> >>
> >> Is it true the only way to get the manager using
> >> ServletContext.getManager() is by using privileged="true" in the
> >> context.xml?
> >
> > There is no ServletContext.getManager() method.
> >
> > privileged is use to control access to Servlets that implement
> > ContainerServlet.
> >
> > The ContainerServlet interface is one way to access Tomcat's internals.
> > Another option is reflection.
>
> You can also get sessions via JMX within the same JVM.
>
> -chris
>
Re: Accessing Tomcat Sessions
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark and Chew Kok,
On 4/3/23 12:47, Mark Thomas wrote:
> On 02/04/2023 13:44, Chew Kok Hoor wrote:
>> Hi,
>>
>> As part of a way to prevent concurrent login, and to re-assign a
>> session back to a request based on JWT token (for clients that cannot
>> pass
>> us cookies), we need to access to the 'findSession' and 'findSessions' in
>> org.apache.catalina.Manager.
>>
>> Is it true the only way to get the manager using
>> ServletContext.getManager() is by using privileged="true" in the
>> context.xml?
>
> There is no ServletContext.getManager() method.
>
> privileged is use to control access to Servlets that implement
> ContainerServlet.
>
> The ContainerServlet interface is one way to access Tomcat's internals.
> Another option is reflection.
You can also get sessions via JMX within the same JVM.
-chris
Re: Accessing Tomcat Sessions
Posted by Mark Thomas <ma...@apache.org>.
On 02/04/2023 13:44, Chew Kok Hoor wrote:
> Hi,
>
> As part of a way to prevent concurrent login, and to re-assign a
> session back to a request based on JWT token (for clients that cannot pass
> us cookies), we need to access to the 'findSession' and 'findSessions' in
> org.apache.catalina.Manager.
>
> Is it true the only way to get the manager using
> ServletContext.getManager() is by using privileged="true" in the
> context.xml?
There is no ServletContext.getManager() method.
privileged is used to control access to Servlets that implement
ContainerServlet.
The ContainerServlet interface is one way to access Tomcat's internals.
Another option is reflection.
>
> Are there any implications in setting privileged="true" if we have full
> control to restrict what servlets or jsp or codes are running in our webapp?
If the code is trusted then allowing setting privileged="true" does not
introduce additional risk. It just makes it a little easier to do some
things.
Mark