Posted to users@tomcat.apache.org by Chew Kok Hoor <ko...@gmail.com> on 2023/04/02 12:44:03 UTC

Accessing Tomcat Sessions

Hi,

    As part of a way to prevent concurrent login, and to re-assign a
session back to a request based on JWT token (for clients that cannot pass
us cookies), we need access to the 'findSession' and 'findSessions' in
org.apache.catalina.Manager.

    Is it true the only way to get the manager using
ServletContext.getManager() is by using privileged="true" in the
context.xml?

    Are there any implications in setting privileged="true" if we have full
control to restrict what servlets or jsp or codes are running in our webapp?

Thanks.

Regards,
    Kok Hoor

Re: Accessing Tomcat Sessions

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chew Kok,

On 4/5/23 20:31, Chew Kok Hoor wrote:
> Thanks for your suggestion. Do you have any url reference / resource 
> related to getting JMX from within the same JVM?
> 
> I am currently accessing from a servlet when verifying sessions.

You need to know how to access the JMX management system in general. 
That's pretty easy:

import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectInstance;
import javax.management.ObjectName;

MBeanServer server = MBeanServerFactory.findMBeanServer(null).get(0);

ObjectName thingToLookUp = new ObjectName("....");

ObjectInstance bean = server.getObjectInstance(thingToLookUp);

Now you just need to know the JMX MBean "object name" you want to look 
up. You can try "Catalina:type=Manager,host=localhost,context=/" if you 
want to get the session manager for the "localhost" host and the "/" 
(ROOT) context.

The ObjectInstance depends upon the thing you are pulling out of the 
MBean server. You should be able to poke-around in the ObjectInstance to 
figure out what to do next.

Sometimes you don't need to get the object itself, you can call one of 
its exposed operations. For example, the Manager exposes an operation 
called "expireSession" which takes a String session id. You can call it 
like this:

server.invoke(thingToLookUp, "expireSession", new Object[] { 
"mySessionId" }, new String[] { "java.lang.String" });

This particular operation doesn't return anything, but others do.

To discover more about what's available in the Tomcat management tree, I 
recommend using a JMX client such as VisualVM or similar. Just connect 
to any running instance and you can browse the tree, look at the 
metadata (which defines all attributes and operations, including all the 
"object names" you need for things), etc.

If you use the JMXProxyServlet, which is a part of the Manager web 
application, you can use HTTP to make JMX calls via HTTP to other 
servers. So for example if you want to expire an HttpSession on another 
server, you can do it via HTTP.

Hope that helps,
-chris

> On Thu, Apr 6, 2023, 1:56 AM Christopher Schultz <
> chris@christopherschultz.net> wrote:
> 
>> Mark and Chew Kok,
>>
>> On 4/3/23 12:47, Mark Thomas wrote:
>>> On 02/04/2023 13:44, Chew Kok Hoor wrote:
>>>> Hi,
>>>>
>>>>       As part of a way to prevent concurrent login, and to re-assign a
>>>> session back to a request based on JWT token (for clients that cannot
>>>> pass
>>>> us cookies), we need access to the 'findSession' and 'findSessions' in
>>>> org.apache.catalina.Manager.
>>>>
>>>>       Is it true the only way to get the manager using
>>>> ServletContext.getManager() is by using privileged="true" in the
>>>> context.xml?
>>>
>>> There is no ServletContext.getManager() method.
>>>
>>> privileged is used to control access to Servlets that implement
>>> ContainerServlet.
>>>
>>> The ContainerServlet interface is one way to access Tomcat's internals.
>>> Another option is reflection.
>>
>> You can also get sessions via JMX within the same JVM.
>>
>> -chris
>>
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
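Putting Chris's JMX route together, as an added example (not code from the thread): a small helper that resolves the Manager MBean for one host/context and drives its "listSessionIds", "getSessionAttribute" and "expireSession" operations to enforce the single-active-session rule from the original question. It assumes Tomcat's MBeans are in the platform MBeanServer (the default) and that your login code stores the principal in a session attribute whose name you pass in; the class and method names are my own.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/** Drives the Tomcat session Manager through its MBean, from code running in the same JVM. */
public final class SessionManagerJmx {

    // Tomcat registers its MBeans in the platform MBeanServer (assumption: default JMX setup).
    private final MBeanServer server = ManagementFactory.getPlatformMBeanServer();
    private final ObjectName manager;

    /** host e.g. "localhost"; contextPath "/" for ROOT, otherwise e.g. "/myapp". */
    public SessionManagerJmx(String host, String contextPath) throws Exception {
        manager = new ObjectName("Catalina:type=Manager,host=" + host + ",context=" + contextPath);
        if (!server.isRegistered(manager)) {
            throw new IllegalStateException("no Manager MBean registered as " + manager);
        }
    }

    /** Ids of the live sessions; the "listSessionIds" operation returns them space-separated. */
    public List<String> listSessionIds() throws Exception {
        String ids = (String) server.invoke(manager, "listSessionIds", new Object[0], new String[0]);
        List<String> out = new ArrayList<>();
        for (String id : ids.trim().split("\\s+")) {
            if (!id.isEmpty()) out.add(id);
        }
        return out;
    }

    /** Concurrent-login enforcement: expire every session of 'user' other than keepId.
     *  userAttr is the session attribute the login code stores the principal under (assumed). */
    public List<String> expireOtherSessionsOf(String user, String userAttr, String keepId) throws Exception {
        List<String> expired = new ArrayList<>();
        for (String id : listSessionIds()) {
            if (id.equals(keepId)) continue;
            // getSessionAttribute returns the attribute's toString(), or null if the session/attribute is absent
            Object owner = server.invoke(manager, "getSessionAttribute",
                    new Object[] { id, userAttr }, new String[] { "java.lang.String", "java.lang.String" });
            if (user.equals(owner)) {
                server.invoke(manager, "expireSession", new Object[] { id }, new String[] { "java.lang.String" });
                expired.add(id);
            }
        }
        return expired;
    }
}
```

Call expireOtherSessionsOf(principal, "user", request.getSession().getId()) right after a successful login; the returned list is what you would log for the audit trail.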


Re: Accessing Tomcat Sessions

Posted by Chew Kok Hoor <ko...@gmail.com>.
Hi Chris,

    Thanks for your suggestion. Do you have any url reference / resource
related to getting JMX from within the same JVM?

    I am currently accessing from a servlet when verifying sessions.

Thanks.

Regards,
    Kok Hoor

On Thu, Apr 6, 2023, 1:56 AM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Mark and Chew Kok,
>
> On 4/3/23 12:47, Mark Thomas wrote:
> > On 02/04/2023 13:44, Chew Kok Hoor wrote:
> >> Hi,
> >>
> >>      As part of a way to prevent concurrent login, and to re-assign a
> >> session back to a request based on JWT token (for clients that cannot
> >> pass
> >> us cookies), we need access to the 'findSession' and 'findSessions' in
> >> org.apache.catalina.Manager.
> >>
> >>      Is it true the only way to get the manager using
> >> ServletContext.getManager() is by using privileged="true" in the
> >> context.xml?
> >
> > There is no ServletContext.getManager() method.
> >
> > privileged is used to control access to Servlets that implement
> > ContainerServlet.
> >
> > The ContainerServlet interface is one way to access Tomcat's internals.
> > Another option is reflection.
>
> You can also get sessions via JMX within the same JVM.
>
> -chris
>

Re: Accessing Tomcat Sessions

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark and Chew Kok,

On 4/3/23 12:47, Mark Thomas wrote:
> On 02/04/2023 13:44, Chew Kok Hoor wrote:
>> Hi,
>>
>>      As part of a way to prevent concurrent login, and to re-assign a
>> session back to a request based on JWT token (for clients that cannot 
>> pass
>> us cookies), we need access to the 'findSession' and 'findSessions' in
>> org.apache.catalina.Manager.
>>
>>      Is it true the only way to get the manager using
>> ServletContext.getManager() is by using privileged="true" in the
>> context.xml?
> 
> There is no ServletContext.getManager() method.
> 
> privileged is used to control access to Servlets that implement 
> ContainerServlet.
> 
> The ContainerServlet interface is one way to access Tomcat's internals. 
> Another option is reflection.

You can also get sessions via JMX within the same JVM.

-chris



Re: Accessing Tomcat Sessions

Posted by Mark Thomas <ma...@apache.org>.
On 02/04/2023 13:44, Chew Kok Hoor wrote:
> Hi,
> 
>      As part of a way to prevent concurrent login, and to re-assign a
> session back to a request based on JWT token (for clients that cannot pass
> us cookies), we need access to the 'findSession' and 'findSessions' in
> org.apache.catalina.Manager.
> 
>      Is it true the only way to get the manager using
> ServletContext.getManager() is by using privileged="true" in the
> context.xml?

There is no ServletContext.getManager() method.

privileged is used to control access to Servlets that implement 
ContainerServlet.

The ContainerServlet interface is one way to access Tomcat's internals. 
Another option is reflection.

> 
>      Are there any implications in setting privileged="true" if we have full
> control to restrict what servlets or jsp or codes are running in our webapp?

If the code is trusted then setting privileged="true" does not 
introduce additional risk. It just makes it a little easier to do some 
things.

Mark


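The ContainerServlet route Mark mentions, as an added example (not code from the thread or from Tomcat): a servlet that receives its Wrapper from Tomcat, walks up to the Context's Manager and calls findSession, which is what the original question needed for cookie-less clients. It assumes Tomcat 9 (javax.servlet; Tomcat 10+ uses jakarta.servlet), a Context declared with privileged="true", and a hypothetical filter that has already verified the JWT and stored its session-id claim in a request attribute.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.ContainerServlet;
import org.apache.catalina.Context;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.Wrapper;

/** Re-attaches a request to an existing session by id, for clients that cannot send cookies. */
public class SessionLookupServlet extends HttpServlet implements ContainerServlet {

    private Wrapper wrapper;

    @Override
    public Wrapper getWrapper() { return wrapper; }

    // Tomcat calls this when it loads the servlet. A Context without privileged="true"
    // refuses to instantiate a ContainerServlet at all, which is the gate Mark describes.
    @Override
    public void setWrapper(Wrapper wrapper) { this.wrapper = wrapper; }

    /** Manager.findSession returns null for an unknown id; sessions already invalidated are rejected too. */
    Session findValidSession(String id) throws IOException {
        Manager manager = ((Context) wrapper.getParent()).getManager();
        Session s = manager.findSession(id);
        return (s != null && s.isValid()) ? s : null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Hypothetical: a filter has verified the JWT and copied its session-id claim here.
        // The id must come from the verified token, never from an unauthenticated header.
        String sid = (String) req.getAttribute("verified.jwt.sid");
        Session s = (sid == null) ? null : findValidSession(sid);
        if (s == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // From here the HttpSession is usable as if the request had carried the JSESSIONID cookie.
        Object user = s.getSession().getAttribute("user"); // "user" is an assumed attribute name
        resp.setContentType("text/plain");
        resp.getWriter().println("session " + s.getId() + " belongs to " + user);
    }
}
```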