You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@turbine.apache.org by Daniel Rall <dl...@finemaltcoding.com> on 2002/04/22 21:05:38 UTC
Re: Added try/catch to Turbine.java. Problem?
David, it appears that the Servlet Spec. declares that attempting to
remove any attribute from an invalid session will result in the
IllegalStateException.
http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpSession.html#removeAttribute(java.lang.String)
Being the reference implementation, Tomcat 4 of course implements
this. From org.apache.catalina.session.StandardSession.java:
/**
* Remove the object bound with the specified name from this session. If
* the session does not have an object bound with this name, this method
* does nothing.
* <p>
* After this method executes, and if the object implements
* <code>HttpSessionBindingListener</code>, the container calls
* <code>valueUnbound()</code> on the object.
*
* @param name Name of the object to remove from this session.
* @param notify Should we notify interested listeners that this
* attribute is being removed?
*
* @exception IllegalStateException if this method is called on an
* invalidated session
*/
public void removeAttribute(String name, boolean notify) {
// Validate our current state
if (!expiring && !isValid)
throw new IllegalStateException
(sm.getString("standardSession.removeAttribute.ise"));
...
I've applied the following patch to the Turbine.java in
jakarta-turbine-2 repository to correct this behavior:
Index: Turbine.java
===================================================================
RCS file: /home/cvs/jakarta-turbine-2/src/java/org/apache/turbine/Turbine.java,v
retrieving revision 1.14
diff -u -u -r1.14 Turbine.java
--- Turbine.java 16 Apr 2002 22:07:07 -0000 1.14
+++ Turbine.java 22 Apr 2002 19:02:51 -0000
@@ -511,10 +511,9 @@
// If a module has set data.acl = null, remove acl from
// the session.
- if ( data.getACL() == null )
+ if ( data.getACL() == null && data.getSession().isValid() )
{
- data.getSession().removeValue(
- AccessControlList.SESSION_KEY);
+ data.getSession().removeValue(AccessControlList.SESSION_KEY);
}
// handle a redirect request
Note that I didn't use the try/catch block you suggested, as checking
for a valid session is a more correct implementation.
Question for turbine-dev: does this fix still apply? If so, where?
Thanks, Dan
David Vandegrift <dv...@bluearc.com> writes:
> I using Tomcat 4.
>
> There's a little more information about this issue in a post
> I made on April 10th.
>
>
> -----Original Message-----
> From: Daniel Rall [mailto:dlr@finemaltcoding.com]
> Sent: Friday, April 19, 2002 9:05 AM
> To: Turbine Users List
> Subject: Re: Added try/catch to Turbine.java. Problem?
>
>
> David Vandegrift <dv...@bluearc.com> writes:
>
>> To get HttpSession.invalidate() to work, I modified my Turbine.java by
>> adding the following try/catch block around
> data.getSession().removeValue()
> > in the doGet() method.
>>
>> Does anyone see any potential problems with doing this?
>> It seems harmless to me.
>>
>> Without this one cannot invalidate an HttpSession which is important when
>> using Container Managed security (logging out for example).
>>
>> Thanks,
>> David
>>
>>
>> --------cut from doGet() ------------------
>>
>> // If a module has set data.acl = null, remove acl from
>> // the session.
>> if ( data.getACL() == null )
>> {
>> try <--- new try/catch block
>> {
>> data.getSession().removeValue(
>> AccessControlList.SESSION_KEY);
>> }
>> catch (IllegalStateException e) { } // do nothing, it's gone
>> }
>
> Huh. What container are you using?
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Added try/catch to Turbine.java. Problem?
Posted by Daniel Rall <dl...@finemaltcoding.com>.
Daniel Rall <dl...@finemaltcoding.com> writes:
> Note that I didn't use the try/catch block you suggested, as checking
> for a valid session is a more correct implementation.
Turned out that the HttpSession::isValid() method was
Catalina-internal, hidden behind its HttpSessionFacade class and not
part of the servlet spec. I've switched to the try/catch suggested by
David (ugh, bad servlet api, bad).
> Question for turbine-dev: does this fix still apply? If so, where?
I've found a few spots in jakarta-turbine-3 where this check is
appropriate and patched them.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Added try/catch to Turbine.java. Problem?
Posted by Daniel Rall <dl...@finemaltcoding.com>.
Daniel Rall <dl...@finemaltcoding.com> writes:
> Note that I didn't use the try/catch block you suggested, as checking
> for a valid session is a more correct implementation.
Turned out that the HttpSession::isValid() method was
Catalina-internal, hidden behind its HttpSessionFacade class and not
part of the servlet spec. I've switched to the try/catch suggested by
David (ugh, bad servlet api, bad).
> Question for turbine-dev: does this fix still apply? If so, where?
I've found a few spots in jakarta-turbine-3 where this check is
appropriate and patched them.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>