Posted to users@tomcat.apache.org by Pierrick Terrettaz <to...@electronet.ch> on 2008/02/21 18:49:05 UTC

realm login and user session are not the same

Hi,

I have a problem with Tomcat server 5.5.

When a user logs in through the realm authentication FORM method in the
website, the username and login are well checked but the user comes in with the
session of another user, with the roles of this other user. This happens randomly
with user sessions that are not even connected any more.

In tomcat_dir/conf/web.xml the session timeout is set to 30 min.

Has anyone already had such a session problem?

Pierrick

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: realm login and user session are not the same

Posted by Pierrick Terrettaz <to...@electronet.ch>.
Since we clean the threadlocal after each request, the issue is solved.
We used a main filter which encapsulates the request processing and at
the end of the filter, we set the threadlocal to null.

Something like:

public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain filterChain) throws IOException, ServletException {
     HttpServletRequest req = (HttpServletRequest) request;

     // set the threadLocal at each request from the container-authenticated principal
     PrincipalStore.set(req.getUserPrincipal());
     try {
         // call the rest of the filter chain (and the servlet)
         filterChain.doFilter(request, response);
     } finally {
         // clean the thread local; finally ensures this runs even if the chain throws,
         // so the pooled worker thread never carries a principal into the next request
         PrincipalStore.set(null);
     }
}

- Pierrick

On 21 Feb 08 at 21:23, Pierrick Terrettaz wrote:

> Currently we don't clean the threadlocal after the request processing.
> I will try and see if it works better.
>
> Thanks
>
> Pierrick




Re: realm login and user session are not the same

Posted by Pierrick Terrettaz <to...@electronet.ch>.

Caldarale, Charles R wrote:
>> From: Pierrick Terrettaz [mailto:tomcat@electronet.ch] 
>> Subject: Re: realm login and user session are not the same
>>
>> We are also using a ThreadLocal static reference in a class 
>> to store the request.getUserPrincipal() to give the current
>> username to beans which do not have access to the request:
> 
> Depending on the logic of your application, that may or may not be a
> problem.  All ThreadLocal fields should be cleared out whenever
> processing for a given request is complete, otherwise you may be
> inadvertently sharing data across requests as well as introducing
> redeployment problems.
> 
>  - Chuck

Currently we don't clean the threadlocal after the request processing.
I will try and see if it works better.

Thanks

Pierrick



RE: realm login and user session are not the same

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Pierrick Terrettaz [mailto:tomcat@electronet.ch] 
> Subject: Re: realm login and user session are not the same
> 
> We are also using a ThreadLocal static reference in a class 
> to store the request.getUserPrincipal() to give the current
> username to beans which do not have access to the request:

Depending on the logic of your application, that may or may not be a
problem.  All ThreadLocal fields should be cleared out whenever
processing for a given request is complete, otherwise you may be
inadvertently sharing data across requests as well as introducing
redeployment problems.

 - Chuck
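An added example, not from this thread, modelling in Python the Java pattern under discussion: a PrincipalStore-style thread-local on a pooled worker thread, showing the stale-principal leak Chuck warns about and the effect of Pierrick's clear-after-each-request fix. The request dicts, user names, single-worker pool and the assumption that the filter is only mapped to some paths are all constructed for the demonstration.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

# Stand-in for PrincipalStore: one slot per worker thread (constructed model).
_store = threading.local()

def principal_get():
    return getattr(_store, "principal", None)

def principal_set(principal):
    _store.principal = principal

def bean_current_user():
    """A bean with no access to the request, reading the user from the thread-local."""
    return principal_get()

def handle(request, filter_mapped, clear_after):
    """One request processed on a pooled worker thread.
    request: {"path": ..., "user": principal authenticated by the realm, or None}
    filter_mapped: whether the principal-setting filter is mapped to this path
    clear_after: whether the filter nulls the slot when the chain returns (the fix)"""
    if not filter_mapped:
        return bean_current_user()      # no filter ran: whatever the slot still holds is used
    principal_set(request["user"])
    try:
        return bean_current_user()      # the rest of the chain runs here
    finally:
        if clear_after:
            principal_set(None)         # in a finally so an exception cannot skip the cleanup

# Constructed requests: an authenticated hit on a protected path, then an anonymous
# hit on a public path to which the filter is not mapped.
REQUESTS = [
    {"path": "/secure/account", "user": "alice", "filter_mapped": True},
    {"path": "/public/home",    "user": None,    "filter_mapped": False},
]

def run_sequence(clear_after):
    """Run REQUESTS one after another on a single pooled thread, as a container reuses one."""
    with ThreadPoolExecutor(max_workers=1) as pool:
        return [pool.submit(handle, r, r["filter_mapped"], clear_after).result()
                for r in REQUESTS]

if __name__ == "__main__":
    print("without cleanup:", run_sequence(False))   # the anonymous request sees "alice"
    print("with cleanup:   ", run_sequence(True))    # the anonymous request sees None
```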


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.



Re: realm login and user session are not the same

Posted by Pierrick Terrettaz <to...@electronet.ch>.

Caldarale, Charles R wrote:
>> From: Pierrick Terrettaz [mailto:tomcat@electronet.ch] 
>> Subject: realm login and user session are not the same
>>
>> When a user logs in through the realm authentication
>> FORM method in the website, the username and login are
>> well checked but the user comes in with the session of
>> another user, with the roles of this other user.
> 
> This is almost certainly a problem in your webapp.  It's usually caused
> by storing request- or session-specific references in the wrong scope
> (e.g., placing a reference to the current request in a servlet instance
> or static field).
> 
>  - Chuck
> 

We will check in our code if there are any such references.

We are also using a ThreadLocal static reference in a class to store the
request.getUserPrincipal() to give the current username to beans which do not
have access to the request:

import java.security.Principal;

/** Holds the Principal of the request currently being processed on this thread. */
public final class PrincipalStore
{
    // one slot per worker thread; the container reuses its threads across requests
    private static final ThreadLocal<Principal> store = new ThreadLocal<Principal>();

    public static Principal get()
    {
        return store.get();
    }

    public static void set(final Principal principal)
    {
        store.set(principal);
    }
}



RE: realm login and user session are not the same

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Pierrick Terrettaz [mailto:tomcat@electronet.ch] 
> Subject: realm login and user session are not the same
> 
> When a user logs in through the realm authentication
> FORM method in the website, the username and login are
> well checked but the user comes in with the session of
> another user, with the roles of this other user.

This is almost certainly a problem in your webapp.  It's usually caused
by storing request- or session-specific references in the wrong scope
(e.g., placing a reference to the current request in a servlet instance
or static field).

 - Chuck


