HttpSession Object gets overwritten in IE Browser.

Posted By:   amar_kumar
Posted On:   Saturday, November 20, 2004 04:59 AM


Hi,

We have a problem in our application, which uses JAAS and Struts. The problem is browser-specific:
it works fine with Mozilla / Netscape, but gives an error with the IE and Opera browsers.


After logging in, when the user is a valid user, an HttpSession object gets created. Then the privileges of
the user are checked with JAAS filters and the application loads all the workspaces for that user.
This works fine with Mozilla/Netscape browsers, but it gives an error with IE browsers, as the
HttpSession object is overwritten and the EUserDelegate object returns null.



There are three files here - LoginContext.java, EIndexAction.java and Struts-Config.xml.


The flow is that when a user logs in, the JAAS mechanism checks whether the user is a valid user or not;
this is done in LoginContext.java - doFilter method. After this, the default load methods of IndexAction.java
are called and then redirected to LoginContext.java through the Struts-Config.xml file.




LoginContext.java

------------------


//we assume that the login context is stored in session once the user is logged in

EIUserDelegate eUserDelegate = (EIUserDelegate)
httpRequest.getSession().getAttribute(this.sUserDelegateKey);

The eUserDelegate object in LoginContext.java returns null when using IE browsers, as the
HttpSession object is overwritten, but works fine in Mozilla browsers.

----------------------------------------------------------


This is the source code for LoginContext.java - Method doFilter()



***********************************************************

As part of a chain, this filter will be called first and ensure that the user has the right credentials
to the page he wants to access. If the user is not authorized to access the page, he is redirected
to the error page, else the request processed and the page displayed.



Note: It needs to be mentioned that this filter assumes that the user needs to be authenticated & authorized to access the given page.
Pages that do not need these mechanisms must ensure that this filter will not be used when accessing that page.

************************************************************

			
LoginContext.java - doFilter().

@param request the servlet request
@param response the servlet response
@param filterChain the chain this filter is a part of

public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain filterChain)
        throws java.io.IOException, javax.servlet.ServletException {

    //check to see if a login context is present in session. if it is, we assume that the user
    //has already logged in and proceed to authorize the user, else we redirect the user to
    //the login page {access denied - authentication req page?}

    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    //we assume that the login context is stored in session once
    //the user is logged in
    EIUserDelegate eUserDelegate = (EIUserDelegate) httpRequest.getSession().getAttribute(this.sUserDelegateKey);

    if (eUserDelegate == null || eUserDelegate.getLoginContext() == null) {
        //redirect to login page
        super.dispatchToLogin(httpRequest, httpResponse);
    } else {
        synchronized (this) {
            LoginContext lContext = null;

            try {
                lContext = eUserDelegate.getLoginContext();
                lContext.login();
            } catch (LoginException lEx) {
                lEx.printStackTrace();
                super.dispatchToLogin(httpRequest, httpResponse);
                return;
            }//end catch

            //get the subject
            Subject subject = lContext.getSubject();

            EPrivilegedExceptionAction ePA = new EPrivilegedExceptionAction(eUserDelegate.getRoleID(), httpRequest.getRequestURI());

            if (EServerDetector.isJBoss()) {
                try {
                    Subject.doAs(subject, ePA);
                } catch (PrivilegedActionException pEx) {
                    pEx.printStackTrace();
                    //log error
                    //redirect him to the unauthorized page
                    super.dispatchToAuthError(httpRequest, httpResponse);
                    return;
                }//end catch
            } else {
                try {
                    ePA.run();
                } catch (Exception ex) {
                    ex.printStackTrace();
                    //log error
                    //redirect him to the unauthorized page
                    //System.out.println(" < < < < < < < < < < < < Redirecting to error page >>>>>>>>>");
                    super.dispatchToAuthError(httpRequest, httpResponse);
                    return;
                }//end catch
            }
        }//end sync

        //the last page visited
        this.setLastPageVisited(httpRequest);

        //call the next filter in the chain
        filterChain.doFilter(request, response);

    }//end else

}//end doFilter

------------------------------------------------------------


IndexAction.java

/**
*Renders the tree to the user and returns a mapping that is identified by actionmapping received as the argument
*
*@param mapping the actionmapping name. An object form bean is returned
*@return mapping for form bean defined in action mapping of struts-config.xml file
*@see
*@see
*/
public ActionForward execute(ActionMapping mapping, ActionForm form,
        HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {

    this.loadPortlets(request);
    super.loadPageSettings(request);

    //return mapping to success page
    return mapping.findForward(SUCCESS);
}// end perform

-----------------------------------------------------------
Struts-Config.xml




type="com.edge.action.ELoginAction"
name="loginform"
scope="request"
validate="false"
>









---------------------------------------------------------


Any Help would be greatly appreciated.

Thanks.

Re: HttpSession Object gets overwritten in IE Browser.

Posted By:   Christopher_Koenigsberg  
Posted On:   Sunday, November 21, 2004 07:25 AM

There are definitely known bugs in IE, at least for some versions/patchlevels, where it does lose the session cookie and create a new one, so the user is no longer logged in to a web app. I don't know about Opera having any similar bug, so yours may be a different problem.


Search microsoft.com, and you will find this IE session cookie problem. We were going nuts for a long time, because it is random. Once in a while someone using IE will suddenly get a "you are not logged in!" error from some of our web applications. It just seems to be a feature, with no workaround, of being tied to Microsoft and IE.
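
An added example, not part of the original thread or the poster's application: a diagnostic servlet filter that records, for each request, whether the browser presented no session id, presented an id the container no longer knows, or reached an intact session that lacks the user-delegate attribute. The class name SessionTraceFilter and the init parameter userDelegateKey are assumptions; only standard javax.servlet calls are used.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added diagnostic example (hypothetical class): map it ahead of the login filter.
public class SessionTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionTraceFilter.class.getName());
    private String userDelegateKey; // assumption: the same key the login filter reads

    public void init(FilterConfig cfg) throws ServletException {
        userDelegateKey = cfg.getInitParameter("userDelegateKey");
        if (userDelegateKey == null) throw new ServletException("userDelegateKey init-param required");
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String sentId = req.getRequestedSessionId(); // id the browser presented, or null
        HttpSession session = req.getSession(false);  // false: never create a session here

        String state;
        if (sentId == null) {
            state = "NO_ID_SENT";            // browser sent no session cookie or URL id
        } else if (session == null || !req.isRequestedSessionIdValid()) {
            state = "UNKNOWN_OR_EXPIRED_ID"; // id sent, but the container has no such session
        } else if (session.getAttribute(userDelegateKey) == null) {
            state = "ATTRIBUTE_MISSING";     // session intact, delegate never set or removed
        } else {
            state = "OK";
        }
        // Session ids are credentials: log a short correlation tag, never the id itself.
        LOG.info("session-trace state=" + state
                + " sent=" + tag(sentId)
                + " current=" + tag(session == null ? null : session.getId())
                + " viaCookie=" + req.isRequestedSessionIdFromCookie()
                + " cookieHeader=" + (req.getHeader("Cookie") != null)
                + " uri=" + req.getRequestURI()
                + " ua=" + req.getHeader("User-Agent"));
        chain.doFilter(request, response);
    }

    public void destroy() { }

    private static String tag(String id) {
        return id == null ? "-" : Integer.toHexString(id.hashCode());
    }
}
```

Comparing the `sent` and `current` tags across consecutive requests from one client shows whether the browser stopped presenting the id or the server side replaced the session.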