What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"


What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

Kwan Lim
Hi,

I am trying to make a servlet that doesn't extend the session when accessed
and it looked like the system property
"org.apache.catalina.core.StandardHostValve.ACCESS_SESSION" could do the job.

To test it out I created a simple project in Netbeans 8.1 with Tomcat
8.5.20 on Windows 10. In the project I have 2 servlets: servletA creates a
session and outputs some HTML, servletB only outputs HTML and doesn't call
request.getSession().

When I request servletA  a session is created and each time I request it
again, the last accessed time is updated.
When I request servletB which doesn't call getSession(), the last accessed
time is updated as well.

Note: I'm using the out-of-the box server.xml and other configuration files
and there are no filters that call getSession().

If I'm reading the documentation correctly, when set to true it will always
update the last accessed time even if getSession() wasn't called. By
default ACCESS_SESSION is false because STRICT_SERVLET_COMPLIANCE is not
set/false. My question is what is the expected behaviour when it's set to
false? I was expecting servletB to not update the last accessed time.

Thanks,
Kwan

Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

Mark Thomas-2
On 10/09/17 01:53, Kwan Lim wrote:

I think your test case may be the cause of this. I have performed a
similar test with the Tomcat ROOT web application monitoring session
last accessed time via the Manager application and I do not see the
behaviour you see.

When I call a page that does not call getSession(), the last accessed
time remains unchanged.

When I call a page that does call getSession(), the last accessed time
is updated.

Various components can trigger a call to getSession(). I suspect that
something is doing this that you aren't aware of. Personally I'd use
remote debugging to put a break point on getSession() and find out what
is triggering that call.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

Kwan Lim
Thanks Mark. You are correct that I'm using my own application; it looks
like the problem is that the NonLoginAuthenticator valve is calling
getInternalSession() (via the AuthenticatorBase class's invoke() method).
Is there a way to bypass this? I'm guessing the ROOT application bypasses
the StandardHostValve? It looks like the code is trying to cache an
authenticated Principal on the request which is something we do not need
for our app since we do our own authentication.

On Mon, Sep 11, 2017 at 8:46 AM, Mark Thomas <[hidden email]> wrote:

Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

Mark Thomas-2
On 11/09/17 14:21, Kwan Lim wrote:
> Thanks Mark. You are correct that I'm using my own application which looks
> like the problem is the NonLoginAuthenticator valve is calling
> getInternalSession() (via the AuthenticatorBase class's invoke() method).
> Is there a way to bypass this? I'm guessing the ROOT application bypasses
> the StandardHostValve? It looks like the code is trying to cache an
> authenticated Principal on the request which is something we do not need
> for our app since we do our own authentication.

There are several things going on here.

If a web application is not marked as metadata complete in web.xml OR it
declares security constraints in web.xml then Tomcat needs an
authenticator to be present.

The ROOT web application does not meet either of these criteria, hence no
Authenticator is configured, so nothing tries to access the session.

If either of the above are true and no login configuration is present in
web.xml, Tomcat automatically adds the NonLoginAuthenticator.

By default, every authenticator checks the session for a cached
Principal. This is configurable.

You need to explicitly configure the NonLoginAuthenticator and set cache
to false. Something like the following (untested).

<Context>
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
    cache="false" />
</Context>

HTH,

Mark


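The test Mark describes, reproduced with embedded Tomcat so that the session's last accessed time can be read through the Manager rather than through getSession(false) (which, in Tomcat, calls session.access() on an existing session and so is itself the side effect under test). This is an added example, not code from the thread or from the Tomcat project; it assumes the Tomcat 8.5 embedded API (tomcat-embed-core on the classpath), and the class name SessionTouchTest, the AUTHENTICATOR_CACHE constant and the two inline servlets are illustrative names chosen here.

```java
// Added example: reproduce the servletA / servletB test from the thread with
// embedded Tomcat 8.5 and read the session timestamp through the Manager.
// Assumes tomcat-embed-core on the classpath; names are illustrative.
import java.io.File;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.NonLoginAuthenticator;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;

public class SessionTouchTest {

    // false = the fix from the thread (cache="false"); flip to true to
    // reproduce the original observation that /b extends the session.
    static final boolean AUTHENTICATOR_CACHE = false;

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(0); // let the OS pick a free port
        Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());

        // Embedded Tomcat's FixContextListener adds a NonLoginAuthenticator
        // (cache=true) when the context has no login-config, exactly as a
        // web.xml without <login-config> does. Setting a login-config and
        // adding the valve ourselves is the embedded equivalent of
        // <Valve className="...NonLoginAuthenticator" cache="false"/>.
        ctx.setLoginConfig(new LoginConfig("NONE", null, null, null));
        NonLoginAuthenticator auth = new NonLoginAuthenticator();
        auth.setCache(AUTHENTICATOR_CACHE);
        ctx.getPipeline().addValve(auth);

        // servletA: creates / uses the session.
        Tomcat.addServlet(ctx, "a", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws IOException {
                req.getSession();
                resp.getWriter().print("A");
            }
        });
        // servletB: never calls getSession().
        Tomcat.addServlet(ctx, "b", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws IOException {
                resp.getWriter().print("B");
            }
        });
        ctx.addServletMappingDecoded("/a", "a");
        ctx.addServletMappingDecoded("/b", "b");

        tomcat.start();
        String base = "http://localhost:" + tomcat.getConnector().getLocalPort();

        String sessionId = get(base + "/a", null);   // /a hands out JSESSIONID
        long afterA = lastAccessed(ctx, sessionId);

        Thread.sleep(1100);                          // make any update measurable
        get(base + "/b", sessionId);                 // replay the cookie to /b
        long afterB = lastAccessed(ctx, sessionId);

        System.out.println("cache=" + AUTHENTICATOR_CACHE + ": /b "
                + (afterB == afterA ? "did NOT touch" : "TOUCHED") + " the session");
        tomcat.stop();
        tomcat.destroy();
    }

    // Read the timestamp via the Manager so the read itself is side-effect
    // free. Tomcat's idle check uses thisAccessedTime, which moves together
    // with lastAccessedTime at end of request (getThisAccessedTimeInternal()
    // can be compared the same way).
    static long lastAccessed(Context ctx, String id) throws IOException {
        Session s = ctx.getManager().findSession(id);
        if (s == null) {
            throw new IllegalStateException("no session " + id);
        }
        return s.getLastAccessedTimeInternal();
    }

    // Minimal client: sends the cookie when given, returns the JSESSIONID from
    // Set-Cookie if a new one was issued, otherwise the id that was sent.
    static String get(String url, String sessionId) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        if (sessionId != null) {
            c.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);
        }
        c.getInputStream().close();
        String setCookie = c.getHeaderField("Set-Cookie");
        if (setCookie != null && setCookie.startsWith("JSESSIONID=")) {
            int end = setCookie.indexOf(';');
            return setCookie.substring("JSESSIONID=".length(),
                    end < 0 ? setCookie.length() : end);
        }
        return sessionId;
    }
}
```

With AUTHENTICATOR_CACHE left at false the program reports that /b did not touch the session; with it set to true the authenticator's cached-Principal lookup runs getSessionInternal(false) on every request and /b updates the timestamp, which is the behaviour reported at the top of the thread. Mark's remote-debugging suggestion still applies when this harness shows a touch you cannot explain: a breakpoint on org.apache.catalina.connector.Request.doGetSession shows the calling valve or filter directly.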

Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"

Kwan Lim
Thanks Mark. Makes sense and the configuration change did the trick!

On Mon, Sep 11, 2017 at 10:05 AM, Mark Thomas <[hidden email]> wrote: