Author |
Message |
26/03/2008 10:10:47
|
heyl
Power User
Joined: 10/01/2008 09:41:55
Messages: 267
Location: Ettlingen
Offline
|
Hi Björn,
do servlets run in a different session than the CaptainCasa application?
If not, how can I get the common session id?
I want to to check if a file download servlet is running in the same session than the caller before file download is allowed.
I used the session id in our Casabac application to do that, but here I get two different session ids.
This is how I determine the session ids:
CaptainCasa:
HttpSessionAccess.getCurrentHttpSession(FacesContext.getCurrentInstance()).getId()
Servlet:
HttpServletRequest req;
req.getSession().getId();
Frauke
|
|
|
26/03/2008 13:06:35
|
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06
Messages: 5520
Offline
|
Hi,
the answer is quite tricky:
when running in browser (applet or webstart) then the sessionid is automatically added - the servlet will be called in the same http session (jssessionid).
When running in stand alone environment there is no automatic appending of the right sessionid. If you need to force the session id to be the same as the applciation around then append
";jsessionid=" + sessionId to your URL.
Björn
|
Björn Müller, CaptainCasa GmbH |
|
|
26/03/2008 13:58:11
|
heyl
Power User
Joined: 10/01/2008 09:41:55
Messages: 267
Location: Ettlingen
Offline
|
Hi Björn,
I tried it, but it does not work. The session id from the HttpServletRequest is still different.
Just to be sure I got you right:
I append the session id to the URL and then the servlet's HttpServletRequest will receive the session id from this?
Additionally this throws up a problem I had before:
if I append the session id to the URL, the file name (of the download servlet) will not be extracted correctly (see post "File download with servlet").
Frauke
|
|
|
26/03/2008 14:10:07
|
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06
Messages: 5520
Offline
|
...yes, appending the sessionid in the way described will select the correct session on server side... I am not 1000% expert on this, but it works exactly this way in a little example that I use...
Example URL, embedded in form:
<form id="_id0" method="post" action="/demos/faces/workplace/workplace.jsp;jsessionid=F054133D15BE3375C3B5183B9FB0324B" enctype="application/x-www-form-urlencoded">
Please check the client log: switch the log level to "all", (start parameter: loglevel=ALL) and compare the session ids that are sent from the normal processing with the one that you send.
Björn
PS: yes, the file download currently would take over this ";jsessionid=...". This something we can fix.
|
Björn Müller, CaptainCasa GmbH |
|
|
26/03/2008 17:24:55
|
heyl
Power User
Joined: 10/01/2008 09:41:55
Messages: 267
Location: Ettlingen
Offline
|
Hi Björn,
I checked the client log as you said and the session IDs are the same.
But still the Servlet gets an other one.
Is the call
HttpServletRequest req;
req.getSession().getId();
in the servlet correct? Or does it provide som other ID?
Frauke
|
|
|
26/03/2008 17:34:00
|
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06
Messages: 5520
Offline
|
...yes the call is correct.
I am "at the end of my Latin" currently... (English for runaways)
I think the most important issue is, that it is working in a webstart/applet environment, so it would be good to make sure that this scenario is working...
Björn
|
Björn Müller, CaptainCasa GmbH |
|
|
26/03/2008 17:47:26
|
heyl
Power User
Joined: 10/01/2008 09:41:55
Messages: 267
Location: Ettlingen
Offline
|
Well ok,....
as a kind of security check we only allow file download if the servlet and the application are running within the same session.
The only chance I see in the moment is to switch off this check.....
but that also affects our casabac application.
... but sure works for all cases.
Maybe you will have some enlightments later?
Frauke
|
|
|
26/03/2008 17:57:29
|
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06
Messages: 5520
Offline
|
|
Björn Müller, CaptainCasa GmbH |
|
|
|