CODEWITHSUNDEEP
glassfishhttpsessionrealm
kouzouigh
kouzouigh

Reputation: 93

Glassfish create more than one http session in realm authentication

I have a question about realm authentication, where glassfish create more than one http session. Here's an example

Web.xml:

<security-constraint>
    <web-resource-collection>
      <web-resource-name>AllPages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>FileRealm</realm-name>
  </login-config>
<security-constraint>

glassfish-web.xml:

  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>users</group-name>
  </security-role-mapping>

login.jsp:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Welcome Page</title>
</head>
<body>
<p>You have successfully logged into the application.</p>
<a href="./home.jsp">go to home</a>
</body>
</html>

SessionListener:

@WebListener public class SessionListener implements HttpSessionListener {

public void sessionCreated(HttpSessionEvent arg0) {

System.out.println("Session created id:"+arg0.getSession().getId());
}

public void sessionDestroyed(HttpSessionEvent arg0) {

  System.out.println("Session destroyed id:"+arg0.getSession().getId());

}

}

When I authenticate, glassfish create a new session:

INFO: Session created id:29c5d904db0e40b9cfbdac40aa5e

And when I click on "go to home" link or refresh the page, glassfish create another http session:

INFO: Session created id:2a67270137e38c150bf3690e2e46

And I also noticed that glassfish never destroy the first created session.

Thank's for your help

Upvotes: 0

Views: 1200

Answers (1)

Piotr Filiciak
Piotr Filiciak

Reputation: 91

This is probably a Glassfish Bug. Try add context.xml to your META-INF directory with this option:

<?xml version='1.0' encoding='utf-8'?>
<Context>
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
changeSessionIdOnAuthentication="false" />
</Context>

or (in case web form authentication):

<?xml version='1.0' encoding='utf-8'?>
<Context>
<Valve className="org.apache.catalina.authenticator.FormAuthenticator"
changeSessionIdOnAuthentication="false" />
</Context>

This should (temporary) solve your problem!

Upvotes: 2

Related Questions