I am working on an Eclipse RAP application (RCP as web application). After the servlet container has invalidated the HttpSession (session timeout, setMaxInactiveInterval exceeded) the following exception is thrown when clicking on the application in the browser:
java.lang.NullPointerException
at org.eclipse.rap.rwt.internal.service.LifeCycleServiceHandler.service(LifeCycleServiceHandler.java:66)
at org.eclipse.rap.rwt.engine.RWTServlet.handleValidRequest(RWTServlet.java:135)
...
So I implemented a javax.servlet.Filter that detects the situation and should now redirect somewhere to display a "session timeout, please reload" message.
My preferred solution for the "session timeout" warning would be a simple HTML5 page with a link back to the application. But I don't know how to integrate HTML5 pages with a RAP application (and whether that is a good idea to start with). Also I am not clear how and where the redirect should happen.
For redirecting I tried two variations in the Filter.
The first one gives me "Error: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data":
httpServletResponse.sendRedirect("/myapp");
And this one "java.lang.IllegalStateException: Invalid thread access
at org.eclipse.rap.rwt.RWT.checkContext(RWT.java:704)"
UrlLauncher launcher = RWT.getClient().getService(UrlLauncher.class);
launcher.openURL("http://www.eclipse.org/");
So I am probably really going down the wrong path here...
Does anybody know of a standard way to deal with HTTP session timeout situations in an Eclipse RAP application?
Is the HTTP session the correct place to deal with this or should I be looking at org.eclipse.rap.rwt.service.UISession, or something else?
How can I redirect to the home of the application if it lives on an URL like "http://127.0.0.1:50045/myapp"?
Can I easily integrate simple HTML5 pages with a RAP application (pages in same Eclipse project, deployed in same WAR, available on same host)? Or will this be a tedious task that does not come out of the box?
First off, a NullPointerException should never happen during normal operations, please file a bug including the RAP version and a stacktrace.
Just a guess, the problem may be caused by invalidating the session from within the request processing. If this is the case, it may help to use the HttpSession method setMaxInactiveInterval with a small timeout instead.
The problem with redirects is that a RAP application sends background (a.k.a. Ajax) requests to the server and expects JSON responses in return. If your filter redirects to some other page, the RAP client receives an HTML page instead of JSON. In order to redirect the browser to another page, you should send a JSON response to the client that includes this redirect (see bug 388249):
{"head": {"redirect": "http://www.myurl.com/"}}
To integrate other HTML5 pages in your RAP application, consider the Browser widget.
System.exit(0) if you want termination to be fluid - then modify your application specific shutdown hooks/exit code response to notify as you please.
Java based RAP/RCP:
try{
HttpSessionCollector.terminationQueue.remove(RWT.getUISession().getId());
RWT.getUISession().getHttpSession().invalidate();
System.exit(0);
}catch(Exception ex){
ex.printStackTrace();
System.out.println("failed to terminate session. adding user back to sessions list");
HttpSessionCollector.add();
}
Related
We are using form-based auth in our GWT application and I'm currently struggling a lot with session timeout.
If the user is logged in and performs an action that will trigger a request for a static resource AFTER the session has timed out, then the login page is shown and when the user logs in again, then only the image resource is shown to the user. An example is if the user hovers the mouse over a button, and the button need to fetch a icon which is shown on mouse over.
It is logical that this will happen, since the login page was triggered by the request for the image, but it is not really the behavior that we want. It would much better that the user is redirected to the page he was on, or alternatively another page.
How can this be handled in a better way? As I understand it is very difficult to change the redirect url, which j_security_check uses to redirect the user after successful login.
The way I solve it is to only protect the HTML host page with a <security-constraint>. Static resources (images, stylesheets, GWT scripts) aren't protected at all, and AJAX endpoints (GWT-RPC, RequestFactoryServlet, or other endpoints called using AJAX from the app) only check the presence of a user Principal in the request (this can be done in a servlet filter, or a RequestFactory ServiceLayerDecorator), and return an error otherwise (but do not trigger the login page).
You can see an example web.xml here with the code to handle the security in RequestFactory here (and the code to handle the response on the client-side here). For GWT-RPC, you'd probably do that using a servlet filter and a custom RpcRequestBuilder or a base AsyncCallback<?> implementation.
I have developed one application and facing issue with security stuff.
My application is running in doPost method which doesn't explicit the URL in browser. If I'm trying to change the doPost to doGet (using webdeveloper tools-->Forms), my application's URL will be displaying explicitly. So I need to throw an error/stop app response, If user tries to change the forms from doPost to doGet ?
I suppose the question here is: Why do you regard it as a security issue, that the URL might be displayed in the browser?
In case you don't want the user to have access to the URL or other request data, you probably have fundamental design problem, as the user can track the post request using the developer tools.
In case you don't want somebody else than the user to see the URL and thus think it should not be displayed in the browser, I would not worry, as the user has to actively and consciously "mess" with your application to achieve this behavior.
In general it is probably a good idea to throw errors and prevent the request from being processed if your front end does not behave as expected.
Is there a way to go to a url without redirecting to it? Basically I want to call a url from within my application in the background so it can logout a reliant party.
Appreciate the help.
What you are trying to do does not compete us to answer as it's directly related to your own Authentication implementation.
A normal ASP.NET Authentication based in Forms Authentication you will need always to lunch the url from a browser as it is there that relies the Authentication given.
You can give yourself a try by opening your website and log in into it, after that, open other browser brand (not browser window) into your application url... you will see that you also need to login again as the Authentication is hook up into the first browser.
It's Up to you as Application Architect to make this by implementing another way of authentication, normally in this kind'a cases, this happend when consuming web services where you need a authentication code first (given by calling a Login method) and that code is always needed to be appended to the body or header of any call to the system.
This way you can easily remove the authentication code and all procedure calls will fail.
As said, this is not up to us, it's up to you to create the correct Authentication Layer.
from your comment
it's as simple as using WebClient object
WebClient client = new WebClient ();
string reply = client.DownloadString (address);
If you wish to transfer to a new url request you can still use
Server.TransferRequest()
The problem with this is that by not using a redirect the browsers address bar will not reflect the fact that you have moved their request to another URL.
To have the client visit a given URL in the background you should either make an AJAX call to it or possibly have an image with an src of your logout url (though you'd have to make sure that you return a FileResult of your image too). This is how most analytics packages call to their relevant urls in the background.
The problem here though is that neither is 100% reliable, turn off javascript or images on your browser and these results fail.
From what you've said I think what you're after is for a user to continue to any of a variety of pages rather than a specific logout page. If this is indeed the case your best solution is in fact a double redirect.
Have your application redirect to your logout url but before hand put the url of the page you want them to go to into tempdata. Then in the actionresult for the logout page you can do your logging out as required and return a redirect to the url from tempdata.
I need to include some secure (BASIC authentication) application.
when I open the application URL in the browser, the browser asks me to enter your credentials ...
what I know is that:
The browser ask the server to get
some URL -- the url of the app
The server checks the request header
for the Authentication header and
didn't find it
The server sends 401 to the
browser back
The browser interpret this response
code into a message dialog that
shows to me asking me to enter the
username/password to send back to
the server in the Authentication
request header
So far... so good, I can write some page (in JSP) that send this required http request header to the request that is calling this page..
So I'll call this application through my page..
The problem here is, this application (in fact a GWT application) contains a reference to some Javascript and CSS files that is coming from the server that hosts this application. the application page that I import looks like:
<html>
<link href="http://application_host/cssfile.css" />
<link href="http://application_host/javascriptfile.js" />
.....
</html>
So, again I found the application asks me for the authentication crenditals for the css and js files!
I am thinking of many solutions but don't know the applicability of each
One solution is to ask the browser
(via Javascript) to send the request
header (Authentication) when he
asks the server for the js and css
files
please give me your opinions about that... and any other suggestions will be very welcomed.
Thanks.
I think you're running into some weirdness with how your server is configured. Authentication happens in context of a authentication realm. Your assets should either be in the same authentication realm as your page, or (more likely) should not require authentication at all. The browser should be caching credentials for the given realm, and not prompt for them again.
See the protocol example on http://en.wikipedia.org/wiki/Basic_access_authentication
Judging from your story, something tells me your problem is with the authentication method itsef. Not how to implement it. Why do you want to bother with the request header so much?
As far as i know, you can configure your container (ie Tomcat) to force http authentication for certain urls. Your container will make sure that authentication has taken place. No need to set http headers yourself whatsoever.
Perhaps you can explain a bit better what you are trying to achieve, instead of telling implementation details?
Why css & js files are kept in protected area of server? You need to place files into public area of your server. If you don't have public area, so you nead to prpvide for it. how to do it depends from serverside software architecture & configuration.
Why does using Fiddler break my site sometimes on page transitions.
After a server side redirect -- in the http response (as found in Fiddler) I get this:
Object moved
Object moved to here.
The site is an ASP.NET 1.1 / VB.NET 1.1 [sic] site.
Why doesnt Fiddler just go there for me? i dont get it.
I'm fine with this issue when developing but I'm worried that other proxy servers might cause this issue for 'real customers'. Im not even clear exactly what is going on.
That's actually what Response.Redirect does. It sends a 302 - Object moved response to the user-agent. The user-agent then automatically goes to the URL specified in the 302 response. If you need a real server-side redirect without round-tripping to the client, try Server.Transfer.
If you merely constructed the request using the request builder, you're not going to see Fiddler automatically follow the returned redirect.
In contrast, if you are using IE or another browser, it will generally check the redirect header and follow it.
For IE specifically, I believe there's a timing corner case where the browser will fail to follow the redirect in obscure situations. You can often fix this by clicking Tools / Fiddler Options, and enabling both the "Server" and "Client" socket reuse settings.
Thanks user15310, it works with Server.Transfer
Server.Transfer("newpage.aspx", true);
Firstly, transferring to another page using Server.Transfer conserves server resources. Instead of telling the browser to redirect, it simply changes the "focus" on the Web server and transfers the request. This means you don't get quite as many HTTP requests coming through, which therefore eases the pressure on your Web server and makes your applications run faster.
But watch out: because the "transfer" process can work on only those sites running on the server, you can't use Server.Transfer to send the user to an external site. Only Response.Redirect can do that.
Secondly, Server.Transfer maintains the original URL in the browser. This can really help streamline data entry techniques, although it may make for confusion when debugging.
That's not all: The Server.Transfer method also has a second parameter—"preserveForm". If you set this to True, using a statement such as Server.Transfer("WebForm2.aspx", True), the existing query string and any form variables will still be available to the page you are transferring to.
Read more here:
http://www.developer.com/net/asp/article.php/3299641/ServerTransfer-Vs-ResponseRedirect.htm