Win a copy of Mesos in Action this week in the Cloud/Virtualizaton forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Getting all sessions

 
pavan kumar singaraju
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi
how can i get all the sessions associated with a particular web application running on Apache Tomcat 5.0.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can't, as this would be a security risk. Atleast it isn't exposed through the J2EE API...

There are two options:
1) get the Tomcat source caode and find out what other public methods are available.
2) get the Tomcat source, and rewrite it to break open the required functionality.

Note I'm not saying you should do the second point, just that you can. The security aspects should not be discounted.

Sounds like this could become pretty Tomcat specific, I'm moving this to the Apache/Tomcat forum.

Dave
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If this is a requirement for your app, you can implement it yourself using session listeners and a singleton or context scoped map.

  • When your app initializes, instanciate the map and bind to context scope.
  • Using a session listener, add a reference for each session to the map (the sessionID makes a perfect key).
  • Whenever you want to view all the sessions, iterate over the map and pull each one.


  • If you'd like to see an example of this, go to http://simple.souther.us/not-so-simple.html and grab SessionMonitor.war.
     
    David O'Meara
    Rancher
    Posts: 13459
    Android Eclipse IDE Ubuntu
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    You're quite right, the way you've approached it, but the problem I find is that when people start building something like this, they can't help re-inventing session manangement and this is something I find very dangerous.

    Just to state again Ben's is a workable solution, but don't take it any further!

    Dave
     
    Ben Souther
    Sheriff
    Posts: 13411
    Firefox Browser Redhat VI Editor
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Originally posted by David O'Meara:
    You're quite right, the way you've approached it, but the problem I find is that when people start building something like this, they can't help re-inventing session manangement and this is something I find very dangerous.

    Just to state again Ben's is a workable solution, but don't take it any further!

    Dave


    Agreed
    This was actually in the ServletAPI and was removed for security reasons.
    http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpSessionContext.html

    Anytime you build something yourself, you need to weigh the 'benefit vs risk' in doing so. If you're going to add this functionality to a real production app, think hard about what you're exposing and to whom.

    With this same technique, you could choose to expose only a subset from within your session. For example, you could create a userBean with properties that you want to expose and store a reference to that object instead of the session itself. You could also use the "Facade Pattern" to wrap the sessions that you are exposing which would also allow you to limit what methods and properties are exposed.

    In otherwords, building it yourself can be much safer than having the methods exposed as part of the Servlet Spec but it is up to you to understand the risks involved.
     
    Stefan Evans
    Bartender
    Posts: 1717
    10
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    An alternative approach to the SessionListener, is to use a session binding listener.

    A lot of web applications require a login, and put a "user" object in session when login is successful.
    If you make that user object implement "HttpSessionBindingListener" then it will fire an event any time that object is put into a session/removed from a session (ie presumably at Login, and logout/session expiry)

    The most common reason I can think of that people want all the current sessions for is to iterate through and find out if that user is logged in already. A HttpSessionBindingListener may be more appropriate way to handle that requirement.
     
    pavan kumar singaraju
    Greenhorn
    Posts: 5
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    HI All,
    thanks for the good advices and alternatives provided.
     
    • Post Reply
    • Bookmark Topic Watch Topic
    • New Topic