I like the form-login approach in the servlet specification. It's easy to use and is supported by all servlet containers in almost the same way. We use the Tomcat engine in our development and ran into one small problem regarding form-login.
Everything works as expected except in the case when the user's session has timed out and you have to deal with an encoding other than Latin-1 (UTF-8, for example).
Forcing Tomcat to use UTF-8 for request data processing is a different long story... In short, we use a filter which calls request.setCharacterEncoding("UTF-8") for each request. This solution works great in 99.9% of cases, except this one:
If a user tries to POST form data when the HttpSession has timed out, the posted data appears completely wrongly decoded after successful user authorization. In this case the servlet data is processed using the default Latin charset instead of the UTF-8 which the browser uses and which is set in our filter.
What should we do to avoid this situation? I tried to track down the problem in the Tomcat source code: when a user tries to access a location he isn't (yet) authorized for, Tomcat processes such a request bypassing all filters configured in web.xml. So the request's character encoding remains the default, which seems correct for security reasons. So I decided simply not to let the HttpSession die.
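As an added illustration, not code from the original post, of why the posted data comes out garbled: the browser sends UTF-8 bytes, and a container with no request encoding set reads them as ISO-8859-1, one character per byte. The Node.js functions below (assumption: Node's Buffer API) reproduce both decodings and show that such a value can still be recovered by reversing the mis-decoding, with a round-trip check so that text which was not mojibake is not "repaired" into garbage.

```javascript
// Added example, not code from the original post. Assumes Node.js (Buffer API).
// Models the decodings involved in the form-login / session-timeout problem.

// The browser submits the form field as UTF-8 bytes.
function encodeFormValue(value) {
  return Buffer.from(value, "utf8");
}

// Container with request.setCharacterEncoding("UTF-8") applied by the filter.
function decodeAsUtf8(bytes) {
  return bytes.toString("utf8");
}

// Container with no encoding set (the form-login replay case): the bytes are
// read as ISO-8859-1, so every non-ASCII character turns into one garbage
// character per byte.
function decodeAsDefaultLatin(bytes) {
  return bytes.toString("latin1");
}

// A Latin-1 mis-decoding loses no information: each char maps back to exactly
// one original byte, so re-encoding as Latin-1 restores the UTF-8 bytes.
// Two guards reject input that was not really mis-decoded UTF-8 and return
// null instead of silently producing U+FFFD replacement characters.
function repairMisdecoded(str) {
  if (/[^\u0000-\u00ff]/.test(str)) {
    return null; // contains chars outside Latin-1, so it never came from a Latin-1 decode
  }
  const bytes = Buffer.from(str, "latin1");
  const decoded = bytes.toString("utf8");
  if (!Buffer.from(decoded, "utf8").equals(bytes)) {
    return null; // bytes were not well-formed UTF-8; leave the value alone
  }
  return decoded;
}

// Whole flow for one submitted value: what the servlet sees with and without
// the filter, and whether the garbled value is recoverable.
function simulatePost(value) {
  const wire = encodeFormValue(value);
  const withoutFilter = decodeAsDefaultLatin(wire);
  return {
    withFilter: decodeAsUtf8(wire),
    withoutFilter,
    recovered: repairMisdecoded(withoutFilter),
  };
}
```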
Each page in the protected area now contains the following JavaScript:
// Ping the keep-alive servlet every 5 minutes (300000 ms) so the HttpSession
// stays alive while this page is open in the browser.
function execRefresh() {
    getXMLDOM("/xml/refresh", emptyFunc);   // fetch via XMLHttpRequest, ignore the response
    setTimeout(execRefresh, 300000);        // schedule the next ping
}
setTimeout(execRefresh, 300000);            // start the cycle 5 minutes after page load
getXMLDOM is a library function which fetches URL data using XMLHttpRequest.
The servlet mapped to /xml/refresh does nothing; it just doesn't let the HttpSession object die.
As a result we don't have to make the session timeout too long, but if the user closes the browser window, the resources stored in the session will be freed by the timeout.