Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Won't Fix
-
Affects Version/s: 2.0.0
-
Fix Version/s: 3.0
-
Component/s: Framework
-
Labels:None
-
Environment:Debian or OpenSUSE, Java SUN or OpenJDK, Glassfish 3.0.1, IceFaces 2.0.0
-
Assignee Priority:P1
-
ICEsoft Forum Reference:
-
Workaround Exists:Yes
-
Workaround Description:
Description
I now have created a smaller project that demonstrates the problem. The realm is based on a MySQL database and created like
==== create realm ==============
sudo /opt/glassfishv3/glassfish/bin/asadmin create-auth-realm --classname com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm --property jaas-context=jdbcRealm:datasource-jndi=card:user-table=employees:user-name-column=userid:password-column=password:group-table=employees:group-name-column=role:digest-algorithm=MD5 userauth
========== end =============
===== web.xml ================
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>com.icesoft.faces.uploadDirectory</param-name>
<param-value>upload</param-value>
</context-param>
<context-param>
<param-name>org.icefaces.strictSessionTimeout</param-name>
<param-value>true</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>Resource Servlet</servlet-name>
<servlet-class>com.icesoft.faces.webapp.CompatResourceServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/icefaces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Resource Servlet</servlet-name>
<url-pattern>/xmlhttp/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
3
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>Secured/client.jsf</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/Secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>userauth</realm-name>
<form-login-config>
<form-login-page>/Open/login.jsp</form-login-page>
<form-error-page>/Open/loginfailed.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Manages the employees</description>
<role-name>MANAGER</role-name>
</security-role>
</web-app>
========== End =============
===== sun-web.xml ============
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
<context-root>/SessionTimeOut</context-root>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>ADMIN</group-name>
</security-role-mapping>
</sun-web-app>
======== End ===============
Now in the Open dir I have 2 files
login.jsp and loginfailed.jsp.
In the Secured dir I have created a client.xhtml that uses a template.xhml
======= client.xhtml =============
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ui:composition xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:icecore="http://www.icefaces.org/icefaces/core"
xmlns:ice="http://www.icesoft.com/icefaces/component"
xmlns:ace="http://www.icefaces.org/icefaces/components"
template="./newICEfacesTemplate.xhtml">
<ui:define name="top">
top
</ui:define>
<ui:define name="left">
left
</ui:define>
<ui:define name="content">
<ice:form id="panelform">
<ice:panelTabSet height="330px">
<ice:panelTab label="First Tab">
<ice:outputText value="First content"/>
</ice:panelTab>
<ice:panelTab label="Second Tab">
<ice:outputText value="Second content"/>
</ice:panelTab>
</ice:panelTabSet>
</ice:form>
</ui:define>
<ui:define name="bottom">
bottom
</ui:define>
</ui:composition>
============== End =============
As you can see in the above web.xml the directory Secured is protected. When I request client.jsp in the browser I am correctly redirected to the login page. After a successful authorization I get the client.jsp page correctly. I have currently set the session time out till only 3 minutes. I have also set the strictSessionTimeout to true. I have no redirect page in case of a session timeout. The problem is shown already without that.
======= Symptom ==========
After 3 minutes of inactivity you can't anymore click on the tabs => the GUI becomes totally unresponsive.
=======================
It is worth mentioning that without the realm I correctly get a popup indicating that the session has expired.
If you want I can share the war file or the source
Cheers,
// Jonas
==== create realm ==============
sudo /opt/glassfishv3/glassfish/bin/asadmin create-auth-realm --classname com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm --property jaas-context=jdbcRealm:datasource-jndi=card:user-table=employees:user-name-column=userid:password-column=password:group-table=employees:group-name-column=role:digest-algorithm=MD5 userauth
========== end =============
===== web.xml ================
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>com.icesoft.faces.uploadDirectory</param-name>
<param-value>upload</param-value>
</context-param>
<context-param>
<param-name>org.icefaces.strictSessionTimeout</param-name>
<param-value>true</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>Resource Servlet</servlet-name>
<servlet-class>com.icesoft.faces.webapp.CompatResourceServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/icefaces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Resource Servlet</servlet-name>
<url-pattern>/xmlhttp/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
3
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>Secured/client.jsf</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/Secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>userauth</realm-name>
<form-login-config>
<form-login-page>/Open/login.jsp</form-login-page>
<form-error-page>/Open/loginfailed.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Manages the employees</description>
<role-name>MANAGER</role-name>
</security-role>
</web-app>
========== End =============
===== sun-web.xml ============
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
<context-root>/SessionTimeOut</context-root>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>ADMIN</group-name>
</security-role-mapping>
</sun-web-app>
======== End ===============
Now in the Open dir I have 2 files
login.jsp and loginfailed.jsp.
In the Secured dir I have created a client.xhtml that uses a template.xhml
======= client.xhtml =============
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ui:composition xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:icecore="http://www.icefaces.org/icefaces/core"
xmlns:ice="http://www.icesoft.com/icefaces/component"
xmlns:ace="http://www.icefaces.org/icefaces/components"
template="./newICEfacesTemplate.xhtml">
<ui:define name="top">
top
</ui:define>
<ui:define name="left">
left
</ui:define>
<ui:define name="content">
<ice:form id="panelform">
<ice:panelTabSet height="330px">
<ice:panelTab label="First Tab">
<ice:outputText value="First content"/>
</ice:panelTab>
<ice:panelTab label="Second Tab">
<ice:outputText value="Second content"/>
</ice:panelTab>
</ice:panelTabSet>
</ice:form>
</ui:define>
<ui:define name="bottom">
bottom
</ui:define>
</ui:composition>
============== End =============
As you can see in the above web.xml the directory Secured is protected. When I request client.jsp in the browser I am correctly redirected to the login page. After a successful authorization I get the client.jsp page correctly. I have currently set the session time out till only 3 minutes. I have also set the strictSessionTimeout to true. I have no redirect page in case of a session timeout. The problem is shown already without that.
======= Symptom ==========
After 3 minutes of inactivity you can't anymore click on the tabs => the GUI becomes totally unresponsive.
=======================
It is worth mentioning that without the realm I correctly get a popup indicating that the session has expired.
If you want I can share the war file or the source
Cheers,
// Jonas
Activity
| Field | Original Value | New Value |
|---|---|---|
| Assignee | Mircea Toma [ mircea.toma ] |
| Attachment | SessionTimeOut.tgz [ 12891 ] |
This is a blocker for any type of deployment with a REALM as the user experience is that the IceFaces application just freezes up. I'd say this is a pretty important thing to fix.
Show
Jonas Arndt
added a comment - This is a blocker for any type of deployment with a REALM as the user experience is that the IceFaces application just freezes up. I'd say this is a pretty important thing to fix.
Can somebody please get back to me on this issue? At least to let me know if there are plans to address this or not. We can't move forward if this is not solved. We have started to look at alternatives, such as PrimFaces and others, but the whole project is done in IceFaces and ready to go. Please get back to me on this.
Show
Jonas Arndt
added a comment - - edited Can somebody please get back to me on this issue? At least to let me know if there are plans to address this or not. We can't move forward if this is not solved. We have started to look at alternatives, such as PrimFaces and others, but the whole project is done in IceFaces and ready to go. Please get back to me on this.
I have the same problem in my project
the pages freezes after session timeout
a reload correct the problem
The application also works with MySQL
no exception appends
Its very important
Show
Bernard Banitz
added a comment - I have the same problem in my project
the pages freezes after session timeout
a reload correct the problem
The application also works with MySQL
no exception appends
Its very important
I had the same problem. I was able to work around it using Icefaces + Spring Security
http://wiki.icefaces.org/display/ICE/Spring+Security
| Salesforce Case | [] | |
| Fix Version/s | 2.1 [ 10241 ] | |
| Assignee Priority | P1 |
| Repository | Revision | Date | User | Message |
| ICEsoft Public SVN Repository | #24948 | Tue Jul 05 07:31:37 MDT 2011 | mircea.toma | |
| Files Changed | ||||
MODIFY
/icefaces2/trunk/icefaces/samples/core/test/session-expiry/src/main/webapp/login.jsp
|
Added test for session expiry in form based authenticated applications. Included workaround login page.
Show
Mircea Toma
added a comment - Added test for session expiry in form based authenticated applications. Included workaround login page.
The application becomes frozen after the session has expired because any subsequent request will have as the response the login page, including AJAX postbacks. Since the login page is not a partial update nothing gets changed in the page.
Show
Mircea Toma
added a comment - The application becomes frozen after the session has expired because any subsequent request will have as the response the login page, including AJAX postbacks. Since the login page is not a partial update nothing gets changed in the page.
The added test case includes a workaround that changes the JSP login page to respond with the HTML form entry markup on HTTP GET requests and with an error XML response in case of a POST request. This way when the session has expired and the user interacts with a the page (not loading it) the XML error response will be interpreted by the ICEfaces bridge and render the session expired popup.
Show
Mircea Toma
added a comment - The added test case includes a workaround that changes the JSP login page to respond with the HTML form entry markup on HTTP GET requests and with an error XML response in case of a POST request. This way when the session has expired and the user interacts with a the page (not loading it) the XML error response will be interpreted by the ICEfaces bridge and render the session expired popup.
Using a JSF login page is not possible because the requests made by the page for the JS resources will also receive the login page markup instead. Any other JSF mechanism will not work since the request does not reach the FacesServlet until the authentication is successful.
Show
Mircea Toma
added a comment - - edited Using a JSF login page is not possible because the requests made by the page for the JS resources will also receive the login page markup instead. Any other JSF mechanism will not work since the request does not reach the FacesServlet until the authentication is successful.
| Workaround Description | There is no work-around |
Respond with the following XML markup when POST requests are received after the session has expired: <partial-response><error><error-name>class org.icefaces.application.SessionExpiredException</error-name><error-message>Session has expired</error-message></error></partial-response> |
| Workaround Exists | [Yes] | |
| Salesforce Case | [] |
| Workaround Description |
Respond with the following XML markup when POST requests are received after the session has expired: <partial-response><error><error-name>class org.icefaces.application.SessionExpiredException</error-name><error-message>Session has expired</error-message></error></partial-response> |
First workaround -- respond with the following XML markup when POST requests are received after the session has expired: <partial-response><error><error-name>class org.icefaces.application.SessionExpiredException</error-name><error-message>Session has expired</error-message></error></partial-response> Second workaround -- enable ICEpush in the application, the page/s will get notified about session expiry and render the popup message |
| Salesforce Case | [] |
Attached the login page that can be used to send the XML error message on postbacks after session is expired.
Show
Mircea Toma
added a comment - Attached the login page that can be used to send the XML error message on postbacks after session is expired.
| Attachment | login.jsp [ 13339 ] |
| Workaround Description |
First workaround -- respond with the following XML markup when POST requests are received after the session has expired: <partial-response><error><error-name>class org.icefaces.application.SessionExpiredException</error-name><error-message>Session has expired</error-message></error></partial-response> Second workaround -- enable ICEpush in the application, the page/s will get notified about session expiry and render the popup message |
First workaround -- respond with the following XML markup when POST requests are received after the session has expired (see attached login page): <partial-response><error><error-name>class org.icefaces.application.SessionExpiredException</error-name><error-message>Session has expired</error-message></error></partial-response> Second workaround -- enable ICEpush in the application, the page/s will get notified about session expiry and render the popup message |
| Salesforce Case | [] |
Marking this issue as "won't fix" since a JSF/ICEfaces solution is not feasible.
Show
Mircea Toma
added a comment - Marking this issue as "won't fix" since a JSF/ICEfaces solution is not feasible.
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | Won't Fix [ 2 ] |
Hi everybody,
I have (and I'm not the only one) exactly the same issue clicking on panelTab when the session is lost -->the GUI becomes unresponsive.
[window] Error [status: emptyResponse code: 200]: An empty response was received from the server. Check server error logs.
exception ? console.er...ror(formatOutput(category, message));
However, clicking on ice:commandLink or commandButton component, when the session is lost works well!!!! The JsfRedirectStratefy class from spring-secucirty 3, is able detect and redirect to my login page.
Hence, this is only when I click on panelTab component that my application becomes unresponsive.
Could anybody explain in details the workaround by ice push?
thanks
Show
Jean-brice Rougeot
added a comment - Hi everybody,
I have (and I'm not the only one) exactly the same issue clicking on panelTab when the session is lost -->the GUI becomes unresponsive.
[window] Error [status: emptyResponse code: 200] : An empty response was received from the server. Check server error logs.
exception ? console.er...ror(formatOutput(category, message));
However, clicking on ice:commandLink or commandButton component, when the session is lost works well!!!! The JsfRedirectStratefy class from spring-secucirty 3, is able detect and redirect to my login page.
Hence, this is only when I click on panelTab component that my application becomes unresponsive.
Could anybody explain in details the workaround by ice push?
thanks
| Status | Resolved [ 5 ] | Closed [ 6 ] |
This is a dump of the NetBeans project. Note that you'll still need to create the database tables and the MySQL realm