Handling HTTP session Timeout in DWR


gunasekaran.d
How to force DWR to check for HTTP session alive for each remote call we make? I tried to handle this by writing a DWR filter on the server side that checks the HTTP session; if the session has timed out then I am throwing org.directwebremoting.impl.LoginRequiredException back as described in the weblink given below, and then on the JavaScript side I have declared a global error handler. The problem is, the global error handler is not getting called for org.directwebremoting.impl.LoginRequiredException exceptions thrown from the filter; instead the local exception handler of the DWR call is getting invoked. How to force DWR to call the global error handler? Otherwise I need to handle the org.directwebremoting.impl.LoginRequiredException exception in each DWR call exception handler, and this will be tedious. Please help me to solve this, thanks in advance.

http://terrajava.blogspot.com/2009/03/handling-dwr-session-timeouts.html

Re: Handling HTTP session Timeout in DWR

david@butterdev.com
The purpose of a call level error handler is to handle errors for a
specific call.  If a call level error handler is specified then that is
the handler that will be called when an Exception is thrown on the
server (if an Exception handler is not specified).  If a call level
error handler is not specified then the global handler will be called.
Specifying a call level error handler and then expecting DWR to call the
call level handler sometimes and the global error handler other times
doesn't make sense.

So how to solve this:

1) If you want to keep things the way they are (throwing Exception,
specifying a call level error handler and a global one) then you can
have all of you could so something like (note this is completely
untested pseudo code just to give you an idea):

Remote.call({
     // ..
     errorHandler: function(errorString, exception) {
         handleCallLevelError(errorString, exception, handleThisCallsErrors);
     }
});

function handleThisCallsErrors(errorString, exception) {
    // Handle this call's errors.
}

// In some common place, so all Remote calls in your system can use it.
function handleCallLevelError(errorString, exception, callLevelErrorHandler) {
     // First call the global handler to handle the potential LoginRequiredException.
     globalErrorHandler(errorString, exception);
     // Now call the callLevelErrorHandler.
     callLevelErrorHandler(errorString, exception);
}

2) Your other option is to NOT follow the advice in the article you
posted and when an html/text response is sent back from the server
handle it with DWR's textHtmlHandler:
http://directwebremoting.org/dwr/documentation/browser/errors.html

See the bottom of the page - "Coping with server session expiry"

On 12/22/2011 10:03 PM, gunasekaran.d wrote:

> How to force DWR to check for HTTP session alive for each remote call we
> make? I tried to handle this by writing a DWR filter on the server side that
> checks the HTTP session; if the session has timed out then I am throwing
> org.directwebremoting.impl.LoginRequiredException back as described in the
> weblink given below, and then on the JavaScript side I have declared a
> global error handler. The problem is, the global error handler is not
> getting called for org.directwebremoting.impl.LoginRequiredException
> exceptions thrown from the filter; instead the local exception handler of
> the DWR call is getting invoked. How to force DWR to call the global
> error handler? Otherwise I need to handle the
> org.directwebremoting.impl.LoginRequiredException exception in each DWR call
> exception handler, and this will be tedious. Please help me to solve this,
> thanks in advance.
>
> http://terrajava.blogspot.com/2009/03/handling-dwr-session-timeouts.html

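Added example, not part of the original posts and not DWR's own code: a variant of option 1 above in which one shared wrapper routes LoginRequiredException to a single session-expiry handler and passes every other error to the call's own handler. It assumes the exception object exposes javaClassName (an exception converter for the class must be configured on the server); withSessionCheck, isSessionExpired and the handler names are hypothetical.

```javascript
// Added example. Only errorHandler(errorString, exception) and the
// LoginRequiredException class name come from the thread; the rest is hypothetical.
const LOGIN_REQUIRED = "org.directwebremoting.impl.LoginRequiredException";

// Assumption: the converted exception carries javaClassName.
function isSessionExpired(exception) {
  return Boolean(exception) && exception.javaClassName === LOGIN_REQUIRED;
}

// Build the errorHandler for one remote call. Session expiry is handled once,
// in one place; all other errors go to the call's own handler.
// The server must still reject the call; this only decides what the browser does next.
function withSessionCheck(callLevelErrorHandler, onSessionExpired) {
  return function (errorString, exception) {
    if (isSessionExpired(exception)) {
      onSessionExpired(errorString, exception);
      return "session-expired";
    }
    if (typeof callLevelErrorHandler === "function") {
      callLevelErrorHandler(errorString, exception);
      return "call-level";
    }
    return "unhandled";
  };
}

// Constructed demo: two simulated server failures passed to the same handler.
function demo() {
  const log = [];
  const handler = withSessionCheck(
    (msg) => log.push("call:" + msg),
    () => log.push("redirect-to-login")
  );
  handler("Session timed out",
          { javaClassName: LOGIN_REQUIRED, message: "Session timed out" });
  handler("Bad input",
          { javaClassName: "java.lang.IllegalArgumentException", message: "Bad input" });
  return log;
}

// Usage shape in a page (not executed here):
//   errorHandler: withSessionCheck(handleThisCallsErrors, goToLogin)
```
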

Re: Handling HTTP session Timeout in DWR

david@butterdev.com
"1) If you want to keep things the way they are (throwing Exception,
specifying a call level error handler and a global one) then you can
have all of you could so something like (note this is completely
untested pseudo code just to give you an idea): "

Sorry, this should read:

1) If you want to keep things the way they are (throwing Exception,
specifying a call level error handler and a global one) then you can try
something like (note this is completely untested pseudo code just to
give you an idea):

On 12/22/2011 10:39 PM, David Marginian wrote:

> The purpose of a call level error handler is to handle errors for a
> specific call.  If a call level error handler is specified then that
> is the handler that will be called when an Exception is thrown on the
> server (if an Exception handler is not specified).  If a call level
> error handler is not specified then the global handler will be
> called.  Specifying a call level error handler and then expecting DWR
> to call the call level handler sometimes and the global error handler
> other times doesn't make sense.
>
> So how to solve this:
>
> 1) If you want to keep things the way they are (throwing Exception,
> specifying a call level error handler and a global one) then you can
> have all of you could so something like (note this is completely
> untested pseudo code just to give you an idea):
>
> Remote.call({
>     // ..
>     errorHandler: function(errorString, exception) {
>         handleCallLevelError(errorString, exception, handleThisCallsErrors);
>     }
> });
>
> function handleThisCallsErrors(errorString, exception) {
>    // Handle this call's errors.
> }
>
> // In some common place, so all Remote calls in your system can use it.
> function handleCallLevelError(errorString, exception, callLevelErrorHandler) {
>     // First call the global handler to handle the potential LoginRequiredException.
>     globalErrorHandler(errorString, exception);
>     // Now call the callLevelErrorHandler.
>     callLevelErrorHandler(errorString, exception);
> }
>
> 2) Your other option is to NOT follow the advice in the article you
> posted and when an html/text response is sent back from the server
> handle it with DWR's textHtmlHandler:
> http://directwebremoting.org/dwr/documentation/browser/errors.html
>
> See the bottom of the page - "Coping with server session expiry"


Re: Handling HTTP session Timeout in DWR

gunasekaran.d
Thanks for your reply David

My original intention was to use your second choice of handling HTTP session timeout by textHtmlHandler, but the problem was that the DWR call is getting remoted even after HTTP session timeout, and I am not sure that the DWR servlet is checking for HTTP session timeout before remoting the call to the Java object. Can you please tell me if there is any setting for enabling an HTTP session timeout check in the DWR servlet? That would solve my problem, and then I can use textHtmlHandler for routing to the login page.

I am using WebSphere app server.

Re: Handling HTTP session Timeout in DWR

david@butterdev.com
Often the server (container level security) will respond with the login
page (text/html) when a secure call has been attempted after the session
has expired.  The job of the textHtmlHandler is to allow users to handle
this situation.

The fact that the call is making it through to DWR indicates that your
application's security is not set up properly.  Your application's
security needs to sit in front of DWR.  It is not DWR's job to handle
this, nor do you want it to (there are so many ways and options for
handling application security).  I am not sure how you are handling
security for the rest of your application but it sounds like you haven't
secured dwr (/dwr) otherwise I am not sure why you need a specific
filter just for DWR requests.  So the first thing I would do is look at
your security layer and configuration.

You have several options here (after following my advice in paragraph
one and determining if you even need a specific filter for DWR which I
doubt):

1) Have your filter return text/html, and use the textHtmlHandler.
2) Leave the filter as is, either remove the call level error handler or
handle the session expiration in each call level error handler.
3) Follow the first recommendation in my previous email to get around
the problems with 2.

On 12/22/2011 11:28 PM, gunasekaran.d wrote:

> Thanks for your reply David
>
> My original intention was to use your second choice of handling HTTP session
> timeout by textHtmlHandler, but the problem was that the DWR call is getting
> remoted even after HTTP session timeout, and I am not sure that the DWR servlet
> is checking for HTTP session timeout before remoting the call to the Java
> object. Can you please tell me if there is any setting for enabling an HTTP
> session timeout check in the DWR servlet? That would solve my problem, and then I
> can use textHtmlHandler for routing to the login page.
>
> I am using WebSphere app server.


Re: Handling HTTP session Timeout in DWR

gunasekaran.d
As a short term approach, I have gone with option 1 and the solution is working fine, but I need to seriously look at putting in a security layer. Regarding adding security, what are the options you recommend?

Re: Handling HTTP session Timeout in DWR

david@butterdev.com
This is outside of the scope of DWR.  There are numerous resources on
the web for information on securing a Java web application.

On 12/25/2011 08:49 PM, gunasekaran.d wrote:
> As a short term approach, I have gone with option 1 and the solution is
> working fine, but I need to seriously look at putting in a security layer.
> Regarding adding security, what are the options you recommend?
