
Key: UP-1590
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Stephane Bond
Reporter: Stephane Bond
Votes: 0
Watchers: 1

uPortal

Portlet / Servlet session sharing

Created: 03/Oct/06 10:06 AM   Updated: 07/Feb/08 06:35 PM
Component/s: None
Affects Version/s: 2.5.3 GA
Fix Version/s: 2.6.0 M1

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown
File Attachments:
1. invalidate_portlets_sessions_patch.zip (3 kb)
2. invalidate_portlets_sessions_patch_2.zip (3 kb)
3. invalidate_portlets_sessions_patch_3.zip (3 kb)
4. invalidate_portlets_sessions_patch_4.zip (3 kb)

Issue Links:
Generic Relation
 
This issue relates to:
UP-1942 IllegalStateException in CPortletAdap... Minor Open


Description
JSR-168 allows session attribute sharing between servlets and portlets of the same context (PLT.15.4). This is the recommended way to download files from a portlet and for AJAX communication (see http://developers.sun.com/prodtech/portalserver/reference/techart/ajax-portlets.html).

To make session sharing possible, emptySessionPath="true" must be present in server.xml and portlet session attributes must be set with PortletSession.APPLICATION_SCOPE. This works fine with uPortal 2.5.

Sharing attributes with a servlet in a portlet context causes a security issue in uPortal. Since created portlet contexts are not invalidated on uPortal logout, portlet sessions are still active and servlets present in these contexts are still available after the logout.

The same issue was recently fixed in Jetspeed 2 (http://issues.apache.org/jira/browse/JS2-582).

The solution is to invalidate all created portlet sessions on the end-of-session cleanup.


Stephane Bond [19/Oct/06 09:25 AM]
Patch to solve the issue:
  • Add a specific PortletServlet class (org.jasig.portal.container.PortletServlet) to act as a Portlet Wrapper into portlet’s web.xml file. The new PortletServlet extends the Pluto PortletServlet (org.apache.pluto.core.PortletServlet) actually used by uPortal. It contains code for PortletSession monitoring,
  • Update Deployer.java to set "org.jasig.portal.container.PortletServlet" instead of "org.apache.pluto.core.PortletServlet" into portlet’s web.xml file,
  • Update build.xml to copy the PortletServlet class into tomcat/share folder,
  • Use CPortletAdapter.java to monitor PortletSession object on portlets invocation and invalidate them with the receiveEvent (with SESSION_DONE) method.

Stephane Bond [19/Oct/06 04:19 PM]
New patch with these fixes:
  • Use WeakHashMap to store PortletSessions in CPortletAdapter
  • Cleaner version of PortletServlet

Stephane Bond [19/Oct/06 04:56 PM]
Updated patch #3 using WeakReference instead of WeakHashMap.

Stephane Bond [19/Oct/06 07:30 PM]
Fix possible NPE with WeakReference in CPortletAdapter

Stephane Bond [04/Feb/07 05:17 PM]
Patch has been applied on HEAD for the 2.6 release
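
An added sketch (not the code in the attached patches) of the approach described in the comments above: every portlet session seen on invocation is held through a WeakReference and invalidated when the portal session ends, with a guard for references that have already been cleared. The class name `PortletSessionTracker` and the stand-in `Session` interface, which takes the place of `javax.portlet.PortletSession` so the example compiles with the JDK alone, are assumptions.

```java
import java.lang.ref.WeakReference;
import java.util.ArrayList;
import java.util.List;

// Added illustration, not the attached patch. Names are hypothetical.
public class PortletSessionTracker {
    // Stand-in for javax.portlet.PortletSession (assumption: keeps this JDK-only).
    public interface Session {
        void invalidate(); // throws IllegalStateException if already invalidated
    }

    // Weak references: tracking must not keep a session object alive by itself.
    private final List<WeakReference<Session>> tracked = new ArrayList<>();

    // Call on every portlet invocation with the session that portlet used.
    public synchronized void track(Session s) {
        if (s == null) return;
        for (WeakReference<Session> ref : tracked) {
            if (ref.get() == s) return; // already tracked
        }
        tracked.add(new WeakReference<>(s));
    }

    // Call from end-of-session cleanup (logout or timeout); returns how many were invalidated.
    public synchronized int invalidateAll() {
        int count = 0;
        for (WeakReference<Session> ref : tracked) {
            Session s = ref.get(); // null once the referent has been collected
            if (s == null) continue;
            try {
                s.invalidate();
                count++;
            } catch (IllegalStateException alreadyInvalid) {
                // The session expired on its own; nothing left to clean up.
            }
        }
        tracked.clear();
        return count;
    }

    public static void main(String[] args) {
        boolean[] live = {true}; // constructed sample sessions
        Session a = () -> live[0] = false;
        Session b = () -> { throw new IllegalStateException("already invalidated"); };
        PortletSessionTracker t = new PortletSessionTracker();
        t.track(a); t.track(a); t.track(b); t.track(null);
        System.out.println(t.invalidateAll() + " invalidated, a live=" + live[0]);
    }
}
```

One tracker instance is meant to live per portal user session, so that a logout only invalidates the portlet sessions that user created.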