Vaishali Joshi

Greenhorn
+ Follow
since Dec 28, 2001
Cows and Likes
Cows
Total received
0
In last 30 days
0
Total given
0
Likes
Total received
0
Received in last 30 days
0
Total given
0
Given in last 30 days
0
Forums and Threads
Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by Vaishali Joshi

BTW, how is Malicious code related to servlets??? Servlet would be developed by the company itself and would run on company's servers after testing. It's not like a company will download any servlet from the web and put it on the webserver!!!
Thanks for the links, Ramdhan. I'll go through these.
I think putting this up on the Sun's site would be a good idea.

The cause of confusion is that in the Servlet 2.3 Specification, the description for HttpSessionBindingListener excplitily says, "Causes an object to be notified when it is bound to or unbound from a session.
The object is notified by an HttpSessionBindingEvent object.This may be as a
result of a servlet programmer explicitly unbinding an attribute from a session,
due to a session being invalidated, or due to a session timing out.".
But it does not say so for HttpSessionAttributeListener.
Please do let us know what they say.
Could anybody please direct me to resoures for the following objective?
Identify correct descriptions or statements about the security issues:
Malicious code
Web site attacks
thanks,
Vaishali.
Thanks for clearing that up, Jyothi. But that's not what the question is about. The question is whether attributeRemoved() of HttpSessionAttributeListener should be called at all if the session is invalidate. Although, Tomcat calls it but the API does not say so (like it says so clearly for HttpSessionBindingListener).
So what's the answer??? According to the API, there is no reason to call the attributeRemoved() method when the session is invalidated. But tomcat calls it. So either Tomcat is wrong or the API is wrong!!!

Originally posted by Chintan Rajyaguru:
I think in ServletContext interface there is a method
ServletContext getContext(String path)


Yeah, I didn't consider that.

Originally posted by jyothi ve:
I hope the use of HttpSessionListener class is to initilize or track information before serving the requests.
For example: For Admin purpose to findout number of active sessions in the given point of time, how many users accessed the site etc.
when session destroy called number of active users will get reduced.
If you want to initialize some session specific information you can do in this method


That's what I am trying to say. It seems to be the purpose of this interface but you cannot do any of things that you have mentioned. Can you please write some code to show how will you do this?
All you can do is add some generic attribute (I mean, not even user specific because at this time, you won't know whose session is this) in the sessions as soon as they are created using the sessionCreated() method. Yes, you may get value for this attribute from the database.
But I am unable to think of any other use of this interface. Specifically, I more frustrated by the presence of the "good for nothing" sessionDestroyed() method.
Actually sun is not right. I tested the following code:
boolean a = true, b = false, c = false;
System.out.println( a || b && c );
If || and && had the same precedence and if it were only left to right, the above line would have printed false , but it prints true. This means that it is equivalent to a || (b && c)
I cannot see why would you create a database connection in say MyHttpSessionListener class. Even if you do, how will you use that connection? You won't even have a reference to the object of this class.
The only handles you have are the sessionCreated() or sessionDestroyed() methods. For all you know, these method may not even be called if nobody accesses the web application !!!


Some of the use is on the server, which can pool Servlets, and also Sessions.


Could you please be more clear about this? Any example would be helpful.
You'll need it if you have to redirect a broswer to another website. Say from yahoo.com to lycos.com. You cannot even forward a request to another servlet/jsp of a different webapplication.
In your sessionDestroyed() method try retrieving any attribute from the session. I get an IllegalStateException. This the means the method is called AFTER the session is destroyed. This is what I am talking about.
Thanks, Carl. If you look at other error/exception handling approaches, the servlet container automatically adds javax.servlet.error.* attributes in the request before sending the request to the error handler.
Now, please let me go back to what I said before. My doubt/confusion is : can this be achieved using RequestDispatcher in some way other that the way we normally use it?

The approach that you have given ( setAttribute("exception", e) ) is definitely not as per the standard because in this approach the exception handler has to "know" that it'll get the exception in "exception" attribute instead of javax.servlet.error.exception. Of course, you could set it using this name, but is this what the objective refers to? There are 4-5 other attributes as well that need to be
set. Should we set them explicitly? If yes, what's the point of stating this objective explicitly in the error handling section? This is same as when we forward a request to any other jsp/servlet.
thanks for your time,
Vaishali.

Originally posted by Ramdhan Kotamaraja:

sessionDestroyed() is called before invalidating the session.


Well, you should refer to the API.



wrox says you can save the data to database or any other cleanups before the session is being invalidated in sessionDestroyed() method.


I would wish so. But wrox is wrong. You cannot do this. I have tried this on Tomcat40 as well.