NanoContainer NanoWar

Invalid HttpSession retrieval in org.nanocontainer.nanowar.ServletRequestContainerLauncher

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Won't Fix
  • Affects Version/s: None
  • Fix Version/s: 1.1
  • Component/s: None
  • Labels:
    None
  • Number of attachments :
    1

Description

In org.nanocontainer.nanowar.ServletRequestContainerLauncher wrong HttpSession retrieval method is used. In line 39 following method is called:

HttpSession session = request.getSession(true);

but should be:

HttpSession session = request.getSession(false);

i belive. According to J2EE spec getSession(true) automatically creates session if none exists. But then lines following that code check for session being null, which is never true. I suppose that this is simple programming error. Attached patch fixes this issue.

Activity

Hide
Permalink
Michael Rimov added a comment -

Hi Tomasz,

What I did is slightly different from the suggestion.

I took a look at the code and the SessionScopeObjectReference and I realized that the SessionScopeObjectReference MUST have a non-null session to operate.

The in-code comments were a typographical error as well – the code was not designed to operate with a null session – it was designed to operate with a null session container.

I fixed that, and I took out the if (session != null) {} clause to clarify.

I thought about the concept of allowing null sessions, but I realized that it would be impossible to have a proper container hierarchy since a session could be created at any time during the request and then the container hierarchy would be out of sync. (The Request container would still point to the app container and would miss the session container alltogether).

I hope this clarifies the issue – feel free to reopen it if you feel I ddin't properly address your issue.

-Mike (R)

Show
Michael Rimov added a comment - Hi Tomasz, What I did is slightly different from the suggestion. I took a look at the code and the SessionScopeObjectReference and I realized that the SessionScopeObjectReference MUST have a non-null session to operate. The in-code comments were a typographical error as well – the code was not designed to operate with a null session – it was designed to operate with a null session container. I fixed that, and I took out the if (session != null) {} clause to clarify. I thought about the concept of allowing null sessions, but I realized that it would be impossible to have a proper container hierarchy since a session could be created at any time during the request and then the container hierarchy would be out of sync. (The Request container would still point to the app container and would miss the session container alltogether). I hope this clarifies the issue – feel free to reopen it if you feel I ddin't properly address your issue. -Mike (R)

People

  • Assignee:
    Michael Rimov
    Reporter:
    Tomasz Skutnik
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: