Wolfram,
On 06/ 6/09 11:35 AM, Wolfram Rittmeyer wrote:
> Jan Luehe wrote:
>> On 04/30/09 01:16 PM, Jan Luehe wrote:
>>> On 04/30/09 09:32 AM, glassfish_at_javadesktop.org wrote:
>>>> Hello all,
>>>>
>>>> I need to make my web application completely stateless, and thus
>>>> would like to turn off http session generation by the app server
>>>> (ie, no memory consumed, no jsessionid generation, etc). These are
>>>> business requirements (not my fault!). In any event, the only
>>>> thing I've done is set the JSP tags to not participate in sessions
>>>> - but I don't see anything in the sun-web.xml that indicates if
>>>> GlassFish can be told to NOT create a session. Is this possible,
>>>> and if so, where is that configured (short of me writing a servlet
>>>> filter that programmatically calls session.invalidate() ) ?
>>>>
>>>
>>> There is no such config option available, as it would be in
>>> violation of the Servlet spec,
>>> which requires that a call to HttpServletRequest#getSession create a
>>> session if one does
>>> not already exist.
>>
>> I was able to think of a simple and portable solution when this issue
>> was brought up again
>> during a meeting earlier this morning: How about declaring an
>> HttpSessionListener in your app,
>> and implementing its sessionCreated callback such that it throws an
>> IllegalStateException?
>>
>> Jan
>
> Jan,
>
> I might be daft, but I still do not see the issue here. If there is a
> requirement not to use any session - why then would one call
> getSession() or getSession(true) in the first place? And as long as
> these methods are not called - no session gets created anyway.
The issue was brought up at the JSR 315 meeting during JavaOne last
week. Being able to suppress session creation at the application level
may be
useful if your application bundles 3rd party code, in which case it may
be impossible
or too tedious to inspect that code for any calls to
HttpServletRequest#getSession(true).
>
> Also, the listener's sessionCreated gets notified when the session
> already has been created - thus too late for the requirement not to
> create a session.
Right, but HttpSessionListener#sessionCreated is called as part of
HttpServletRequest#getSession(true), which means that if one of the
invoked listeners throws an exception, then no session will be returned
to the caller. This approach is really only intended to catch and flag any
"accidental" session creation.
Jan
>
> What do I miss here?
>
>
> --
> Wolfram Rittmeyer
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: webtier-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: webtier-help_at_glassfish.dev.java.net
>