7 Replies Latest reply on Jun 20, 2014 7:52 PM by rade.todorovich

    ADF 12c: Proper Session handling

    rade.todorovich

      JDeveloper 12.1.2

       

      I have an ADF Fusion web application with ADF security. There are 4 scenarios for which I am interested in a best-practice solution:

      1. User-initiated logout, and the session is invalidated. A protected ADF page (protected by ADF security) has a logout link. I have implemented this and it works fine. The user is redirected back to the login page.

       

      2. The user stays idle for a time that exceeds the session timeout set in web.xml. There is a small popup; when the user clicks it, I would like to redirect back to the login page. No need to have a custom page that says "Session expired", since that popup already says so. The question is how to do this? I read a note, Doc ID 741576.1 (also found on this forum), that describes how to set up a custom filter that redirects to a custom page. This does not work in the 12c version with ADF security.

       

      3. User closes the browser in the middle of the session. What is the best way to do this? Please provide detailed examples if known or links to actual solutions

       

      4. User closes the browser after automatic session expiration popup is shown. Not sure if this is the same as 2? Is the session really invalidated?

        • 2. Re: ADF 12c: Proper Session handling
          rade.todorovich

          Shyam,

          Thank you for the reply. Yes I have seen your blog. The first part which is creating a filter is really the same as Doc ID 741576.1

           

          So yes, I tried that and it did not work. As I said in the OP, I am using ADF security. So I set the session timeout to 3 minutes for testing purposes. I run the application and log in. Then I wait for 5 minutes or more and then click on any link. It does log out, but it returns me to the login page (with an error displayed in the log file, see below) even though I have this:

            <filter>
              <filter-name>ApplicationSessionExpiryFilter</filter-name>
              <filter-class>access.view.ApplicationSessionExpiryFilter</filter-class>
              <init-param>
                <param-name>SessionTimeoutRedirect</param-name>
                <param-value>SessionHasExpired.jspx</param-value>
              </init-param>
            </filter>

           

          Furthermore, I checked the code in the filter

           

                  if (!sessionOk && requestedSession != null) {
                      // the session has expired or renewed. Redirect request
                      System.out.println("Redirecting to SessionHasExpired page"); //!!!! THIS NEVER EXECUTES
                      ((HttpServletResponse) response).sendRedirect(_filterConfig.getInitParameter("SessionTimeoutRedirect"));
                  } else {
                      chain.doFilter(request, response);
                  }

           

          Basically the above code never executes. The error I get in log file is

           

          <Jun 20, 2014 12:50:12 PM CDT> <Error> <oracle.adfinternal.view.faces.webapp.rich.RichWindowManager> <BEA-000000> <No registered window for:w0>
          <Jun 20, 2014 12:50:12 PM CDT> <Error> <oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter> <BEA-000000> <ADF_FACES-60096:Server Exception during PPR, #1
          java.lang.NullPointerException
            at oracle.adfinternal.view.faces.util.rich.PartialResponseUtils$ExtendedPartialResponseWriter.redirect(PartialResponseUtils.java:263)
            at oracle.adfinternal.view.faces.util.rich.PartialResponseUtils.writeRedirect(PartialResponseUtils.java:195)
            at oracle.adfinternal.view.faces.config.rich.XmlHttpServletResponse.sendRedirect(XmlHttpServletResponse.java:57)
            at oracle.adf.share.http.ServletEnvironment.redirect(ServletEnvironment.java:171)
            at oracle.adf.share.security.authentication.JEEAuthenticationService.login(JEEAuthenticationService.java:73)
            at oracle.adf.share.security.providers.jps.JpsAuthenticationService.login(JpsAuthenticationService.java:59)
            at oracle.adf.model.BindingRequestHandler.beginRequest(BindingRequestHandler.java:312)
            at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:190)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
            at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:478)
            at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:478)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:303)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:208)
            at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
            at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:137)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
            at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
            at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:120)
            at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:217)
            at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:81)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
            at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:225)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
            at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3367)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3333)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
            at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
            at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2220)
            at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2146)
            at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2124)
            at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1564)
            at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:295)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:254)
          >

          • 3. Re: ADF 12c: Proper Session handling
            Timo Hahn

            Have you checked that your filter is executed before the adfSecurity filter? If not, that is the reason your code never executes. The adf filter redirects as described in https://blogs.oracle.com/jdevotnharvest/entry/how-to_logout_from_adf_security

             

            Timo

            1 person found this helpful
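The expiry check discussed in this thread, written out as a complete servlet filter (an added example, not code from the posts above or from Doc ID 741576.1). The class name `SessionExpiryRedirectFilter` is hypothetical, and the example assumes the `SessionTimeoutRedirect` init-param holds a context-relative path.

```java
// Added example: hypothetical filter class, not the poster's or Oracle's code.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SessionExpiryRedirectFilter implements Filter {
    private String expiredPage; // assumption: context-relative path from the init-param

    @Override
    public void init(FilterConfig config) throws ServletException {
        expiredPage = config.getInitParameter("SessionTimeoutRedirect");
        if (expiredPage == null || expiredPage.isEmpty()) {
            throw new ServletException("SessionTimeoutRedirect init-param is required");
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // The browser presented a session id the container no longer accepts:
        // the session timed out or was invalidated.
        boolean expired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();
        // Skip the expiry page itself so a stale cookie cannot cause a redirect loop.
        boolean onExpiredPage = req.getRequestURI().endsWith("/" + expiredPage);

        if (expired && !onExpiredPage) {
            // Fixed, server-configured target; nothing from the request is reflected.
            res.sendRedirect(req.getContextPath() + "/" + expiredPage);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

The redirect branch can only run if the container calls this filter ahead of `ADFBindingFilter`, which per the Servlet specification depends on the `<filter-mapping>` entries in web.xml (URL-pattern mappings first, in declaration order, then servlet-name mappings). The stack trace posted above contains no frame from `access.view.ApplicationSessionExpiryFilter`, so for that request the filter was not in the chain ahead of `ADFBindingFilter`.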
            • 4. Re: ADF 12c: Proper Session handling
              dvohra21

              Does a Caused By also get listed in the error?

              • 5. Re: ADF 12c: Proper Session handling
                rade.todorovich

                Timo,

                 

                I am unsure how to check that. What I can tell you is that in 12.1.2, in web.xml under filters I originally had only

                - JpsFilter
                - trinidad
                - adfBindings

                So there is no entry for what you refer to as the 'adfSecurity' filter. However, there is an entry under 'Servlets': adfAuthentication, which is an oracle.adf.share.security.authentication.AuthenticationServlet class

                 

                Now:

                1. User triggered logout works just as shown in your link (Frank's blog). When I click logout it takes me back to login page that is unprotected by ADF security. If I want to login again then it simply repeats and user is authenticated and welcome page is displayed. The only difference is that I do not have:

                fctx.responseComplete();

                I do not remember why at the moment but it seems I removed that part of the code


                2. User is idle for a time that exceeds the session expiration set in web.xml. Then the page expires and a small popup shows with an 'OK' button. After I click it, it takes me back to the login page. However, this time when I am authenticated, I am not redirected to the 'welcome' page but rather to the page where the session previously expired, which is not what I want either. But this case, even though it is not handled perfectly, still somewhat works


                3. If user just closes the browser, I would like to somehow make sure session dies or at least make sure that new user or next session is safe and independent from the session that might have been active. The reason is that I save certain parameters in the session that I need for various application handling.



                • 6. Re: ADF 12c: Proper Session handling
                  rade.todorovich

                  No, I copied the entire error

                  • 7. Re: ADF 12c: Proper Session handling
                    rade.todorovich

                    Timo

                     

                    One other thing: When session expires and I click 'OK' on the little dialog, this line shows-up in the log:

                     

                    <Jun 20, 2014 2:51:18 PM CDT> <Error> <oracle.adfinternal.view.faces.webapp.rich.RichWindowManager> <BEA-000000> <No registered window for:w0>

                     

                    Then I log in again and, instead of the welcome page, it takes me to the page where it expired last time