I doubt we will be able to get to the actual Catalina session from the facade.

Remy Maucherat: the facade strictly implements the javax API, and thus does not add any custom call to internal structures; the principal can be accessed through other objects (the request, I think)

Remy Maucherat: so can you use the request instead?

anil_msn: for a regular session invalidation, we are in the path of a request. When the session expires, the session listener basically gets a Tomcat session facade (that implements HttpSession). The Tomcat session does retain the principal in its session. But when the container expires sessions after an hour or so, there is no request.

anil_msn: we are using the request approach for active sessions getting invalidated

anil_msn: only the case of the container expiring sessions

anil_msn: I think any approach we take will be like a hack

anil_msn: better ignore the use case (some customer asked for it)

Remy Maucherat: hum, right, that's interesting stuff, but it's not going to work

anil_msn: I was thinking about placing the principal after authentication into the HTTP session.

anil_msn: anyway we are not doing the hack

Remy Maucherat: no, you can put an object in the session as an attribute

anil_msn: I cannot justify placing the principal in the session attribute map just to solve one rare use case.

anil_msn: we recommend session invalidation anyway as a best practice.

Remy Maucherat: of course, but most likely they can use a filter or listener to do it

anil_msn: That is a good suggestion. We can provide an on-demand valve to place the principal on the session (only if the customer wants it) and then update our session listener to also look for this principal.

anil_msn: if the customer is so bent on this use case, he can configure this valve that we will provide

Remy Maucherat: it would be better to use a filter: his application will always need the attribute to run

We can solve it this way (based on a suggestion from Remy):

a) We will provide a servlet filter in "org.tomcat.security" called Principal Session Attribute Filter. This filter has one objective: place the principal from the request's user principal in the session attribute (if not already present) under a key like JBOSS_PRINCIPAL. This filter should be configured by the user on an on-demand basis. (If the customer wants this to be applied to all web apps, he can configure this in of the JBoss Tomcat service.)
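What the filter described in the design note could look like, together with the session listener that reads the attribute back on expiry, as an added example that is not code from the JBoss or Tomcat projects or from either participant. The package org.tomcat.security and the key JBOSS_PRINCIPAL are taken from the page; the class names PrincipalSessionAttributeFilter and ExpiryListener, the choice not to create a session just to hold the principal, and the log line in sessionDestroyed are my assumptions.

```java
package org.tomcat.security; // package name from the page; class names below are assumed

import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Copies the authenticated principal into the HTTP session under JBOSS_PRINCIPAL,
 * so that code running without a request (a session listener fired on
 * container-driven expiry) can still tell whose session it was.
 */
public class PrincipalSessionAttributeFilter implements Filter {

    /** Session attribute key named on the page. */
    public static final String PRINCIPAL_KEY = "JBOSS_PRINCIPAL";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // getUserPrincipal() is null for unauthenticated requests; store nothing then.
            Principal principal = httpReq.getUserPrincipal();
            if (principal != null) {
                // Assumption: do not create a session merely to hold the principal;
                // only annotate a session the application has already established.
                HttpSession session = httpReq.getSession(false);
                if (session != null && session.getAttribute(PRINCIPAL_KEY) == null) {
                    session.setAttribute(PRINCIPAL_KEY, principal);
                }
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Session listener that reads the attribute back. sessionDestroyed() runs both for
     * explicit invalidation and for container expiry, where no request is available.
     * Registered in web.xml as org.tomcat.security.PrincipalSessionAttributeFilter$ExpiryListener.
     */
    public static class ExpiryListener implements HttpSessionListener {

        public void sessionCreated(HttpSessionEvent se) { }

        public void sessionDestroyed(HttpSessionEvent se) {
            HttpSession session = se.getSession();
            String name = principalName(session);
            // Log the user, not the session id: the id is a bearer credential and
            // does not belong in application logs.
            session.getServletContext().log("session destroyed for principal " + name);
        }
    }

    /** Returns the stored principal's name, or "unknown" if absent or no longer accessible. */
    static String principalName(HttpSession session) {
        try {
            Object value = session.getAttribute(PRINCIPAL_KEY);
            return (value instanceof Principal) ? ((Principal) value).getName() : "unknown";
        } catch (IllegalStateException alreadyInvalid) {
            // Servlet 2.3 containers fire sessionDestroyed after invalidation; attributes are gone.
            return "unknown";
        }
    }
}
```

The filter is registered per application in web.xml with a filter and filter-mapping for the protected URL patterns, and the listener with a listener entry; container-managed authentication runs before the filter chain, so getUserPrincipal() is already populated when doFilter runs. If the application uses replicated sessions, store a Serializable representation such as principal.getName() rather than the Principal object itself, since the container's Principal implementation need not be serializable.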