Wednesday, July 29, 2015

Understand WebCenter/ADF Session Invalidation and Removal

There are a couple of ways to invalidate the session in a WebCenter Portal (or ADF) application, and they are not the same. All of them invalidate the user session, which is the intent. The main difference is whether the session is also removed after it is invalidated. In this post I will walk through this.

In a WebCenter Portal framework application, the built-in page template already provides a logout function. Let's take a look at it.

Create a WebCenter Portal application and open the page template as shown below.



In this JSPX file, you will find a logout command link with its action set to "#{o_w_s_l_LoginBackingBean.doLogout}". The source code of this bean is not available unless you trace it back to the shipped libraries that were installed with JDeveloper.


Let's take a look at the effect of the logout function. Run the portal application.

Open the local WebLogic console, navigate to Deployments, find your application, go to its Configuration tab, and select the Monitoring tab to look at the session statistics.

Before going forward, let's look at the definitions of the 3 columns we are interested in:

  • Sessions: The current number of open sessions associated with this web application.
  • Sessions High: The highest number of concurrent open sessions associated with this web application that has been reached since the WebLogic instance was started.
  • Total Sessions: The total number of sessions ever associated with this web application.

We can see there is 1 current open session. At this time the user is not logged in yet, so it is an anonymous session. Please note this is true for any type of page (JSP, JSPX or HTML) as long as it is part of the web application (war or ear). If you need to avoid this anonymous session, and assuming your application entry page is not dynamic, you can consider building the login page in HTML and serving it from the web server. In that case, no session is attached when the page is visited.

Let's login.

Check the session statistics again: the current open session count is still 1, but Sessions High and Total Sessions are both 2. The anonymous session was removed and a new authenticated user session was created. That makes sense.

Let's log out and check the session statistics again. Now the open session count is 2, Sessions High is 2 and Total Sessions is 4. What does this mean?
Let's review the numbers. Total Sessions increased from 2 to 4, which means 2 new sessions were created. But the open session count increased from 1 to 2, so there are 2 current open sessions, only 1 more than the previous state. One thing to note is that after the logout, the browser lands on the entry page again, just like the page shown before the login.

The explanation for the above behavior is that the previous authenticated session was removed, but as soon as it was removed an anonymous session was created in its place. It's as if the authenticated session was converted into an anonymous session. Since the browser was then redirected to the login page, that is just like the initial rendering of the login page, so a second anonymous session was created. Hence 2 open sessions: one not associated with the current UI (the login page) and one that is. When will the first anonymous session be removed? It will be removed once the session timeout (set in web.xml) is reached. The second anonymous session will be removed after the server detects that the user has been idle for the session timeout.

Well, you may say that's not desired. Correct, it's not. Let's look at how we can avoid the redundant anonymous sessions.

We have seen that the second anonymous session is created because the landing page is part of the web application. Let's do a test and force the redirect to go to a page outside the web application. To do such a redirect we need some custom code. I am going to reuse the WebCenter Portal built-in logout function by evaluating its expression inside my own managed bean.

Here is the custom managed bean associated with the command link:


Here is the logic for the custom managed bean:


Basically, I used a utility method to resolve the expression and invoke the built-in logout, then issued a redirect to the server host. Here is the page that is landed on after the logout.


Let's look at the session statistics again. Since the statistics are the same up to the logout, here are just the statistics after issuing a logout.

Now we can see there is only 1 open session, with Total Sessions at 3. This open session is the anonymous session converted from the authenticated user's session.

Next, let's look at how to avoid the conversion to an anonymous session altogether and instead remove the session for good.

After some trials, none of the plain Java EE methods worked as expected. This includes HttpSession.invalidate(), HttpSession.setMaxInactiveInterval(), and a few others. Make no mistake: the session does get invalidated and there is no security concern, but the complaint is the redundant anonymous session (not associated with any front end) that is left hanging around.

The only way that worked is to use the ADF authentication servlet. Here is the code snippet to use:


In the code, I used "/adfAuthentication?logout=true&end_url=../" to call the ADF authentication servlet, which invalidates the user (and removes the session) and then redirects to the location given by the "end_url" parameter, here the host root. The ADF authentication servlet is defined in web.xml by default:

Now let's use the new doLogout() method, which logs out through the ADF authentication servlet, and review the session statistics after logout:

Great. There are 0 open sessions and no redundant session hanging around.
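Both logout variants discussed above, written out as one JSF managed bean. This is an added example for illustration, not the code from the post or from WebCenter itself; the bean name, the use of String as the EL method's return type, and the scheme/host/port redirect target are assumptions.

```java
import java.io.IOException;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.MethodExpression;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

// Hypothetical managed bean wired to the page template's logout command link.
public class CustomLogoutBean {

    // Variant 1: invoke the built-in WebCenter logout through its EL expression,
    // then redirect to the server host (outside the web application) so that
    // no second anonymous session is created by a landing page inside the app.
    // The authenticated session is still converted to one anonymous session.
    public String doLogoutViaBuiltIn() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ELContext elc = fc.getELContext();
        ExpressionFactory ef = fc.getApplication().getExpressionFactory();
        // Assumed: the built-in action method returns a String outcome, like any JSF action.
        MethodExpression logout = ef.createMethodExpression(
                elc, "#{o_w_s_l_LoginBackingBean.doLogout}", String.class, new Class[0]);
        logout.invoke(elc, null);

        ExternalContext ec = fc.getExternalContext();
        HttpServletRequest req = (HttpServletRequest) ec.getRequest();
        // Assumed target: the host root, which is served outside the WAR/EAR.
        String hostRoot = req.getScheme() + "://" + req.getServerName()
                + ":" + req.getServerPort() + "/";
        ec.redirect(hostRoot); // redirect() also marks the JSF response complete
        return null;
    }

    // Variant 2: hand the logout to the ADF authentication servlet. With logout=true
    // it invalidates and removes the session, then redirects to end_url (../ = host root),
    // which is what leaves 0 open sessions in the WebLogic console.
    public String doLogout() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        // getRequestContextPath() keeps the URL correct whatever the app's context root is.
        ec.redirect(ec.getRequestContextPath()
                + "/adfAuthentication?logout=true&end_url=../");
        return null;
    }
}
```

Point the command link's action at the variant you want (for example "#{customLogoutBean.doLogout}" after registering the bean) and compare the Sessions and Total Sessions columns after each logout as described above.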

Summary:

1. To avoid an anonymous session before login or after logout, redirect to a page outside the web application.
2. To avoid an anonymous session being left hanging around after conversion from the authenticated session, use the ADF authentication servlet to log out.
