7 Replies Latest reply on Dec 13, 2011 8:02 AM by tsweeney56

Removing JSession id from url and links

tsweeney56 Dec 7, 2011 10:11 PM

I am trying to remove the jsession id from the url and links in much the same fashion as in seam 2, here is the example servlet from seam 2

@Startup
@Scope(ScopeType.APPLICATION)
@Name("sessionIdFilter")
@BypassInterceptors
@Filter(around ="org.jboss.seam.web.ajax4jsfFilter")
public class SessionIdFilter extends AbstractFilter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Redirect requests with JSESSIONID in URL to clean version (old links 
        // bookmarked/stored by bots). This is ONLY triggered if the request did 
        // not also contain a JSESSIONID cookie! Which should be fine for bots...
        if (request.isRequestedSessionIdFromURL()) {
            String url = request.getRequestURL()
                         .append(request.getQueryString() != null ? "?"+request.getQueryString() : "")
                         .toString();
            // TODO: The url is clean, at least in Tomcat, which strips out 
            // the JSESSIONID path parameter automatically (Jetty does not?!)
            response.setHeader("Location", url);
            response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
            return;
        }

        // Prevent rendering of JSESSIONID in URLs for all outgoing links
        HttpServletResponseWrapper wrappedResponse =
            new HttpServletResponseWrapper(response) {
                @Override
                public String encodeRedirectUrl(String url) {
                    return url;
                }

                @Override
                public String encodeRedirectURL(String url) {
                    return url;
                }

                @Override
                public String encodeUrl(String url) {
                    return url;
                }

                @Override
                public String encodeURL(String url) {
                    return url;
                }
            };
        chain.doFilter(req, wrappedResponse);

    }
}

In seam 3 i have converted this filter to observe the HttpServletRequestContext for @PATH("") and @Initialized

The first half of the above servlet is an easy conversion as I can grab the request and redirect if needed. The second and most useful half is where I am stumped. I cant find any way to override the response object to no op the 4 encodeurl methods.

Has anyone found a solution to this yet? any suggestions?

1. Re: Removing JSession id from url and links

lightguard Dec 8, 2011 1:59 AM (in response to tsweeney56)

Have you tried using PrettyFaces and setting up URL rewriting for your app?
Actions
2. Re: Removing JSession id from url and links

ssachtleben.ssachtleben.gmail.com Dec 8, 2011 9:03 AM (in response to tsweeney56)

I have switched tracking-mode to COOKIE in web.xml. It works nearly perfect (no sessionid's in google). Anyways I run into a strange problem. If I call my page, wait for session timeout and click somewhere I retrieve a url with sessionid which resolves in a 404 error. Not sure if its a chrome or jboss 7 problem right now.
Actions
3. Re: Removing JSession id from url and links

tsweeney56 Dec 8, 2011 8:01 PM (in response to tsweeney56)

We do use pretty faces, however what is your suggestion? can you block a parameter from it?

the problem we have is if the page is loaded with a jsessionid in the url the links on the page also have that parameter. Those links are then cached by akamai.
Actions
4. Re: Removing JSession id from url and links

lincolnthree Dec 9, 2011 3:45 PM (in response to tsweeney56)

Here is how you do this in PrettyFaces:

http://ocpsoft.com/support/topic/url-rewrite-removing-the-jsessionid-from-the-url#post-410
Actions
5. Re: Removing JSession id from url and links

tsweeney56 Dec 12, 2011 1:45 PM (in response to tsweeney56)

the inbound url looks like its fixed, we did that the above filter, and i tried the pretty-faces rewrite which also worked. However the far more important issue remains where the links built by richfaces on the page still contain the jsessionid. The thread you posted is about a year old, has anyone looked at the outbound urls yet in pretty faces?
Actions
6. Re: Removing JSession id from url and links

tsweeney56 Dec 12, 2011 3:48 PM (in response to tsweeney56)

So my issue is probably a bit deeper than just the jsessionid fix. In the seam 2 version of filtering we had control over the response object as seen above, which allowed us to replace the response object with overridden encodeURL methods. I would love to know if there is someway we can get access to these objects again to replace them with our overridden versions.
Actions
7. Re: Removing JSession id from url and links

tsweeney56 Dec 13, 2011 8:02 AM (in response to tsweeney56)

Quick update for anyone with the same problem, after reading through the seam servlet code i did find how to get a servlet filter installed in jboss 7 using the web-fragment.xml. All the old code will work using the same filters.

I would be nice if the CDI impl provided a method to replace the response object itself to override methods, however this will work
Actions

Go to original post