MATLAB: Do the webfigures not work correctly on Tomcat when the application uses authentication

I have written a Web Application on Tomcat which uses Webfigures. The application used to run fine but after adding a login/authentication by adding the following to my web.xml:

<security-constraint>
      <web-resource-collection>
          <web-resource-name>securedapp</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
          <role-name>admin</role-name>
      </auth-constraint>
</security-constraint>    
<login-config>
      <auth-method>BASIC</auth-method>
</login-config>

The Webfigures do not work correctly anymore. The first time when an user instantiates a new session; I receive errors like:

 INFO: WebFigures: com.mathworks.toolbox.javabuilder.services.ServiceException: com.mathworks.toolbox.javabuilder.services.ServiceException: com.mathworks.toolbox.javabuilder.statemanager.ObjectNotFoundException: The resource named 'myFigure' at scope 'session' could not be found
 at com.mathworks.toolbox.javabuilder.webfigures.WebFiguresServlet.doGet(WebFiguresServlet.java:161)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:393)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
 (...)

If the user then refreshes the page, the figures appear to work fine again.

Best Answer

This is the result of "Session Fixation Protection" in Tomcat (<http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection>). The session ID is automatically changed when an user logs in which can lead to a different session being used by the webfigures service than the session to which you assigned your webfigure.

To work around this either:

1. Disable Session Fixation Protection by adding a Valve to your application's context.xml and setting changeSessionIdOnAuthentication to false:

<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" 
         changeSessionIdOnAuthentication="false"/>

2. Or you could use a redirect page (so automatically perform a "refresh" for the end-user). For example write an index.jsp which basically only has:

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%
response.sendRedirect("page2.jsp");
%>

And then on page2.jsp use the webfigures.

Best Answer

Related Solutions

MATLAB: Do I receive an error when I am attempting to use the WebFigures example using Builder JA 2.0.3 (R2009a)

MATLAB: R2018a GLException error on linux

Related Question