struts2 creating session objects, why and when?

Question

I want to create session only when a user is authenticated successfully in my web application. But for some reason struts2 creating session objects even though we just accessing login page.

I went thorough some documentation of struts2 and found using struts.custom.i18n.resources might create sessions. So I removed it from my struts.xml file. But even though session is getting created in my web application.

Any help/thoughts on this is really appreciated.

Updated Question

I had the following lines in my web.xml to work with Cayenne data context.

<filter>
    <filter-name>CayenneFilter</filter-name>
    <filter-class>org.apache.cayenne.conf.WebApplicationContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CayenneFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Is this causing session creation in my web applications?

-Narendra

Answer 1

Here is an answer from the Cayenne perspective. By default WebApplicationContextFilter lazily creates a session-bound ObjectContext for each request that the filter matches. This creates an HttpSession of course.

So one solution would be to reduce the filter mapping from "/*" to a more specific URL that corresponds to authenticated pages. Then Cayenne filter will not be called for anonymous users.

If this can't be done, create your own version of WebApplicationContextFilter (after all WebApplicationContextFilter is just an example of how Cayenne can be bootstrapped in the app, so check its source, and create something similar for yourself). Your own filter can implement some logic that skips ObjectContext (and session) creation for anonymous.

Answer 2

JSP pages create session automatically unless you specifically include a directive telling them not to.

IMO trying to prevent session creation is a waste of time. Instead, put something in the session on a valid login, and invalidate the session on logout. Anything else is too much work.