Jackrabbit 中Session最佳实践

    随着内容管理系统(CMS)使用的不断增加，如何规范内容，保护数字资产是面临的一个问题。如某机构全国各分支机构均自行建立了网站和各种web应用，但网站架构各不相同，内容的存储也建立在各自的需求之上。JCR的提出就是为了规范内容的管理，而Jackrabbit是Apache基金下的一个开源项目，全面实现了JCR1.0和JCR2.0规范。

问题提出：

    Jackrabbit 使用Session对象管理对内容库的登录。在一个web application中，Session 对象的创建可以有3种可能：

1.    整个Application中创建一个Session对象，所有用户访问通过一个 Session 对象访问；
2.    每个 HttpSession 一个 Session ；
3.    每个 HttpRequest 一个 Session

三种方式中，哪一种是最佳实践呢？不同方式的使用，对应用的性能会有比较大的影响，故需要留意。

下面是搜索出的某贴，记录如下：

Subject: Re: JCR session handling - msg#00184

List: users.jackrabbit.apache.org

Hi, Over in Apache Sling, we create new sessions for each request. We used to have Session pooling (maintain a pool of open sessions per user to be reused on future requests). But this proved unstable and slower than calling Repository.login on each request (!) and we will remove the Session pool code in the near future. We do not use any HTTP Session. Also we do not share sessions between requests. The problem, you will have doing this is, that Session objects are not thread safe. So while reading from the same session concurrently will generally be rather safe (no guarantee, though), writing concurrently with the same sessions is a guaranteed failure. Hope this helps. Regards Felix On 21.01.2010 18:41, John Tranier wrote: > Hi everybody, > > I would like to have advices about how I should handle JCR sessions in > my application context. > I have read the guide on the wiki, but I'm not clear about what is > called "transient mods", if my application fall into it, and finally how > to deal with that case. > > I am using a Jackrabbit repository to handle personal storage space for > users of my web application. I've defined personalized access for each > users, so it's about personalized accounts. > > Up to now, I've handled sessions by creating a session for each http > request. But since my application makes use of AJAX to display the tree > view of the personal space of a user, a lot of requests may be launched > in sequence, causing a lot of login/logout... > > Would it be a better practice to use a http session scope instead of > request scope, with eventually a TTL after which a session would be closed? > > Thanks in advance, > John > > >

大致翻译如下： 嗨！在 Apache Sling 中（注：Sling 是Apache 的另一个项目，使用Jackrabbit持久化），我们为每个request创建一个session，我们曾经使用了Session 池(为每个用户打开的多个session维护一个池，以便后继的请求重用)。但是事实证明这样比每个请求(!)调用一次 Repository.login 更加不稳定，更慢，所以我们准备在不远的将来去掉 session池代码。我们不使用任何 HTTP Session。我们也不在不同请求中共享session。你这样做的原因是：Session对象是线程不安全的。所以当从同一session并发读取时一般是安全的(但不保证)(我汗。)，从同一session并发写是保证会失败的。希望能有所帮助。 Regards Felix (问题贴，我就不翻译了。还没吃早饭呢。)

开源