struts-user mailing list archives

From Prasanth Pasala <ppas...@pangburngroup.com>
Subject Re: Struts2 login action class seems to be reused
Date Tue, 15 May 2018 14:27:52 GMT
Hi Martin,

Thanks for the response. We are using Wildfly 11.0.0 Final. I will try to get the HTTP header dump.

Thanks,
Prasanth


On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with Wildfly's
> implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with a more
> MG>updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
> MG>personally I wouldn't muck with TC; I would suggest upgrading wildfly and getting
> MG>jboss-web container
>
> hth
> martin
> ________________________________
> From: Norbert Hirneisen <nobbi@s2you.de>
> Sent: Friday, March 2, 2018 6:55 PM
> To: user@struts.apache.org
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe? I had some similar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problem looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
>
> On 02.03.2018 at 22:07, Prasanth Pasala wrote:
>> I was able to replicate the issue today. Asked a few users to keep logging in and ran
>> jmeter to access login page, without putting any username or password. Out of the 100
>> attempts 2 attempts were successful in getting in without username/password. I am seeing
>> database login entries for these two. Which would happen only if a valid session is not
>> present and user has provided username/password.
>>
>> Thanks,
>> Prasanth
>>
>> On 03/01/2018 02:27 PM, Prasanth wrote:
>>> Hi,
>>>
>>> I have an application which uses both struts1 & struts2. The login action was recently
>>> moved to struts2. Immediately after the deployment we were notified that one user is
>>> seeing a different user's information, so we had to move to older war files. I am not
>>> able to replicate it. But after investigating the logs it seems like a couple of users
>>> were logged in as soon as they requested the login page.
>>> For the database entry to happen it has to verify the username and password in the
>>> action class, but the fact that there is no POST entry at that time from that IP in my
>>> access log makes me believe that the action class somehow already had that information
>>> from a prior user.
>>>
>>> I do have a login filter to check if users are logged in when accessing other pages.
>>> In this filter I have the below two lines, we had to do this as we will have requests
>>> forwarded from one application to another and when that happens we are getting a class
>>> cast exception for ActionMapping class and valueStack. Not sure if the behavior is a
>>> side effect of having the below lines.
>>>
>>>              request.setAttribute("struts.actionMapping", new ActionMapping());
>>>              request.setAttribute("struts.valueStack", null);
>>>
>>> We are using Struts 2.3.34 and Wildfly.
>>>
>>> Appreciate any insights you might have.
>>>
>>> Thanks,
>>> Prasanth
>>>
>>>
>
>
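
Added example, not part of the thread and not any poster's code: a plain-Java model (no Struts dependency) of the failure mode the thread suspects, where one login action instance is reused across requests and its fields carry a previous user's credentials into a request that sent none. `LoginAction`, `handle` and the sample account are hypothetical and constructed for illustration.

```java
import java.util.Map;

public class ReusedActionDemo {
    /** Hypothetical login action: credentials arrive through setters, as form parameters would. */
    static class LoginAction {
        private String username;   // per-request data held in instance fields
        private String password;
        void setUsername(String u) { username = u; }
        void setPassword(String p) { password = p; }

        /** Returns the user that gets logged in, or null when the login form should be shown. */
        String execute(Map<String, String> users) {
            if (username != null && password != null && password.equals(users.get(username))) {
                return username;
            }
            return null;
        }
    }

    /** Mimics parameter binding: a setter is called only for parameters present in the request. */
    static String handle(LoginAction action, Map<String, String> params, Map<String, String> users) {
        if (params.containsKey("username")) action.setUsername(params.get("username"));
        if (params.containsKey("password")) action.setPassword(params.get("password"));
        return action.execute(users);
    }

    public static void main(String[] args) {
        // Constructed sample data: one account, one credentialed POST, one empty GET.
        Map<String, String> users = Map.of("alice", "constructed-pw");
        Map<String, String> post = Map.of("username", "alice", "password", "constructed-pw");
        Map<String, String> emptyGet = Map.of();

        // Reused instance: the empty GET inherits the fields set by the earlier POST.
        LoginAction shared = new LoginAction();
        handle(shared, post, users);
        System.out.println("reused instance, empty GET -> " + handle(shared, emptyGet, users));

        // One instance per request: nothing carries over, so the empty GET is not logged in.
        handle(new LoginAction(), post, users);
        System.out.println("new instance, empty GET    -> " + handle(new LoginAction(), emptyGet, users));
    }
}
```

Requires Java 9 or later for `Map.of`. The same check applies to any container- or framework-managed object that holds request data in fields: confirm it is instantiated per request rather than shared.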

