struts-user mailing list archives
From Jaikiran Pai <jai.forums2...@gmail.com>
Subject Re: Struts2 login action class seems to be reused
Date Wed, 16 May 2018 01:45:25 GMT
I don't have enough context of this discussion, but looking briefly at 
this, it looks like you are using Apache HTTP client (probably with 
pooled connections) and it seems like a connection reuse for a 
subsequent login request is sending a Cookie with the request (when it 
shouldn't?).


If that's the case, then it looks like the Apache HTTP client's auto 
Cookie management is coming into the picture where it "auto attaches" the 
Cookie, obtained from a previous response on that connection, to the new 
request on that reused connection. Apache HTTP client allows you to 
configure this behaviour by setting a cookie policy management. I guess 
you probably want to use the "ignoreCookies" policy in your case, since 
you want to manage setting the Cookie on the requests yourself. The 
Apache HTTP client documentation[1] has more information. Something like:


         final HttpClientBuilder httpClientBuilder = ....
         final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom();
         ...
         requestConfigBuilder.setCookieSpec(org.apache.http.client.config.CookieSpecs.IGNORE_COOKIES);
         ...
         httpClientBuilder.setDefaultRequestConfig(requestConfigBuilder.build());


[1] For 3.x version (I couldn't find one for 4.x which you seem to be 
using) https://hc.apache.org/httpclient-3.x/cookies.html

[2] 
https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html


-Jaikiran
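As an added example (not code from this thread, from the poster's application or from HttpClient itself), the snippet above carried through against HttpClient 4.5.x: the default cookie policy, the IGNORE_COOKIES policy Jaikiran suggests, and a third option the thread does not mention (one CookieStore per virtual user). One caveat worth knowing when reading the symptom in the JMeter dump: in HttpClient 4.x the cookies are held in a CookieStore that belongs to the client (or to the HttpClientContext passed to execute()), not to the individual pooled TCP connection, so a JSESSIONID from an earlier response is replayed on later requests through that client whichever connection the pool hands out. The /participant/ path is taken from the dump above; the local stand-in server, its port and the sess1/sess2/... values are constructed so the program runs offline.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;

import com.sun.net.httpserver.HttpServer;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class CookiePolicyDemo {

    // Constructed stand-in for the login page (not the poster's WildFly application): every
    // hit issues a fresh JSESSIONID, and the body reports which Cookie header the request carried.
    static HttpServer startFakeLoginServer() throws IOException {
        AtomicInteger counter = new AtomicInteger();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/participant/", ex -> {
            String received = ex.getRequestHeaders().getFirst("Cookie");
            byte[] body = ("received cookie: " + (received == null ? "[none]" : received))
                    .getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().add("Set-Cookie",
                    "JSESSIONID=sess" + counter.incrementAndGet() + "; Path=/; HttpOnly");
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream os = ex.getResponseBody()) {
                os.write(body);
            }
        });
        server.start();
        return server;
    }

    // One GET of the login page through the given client/context; returns the server's report.
    static String hitLoginPage(CloseableHttpClient client, HttpClientContext ctx, String base)
            throws IOException {
        HttpGet get = new HttpGet(base + "/participant/");
        try (CloseableHttpResponse resp = client.execute(get, ctx)) {
            return EntityUtils.toString(resp.getEntity(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = startFakeLoginServer();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        try {
            // 1. Default cookie policy. HttpClients.custom() already pools connections; the
            //    client-wide CookieStore is what carries sess1 into the second "user's" request.
            try (CloseableHttpClient client = HttpClients.custom().build()) {
                System.out.println("default,  user A: " + hitLoginPage(client, HttpClientContext.create(), base));
                System.out.println("default,  user B: " + hitLoginPage(client, HttpClientContext.create(), base));
                // -> user B reports "received cookie: JSESSIONID=sess1" although it never set one
            }

            // 2. Jaikiran's suggestion: IGNORE_COOKIES. Nothing is stored or auto-attached; a
            //    Cookie header reaches the server only when the caller sets it explicitly.
            RequestConfig ignore = RequestConfig.custom()
                    .setCookieSpec(CookieSpecs.IGNORE_COOKIES).build();
            try (CloseableHttpClient client = HttpClients.custom()
                    .setDefaultRequestConfig(ignore).build()) {
                System.out.println("ignore,   user A: " + hitLoginPage(client, HttpClientContext.create(), base));
                System.out.println("ignore,   user B: " + hitLoginPage(client, HttpClientContext.create(), base));
                // -> both report "[none]"
                HttpGet manual = new HttpGet(base + "/participant/");
                manual.setHeader("Cookie", "JSESSIONID=chosen-by-caller");   // attached on purpose
                try (CloseableHttpResponse resp = client.execute(manual)) {
                    System.out.println("ignore,   manual: "
                            + EntityUtils.toString(resp.getEntity(), StandardCharsets.UTF_8));
                }
            }

            // 3. Alternative: keep automatic cookie handling but give every virtual user its own
            //    CookieStore through the HttpClientContext, so no store is shared across users.
            try (CloseableHttpClient client = HttpClients.custom().build()) {
                HttpClientContext userA = HttpClientContext.create();
                userA.setCookieStore(new BasicCookieStore());
                HttpClientContext userB = HttpClientContext.create();
                userB.setCookieStore(new BasicCookieStore());
                System.out.println("isolated, A#1: " + hitLoginPage(client, userA, base)); // [none]
                System.out.println("isolated, A#2: " + hitLoginPage(client, userA, base)); // A's own cookie
                System.out.println("isolated, B#1: " + hitLoginPage(client, userB, base)); // [none]
            }
        } finally {
            server.stop(0);
        }
    }
}
```

Option 2 is the right one when, as here, the test harness means to model "a user who has no session yet": the client then never says more than the caller told it to. Option 3 is the better fit for a load test that also exercises the logged-in part of the site, since each virtual user keeps its own JSESSIONID without ever borrowing another user's.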


On 16/05/18 2:33 AM, Martin Gainty wrote:
>
> 8443 indicates secure connection so perhaps a misconfig with 
> wildfly standalone.xml (see below)
>
> <servlet-container name="pasala">
>     <session-cookie http-only="true" secure="true"/> <!-- enable secure cookies with secure = true -->
>     <jsp-config/>
> </servlet-container>
>
> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>
> can you ping wildfly userlist ?
> https://developer.jboss.org/en/wildfly
>
>
> Jaikiran is a good resource that I met on a different user list. I 
> would definitely ping him.
> Stay in touch/let me know if setting session-cookie in standalone.xml 
> works.
>
> M-
> NB: I once contracted to the company that bought WildFly. We had to 
> figure out the configuration by ourselves.
>
> ------------------------------------------------------------------------
> *From:* Prasanth Pasala <ppasala@pangburngroup.com>
> *Sent:* Tuesday, May 15, 2018 11:42 AM
> *To:* user@struts.apache.org
> *Subject:* Re: Struts2 login action class seems to be reused
> See below the header information when the exception occurred. The strange 
> thing is that JMeter is saying it did not send any cookie (which is what I 
> would expect in this case, as it is just requesting the login page).
>
> Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.xxxxxxxx 
> (xxxxxx - is the machine name on which wildfly is running)
> Connection: keep-alive
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> Host: dev.secure.xxxxxxxxxxx.com:8443
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
> 10:09:09,150 ERROR 
> [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default 
> task-20) Exception occurred during processing request: UT000010: 
> Session is invalid
> ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: 
> java.lang.IllegalStateException: UT000010: Session is invalid 
> ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ
>
> ------------From JMeter---------------------------------------------------
> GET https://dev.secure.pangburngroup.com:8443/participant/
>
> GET data:
>
>
> [no cookies]
>
> Request Headers:
> Connection: keep-alive
> Host: dev.secure.xxxxxxxxxxx.com:8443
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> ------------------------------------------------------------------------------
>
> Thanks,
> Prasanth
>
> On 05/15/2018 07:44 AM, Martin Gainty wrote:
> > Hi Norbert/Prasanth
> >
> > Struts2 login action problem has morphed to "Invalid Session 
> > State" with Wildfly's implementation of TC 5.5
> >
> > https://en.wikipedia.org/wiki/WildFly
> >
> >
> > MG>as a debugging exercise I would dump HTTP Header attributes with
> >
> > http://livehttpheaders.mozdev.org/
> >
> >
> > MG>then check JSESSIONID
> >
> > MG>a fellow named "Thomas" had a similar problem with incorrect 
> JSESSIONID
> > MG>and corrected with his own StandardManager findSession method
> > 
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
> >
> > Yes, there is! I found it and implemented this solution: A class
> > extending org.apache.catalina.session.StandardManager and overriding
> > the method public Session findSession(String id) throws IOException -
> > simply removing quotation marks, if any! Seems to work fine.
> > Thanks for putting me on the right trail!
> >
> > MG>assuming your TC has incorrect StandardManager can you update 
> wildfly with a more updated version?
> > MG>here are versions
> > https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
> >
> >
> > MG>personally I wouldn't muck with TC; I would suggest upgrading 
> > WildFly and getting the jboss-web container
> >
> > hth
> > martin
> > ______________________________________________
> >
> > ________________________________
> > From: Norbert Hirneisen <nobbi@s2you.de>
> > Sent: Friday, March 2, 2018 6:55 PM
> > To: user@struts.apache.org
> > Subject: Fwd: Re: Struts2 login action class seems to be reused
> >
> > Hi Prasanth,
> >
> > Are you sure all your struts1 code is thread safe? I had some similar
> > problems in a struts1 application. After removing all action class
> > properties the problem was solved. Struts2 should be thread safe. But
> > your problem looks to me like a problem with thread safety.
> >
> > Best regards,
> >
> > Norbert
> >
> > science + communication & HaNo Systems
> >
> > Bonn/Ho-Chi-Minh
> >
> >
> > Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
> >> I was able to replicate the issue today. I asked a few users to keep 
> >> logging in and ran JMeter to access the login page, without putting in 
> >> any username or password. Out of the 100 attempts, 2 attempts were 
> >> successful in getting in without a username/password. I am seeing 
> >> database login entries for these two, which would happen only if a 
> >> valid session is not present and the user has provided a username/password.
> >>
> >> Thanks,
> >> Prasanth
> >>
> >> On 03/01/2018 02:27 PM, Prasanth wrote:
> >>> Hi,
> >>>
> >>> I have an application which uses both struts1 & struts2. The login 
> >>> action was recently moved to struts2. Immediately after the deployment 
> >>> we were notified that one user was seeing a different user's 
> >>> information, so we had to move back to the older war files. I am not 
> >>> able to replicate it. But after investigating the logs it seems like a 
> >>> couple of users were logged in as soon as they requested the login page. 
> >>> For the database entry to happen it has to verify the username and 
> >>> password in the action class, but the fact that there is no POST entry 
> >>> at that time from that IP in my access log makes me believe 
> >>> that the action class somehow already had that information from a 
> >>> prior user.
> >>>
> >>> I do have a login filter to check if users are logged in when 
> >>> accessing other pages. In this filter I have the below two lines; we 
> >>> had to do this as we will have requests forwarded from one 
> >>> application to another, and when that happens we get a class 
> >>> cast exception for the ActionMapping class and valueStack. Not sure if 
> >>> the behavior is a side effect of having the below lines.
> >>>
> >>> request.setAttribute("struts.actionMapping", new ActionMapping());
> >>> request.setAttribute("struts.valueStack", null);
> >>>
> >>> We are using Struts 2.3.34 and Wildfly.
> >>>
> >>> Appreciate any insights you might have.
> >>>
> >>> Thanks,
> >>> Prasanth
> >>>
> >>>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > For additional commands, e-mail: user-help@struts.apache.org
> >
> >
>
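Norbert's thread-safety point from earlier in the thread, as an added illustration that is not the poster's code and does not diagnose it: a Struts1 action is one instance that the container calls from every request thread (Struts2, by contrast, creates a new action instance per request), so request data parked in an instance field can be overwritten by a concurrent request between the moment it is stored and the moment it is used. The latch below forces exactly that interleaving so the clobbering shows deterministically; in production the window is small, which is why such a bug surfaces only intermittently under load. The class and field names are assumptions.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class ActionStateDemo {

    // Struts1-style action (hypothetical, not the poster's): the container creates ONE
    // instance and every request's thread calls execute() on it, so a field is shared state.
    static class SharedStateAction {
        // volatile only makes the clobbering visible to the other thread; it does not prevent it.
        private volatile String username;

        String execute(String requestUser, CountDownLatch bothStored) throws InterruptedException {
            this.username = requestUser;      // step 1: stash this request's user on the action
            bothStored.countDown();
            bothStored.await();               // stand-in for: another request ran in between
            return "login recorded for " + this.username;   // step 2: act on whatever is there now
        }
    }

    // Same flow with the request data kept in a local variable: each thread owns its own copy.
    static class StatelessAction {
        String execute(String requestUser, CountDownLatch bothStored) throws InterruptedException {
            String username = requestUser;
            bothStored.countDown();
            bothStored.await();
            return "login recorded for " + username;
        }
    }

    // Runs "alice" and "bob" through the same action instance at the same time and returns
    // what each request ended up doing, in the order [alice's result, bob's result].
    static String[] runConcurrently(boolean useSharedField) throws Exception {
        CountDownLatch bothStored = new CountDownLatch(2);
        SharedStateAction shared = new SharedStateAction();
        StatelessAction stateless = new StatelessAction();
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            Future<String> alice = pool.submit(() -> useSharedField
                    ? shared.execute("alice", bothStored) : stateless.execute("alice", bothStored));
            Future<String> bob = pool.submit(() -> useSharedField
                    ? shared.execute("bob", bothStored) : stateless.execute("bob", bothStored));
            return new String[] { alice.get(), bob.get() };
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] r = runConcurrently(true);
        System.out.println("instance field: alice's request -> " + r[0]
                + " | bob's request -> " + r[1]);
        // -> both requests report the same user: one of them just acted as the other

        r = runConcurrently(false);
        System.out.println("local variable: alice's request -> " + r[0]
                + " | bob's request -> " + r[1]);
        // -> "login recorded for alice" and "login recorded for bob"
    }
}
```

The check a practitioner would run on a Struts1 code base is therefore mechanical: any non-final field on an Action subclass (or on a filter, servlet or other singleton) that is written during request handling is a candidate for cross-user leakage, whether or not it has ever misbehaved in testing.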

