From: Prasanth Pasala
To: Struts Users Mailing List, Jaikiran Pai
CC: Martin Gainty
Date: Tue, 15 May 2018 21:29:00 -0500
Subject: Re: Struts2 login action class seems to be reused
Message-ID: <46BD9035-9804-45FB-B42C-FF108D2B4754@pangburngroup.com>
In-Reply-To: <50645d89-92a3-0088-eab0-2346098a6a50@apache.org>
References: <86f40b9b-111b-1007-5a58-915d9fc33fbd@s2you.de> <50645d89-92a3-0088-eab0-2346098a6a50@apache.org>
User-Agent: K-9 Mail for Android

We have two applications (websites); to make it easier for users we have a third site that acts as a common login place. Once the user enters the username and password it determines the right site to use and does a forward to that context (applications hosted on the same host).

When using struts1 everything was fine. When we moved to struts2 we started getting crossed logins. When a user gets to the login page the action would get populated with a username and password used by some other user. This happens only if a request with this information is forwarded from one context to another.

With some help from the struts mailing list it was determined that somehow old actions are in the stack, and if we remove get methods struts2 would not be able to pull that data and put it in the current value stack. So we did it, and when we started testing we are getting session invalid exceptions. Again this happens only if there are users logging in to context1 and that request is forwarded to context2. If the login activity is done directly in context2 the issue does not arise.

Thanks
Prasanth

On May 15, 2018 8:45:25 PM CDT, Jaikiran Pai wrote:
>I don't have enough context of this discussion, but looking briefly at
>this, it looks like you are using Apache HTTP client (probably with
>pooled connections) and it seems like a connection reuse for a
>subsequent login request is sending a Cookie with the request (when it
>shouldn't?).
>
>If that's the case, then it looks like the Apache HTTP client's auto
>Cookie management is coming into picture where it "auto attaches" the
>Cookie, obtained from a previous response on that connection, to the
>new request on that reused connection. Apache HTTP client allows you to
>configure this behaviour by setting a cookie policy management. I guess
>you probably want to use the "ignoreCookies" policy in your case, since
>you want to manage setting the Cookie to the requests yourself. The
>Apache HTTP client documentation[1] has more information. Something
>like:
>
>        final HttpClientBuilder httpClientBuilder = ....
>        final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom();
>        ...
>        requestConfigBuilder.setCookieSpec(org.apache.http.client.config.CookieSpecs.IGNORE_COOKIES);
>        ...
>        httpClientBuilder.setDefaultRequestConfig(requestConfigBuilder.build());
>
>[1] For 3.x version (I couldn't find one for 4.x which you seem to be
>using) https://hc.apache.org/httpclient-3.x/cookies.html
>
>[2] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html
>
>-Jaikiran
>
>
>On 16/05/18 2:33 AM, Martin Gainty wrote:
>>
>> 8443 indicates secure connection so perhaps a misconfig with
>> wildfly standalone.xml (see below)
>>
>> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>>
>> can you ping wildfly userlist ?
>> https://developer.jboss.org/en/wildfly
>>
>> jaikiran is a good resource that i met on a different userlist..i
>> would definitely ping him
>> stay in touch/let me know if setting session-cookie in standalone.xml
>> works
>>
>> M-
>> NB: I once contracted to the company that bought wildfly..we had to
>> figure configuration by ourselves
>>
>> ------------------------------------------------------------------------
>> *From:* Prasanth Pasala
>> *Sent:* Tuesday, May 15, 2018 11:42 AM
>> *To:* user@struts.apache.org
>> *Subject:* Re: Struts2 login action class seems to be reused
>>
>> See below the header information when the exception occurred. Strange
>> thing is JMeter is saying it did not send any cookie (which is what I
>> would expect in this case as it is just requesting the login page)
>>
>> Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.xxxxxxxx
>> (xxxxxx - is the machine name on which wildfly is running)
>> Connection: keep-alive
>> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
>> Host: dev.secure.xxxxxxxxxxx.com:8443
>> Content-Length: 46
>> Content-Type: application/x-www-form-urlencoded
>>
>> 10:09:09,150 ERROR
>> [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default
>> task-20) Exception occurred during processing request: UT000010:
>> Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ:
>> java.lang.IllegalStateException: UT000010: Session is invalid
>> ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ
>>
>> ------------From JMeter---------------------------------------------------
>> GET https://dev.secure.pangburngroup.com:8443/participant/
>>
>> GET data:
>>
>> [no cookies]
>>
>> Request Headers:
>> Connection: keep-alive
>> Host: dev.secure.xxxxxxxxxxx.com:8443
>> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
>> ------------------------------------------------------------------------------
>>
>> Thanks,
>> Prasanth
>>
>> On 05/15/2018 07:44 AM, Martin Gainty wrote:
>> > Hi Norbert/Prasanth
>> >
>> > Struts2 login action problem has morphed to "Invalid Session
>> > State" with Wildfly's implementation of TC 5.5
>> >
>> > https://en.wikipedia.org/wiki/WildFly
>> >
>> > MG>as a debugging exercise I would dump HTTP Header attributes with
>> >
>> > http://livehttpheaders.mozdev.org/
>> >
>> > MG>then check JSESSIONID
>> >
>> > MG>a fellow named "Thomas" had a similar problem with incorrect
>> > JSESSIONID
>> > MG>and corrected with his own StandardManager findSession method
>> >
>> > https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>> >
>> > Yes, there is! I found it and implemented this solution: A class
>> > extending org.apache.catalina.session.StandardManager and overriding
>> > the method public Session findSession(String id) throws IOException -
>> > simply removing quotation marks, if any! Seems to work fine.
>> > Thanks for putting me on the right trail!
>> >
>> > MG>assuming your TC has incorrect StandardManager can you update
>> > wildfly with a more updated version?
>> > MG>here are versions
>> > https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>> >
>> > MG>personally i wouldnt muck with TC i would suggest upgrading
>> > wildfly and getting jboss-web container
>> >
>> > hth
>> > martin
>> > ______________________________________________
>> >
>> > ________________________________
>> > From: Norbert Hirneisen
>> > Sent: Friday, March 2, 2018 6:55 PM
>> > To: user@struts.apache.org
>> > Subject: Fwd: Re: Struts2 login action class seems to be reused
>> >
>> > Hi Prasanth,
>> >
>> > are you sure all your struts1 code is thread safe ? I had some similar
>> > problems in a struts1 application. After removing all action class
>> > properties the problem was solved. Struts2 should be thread safe. But
>> > your problem looks to me like a problem with thread safety.
>> >
>> > Best regards,
>> >
>> > Norbert
>> >
>> > science + communication & HaNo Systems
>> >
>> > Bonn/Ho-Chi-Minh
>> >
>> >
>> > On 02.03.2018 at 22:07, Prasanth Pasala wrote:
>> >> I was able to replicate the issue today. Asked a few users to keep
>> >> logging in and ran jmeter to access the login page, without putting any
>> >> username or password. Out of the 100 attempts 2 attempts were
>> >> successful in getting in without username/password. I am seeing
>> >> database login entries for these two, which would happen only if a
>> >> valid session is not present and the user has provided username/password.
>> >>
>> >> Thanks,
>> >> Prasanth
>> >>
>> >> On 03/01/2018 02:27 PM, Prasanth wrote:
>> >>> Hi,
>> >>>
>> >>> I have an application which uses both struts1 & struts2. The login
>> >>> action was recently moved to struts2. Immediately after the deployment
>> >>> we were notified that one user is seeing a different user's
>> >>> information, so we had to move to older war files. I am not able
>> >>> to replicate it. But after investigating the logs it seems like a couple
>> >>> of users were logged in as soon as they requested the login page.
>> >>> For the database entry to happen it has to verify the username and
>> >>> password in the action class, but the fact that there is no POST entry
>> >>> at that time from that IP in my access log makes me believe
>> >>> that the action class somehow already had that information from a
>> >>> prior user.
>> >>>
>> >>> I do have a login filter to check if users are logged in when
>> >>> accessing other pages. In this filter I have the below two lines; we
>> >>> had to do this as we will have requests forwarded from one
>> >>> application to another and when that happens we are getting a class
>> >>> cast exception for the ActionMapping class and valueStack. Not sure if the
>> >>> behavior is a side effect of having the below lines.
>> >>>
>> >>> request.setAttribute("struts.actionMapping", new ActionMapping());
>> >>> request.setAttribute("struts.valueStack", null);
>> >>>
>> >>> We are using Struts 2.3.34 and Wildfly.
>> >>>
>> >>> Appreciate any insights you might have.
>> >>>
>> >>> Thanks,
>> >>> Prasanth
>> >>>
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> > For additional commands, e-mail: user-help@struts.apache.org
>> >
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.