From: Prasanth Pasala
Organization: The Pangburn Company
To: user@struts.apache.org
Subject: Re: Struts2 login action class seems to be reused
Date: Tue, 15 May 2018 10:42:26 -0500
List-Id: "Struts Users Mailing List"

See below the header information when the exception occurred. Strange thing is JMeter is saying it did not send any cookie (which is what I would expect in this case as it is just requesting the login page)

Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.xxxxxxxx   (xxxxxx - is the machine name on which wildfly is running)
Connection: keep-alive
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
Host: dev.secure.xxxxxxxxxxx.com:8443
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

10:09:09,150 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) Exception occurred during processing request: UT000010: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: UT000010: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ

------------From JMeter---------------------------------------------------
GET https://dev.secure.pangburngroup.com:8443/participant/

GET data:

[no cookies]

Request Headers:
Connection: keep-alive
Host: dev.secure.xxxxxxxxxxx.com:8443
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
------------------------------------------------------------------------------

Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
> MG>personally I wouldn't muck with TC, I would suggest upgrading wildfly and getting jboss-web container
>
> hth
> martin
>
> ________________________________
> From: Norbert Hirneisen
> Sent: Friday, March 2, 2018 6:55 PM
> To: user@struts.apache.org
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe? I had some similar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problem looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
>
> On 02.03.2018 at 22:07, Prasanth Pasala wrote:
>> I was able to replicate the issue today. Asked a few users to keep logging in and ran jmeter to access login page, without putting any username or password. Out of the 100 attempts 2 attempts were
>> successful in getting in without username/password. I am seeing database login entries for these two. Which would happen only if a valid session is not present and user has provided username/password.
>>
>> Thanks,
>> Prasanth
>>
>> On 03/01/2018 02:27 PM, Prasanth wrote:
>>> Hi,
>>>
>>> I have an application which uses both struts1 & struts2. The login action was recently moved to struts2. Immediately after the deployment we were notified that one user is seeing a different user's
>>> information, so we had to move to older war files. I am not able to replicate it. But after investigating the logs it seems like a couple of users were logged in as soon as they requested the login page.
>>> For the database entry to happen it has to verify the username and password in the action class, but the fact that there is no POST entry at that time from that IP in my access log makes me believe
>>> that the action class somehow already had that information from a prior user.
>>>
>>> I do have a login filter to check if users are logged in when accessing other pages. In this filter I have the below two lines, we had to do this as we will have requests forwarded from one
>>> application to another and when that happens we are getting class cast exception for ActionMapping class and valueStack. Not sure if the behavior is a side effect of having the below lines.
>>>
>>> request.setAttribute("struts.actionMapping", new ActionMapping());
>>> request.setAttribute("struts.valueStack", null);
>>>
>>> We are using Struts 2.3.34 and Wildfly.
>>>
>>> Appreciate any insights you might have.
>>>
>>> Thanks,
>>> Prasanth
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
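
Added example, not code from anyone in this thread: a minimal Java simulation of the failure mode raised above, where an action object that keeps request data in instance fields is reused for a later request that carries no parameters. LoginAction, dispatch and the sample account are hypothetical, and whether the poster's application actually shares action instances is an assumption.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

public class ActionReuseDemo {
    /** Hypothetical login action; the framework fills its fields from request parameters. */
    static class LoginAction {
        private String username;
        private String password;
        public void setUsername(String u) { username = u; }
        public void setPassword(String p) { password = p; }

        /** Returns the account that gets logged in, or null to show the login form. */
        public String execute(Map<String, String> accounts) {
            if (username == null || password == null) return null;
            return password.equals(accounts.get(username)) ? username : null;
        }
    }

    /** Simulated dispatcher: setters are only called for parameters present in the request. */
    static String dispatch(Supplier<LoginAction> source, Map<String, String> params,
                           Map<String, String> accounts) {
        LoginAction action = source.get();
        if (params.containsKey("username")) action.setUsername(params.get("username"));
        if (params.containsKey("password")) action.setPassword(params.get("password"));
        return action.execute(accounts);
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the thread.
        Map<String, String> accounts = Collections.singletonMap("alice", "constructed-pw");
        Map<String, String> loginPost = new HashMap<>();
        loginPost.put("username", "alice");
        loginPost.put("password", "constructed-pw");
        Map<String, String> plainGet = Collections.emptyMap(); // login page request, no parameters

        // One instance reused across requests: the GET inherits the earlier POST's credentials.
        LoginAction shared = new LoginAction();
        dispatch(() -> shared, loginPost, accounts);
        System.out.println("shared instance, GET      -> " + dispatch(() -> shared, plainGet, accounts));

        // New instance per request: the GET has no credentials and gets the login form.
        dispatch(LoginAction::new, loginPost, accounts);
        System.out.println("per-request instance, GET -> " + dispatch(LoginAction::new, plainGet, accounts));
    }
}
```

Struts 2 instantiates an action per request by default; when the action is created by Spring, the bean needs prototype scope to keep that behaviour.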