tomcat-dev mailing list archives

From Bojan Smojver <bo...@binarix.com>
Subject Bugs/Improvements in Tomcat 3.3-m2
Date Tue, 10 Apr 2001 01:34:12 GMT

I think there is a bug in AccessInterceptor.java, line 488, which only
shows when cookies are turned off in server.xml file with:

<SessionId cookiesFirst="false" noCookies="true" />

The problem is related to the fact that at the time of 'if', the
req.getSessionIdSource() returns null and the test is blown sky high
(i.e. there is a NullPointerException). If I specify a URL with a session
id encoded into it, the problem goes away. Obviously, without the
encoded URL, the sessionIdSource is still null.

Unfortunately I don't know enough about the internals of Tomcat to fix
this properly, but I guess for someone familiar it should be fairly
easy.

I came up with this:

---
jakarta-tomcat-3.3-src-original/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
    
Sat Mar 10 09:54:07 2001
+++
jakarta-tomcat-3.3-src/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java    
 
Tue Apr 10 09:55:45 2001
@@ -485,7 +485,8 @@
                 && !req.queryString().toString().equals(""))
            originalLocation += "?" + req.queryString().toString();
         //XXX is needed to put the JVM route too?
-        if
(req.getSessionIdSource().equals(Request.SESSIONID_FROM_URL)){
+        if (req.getSessionIdSource()!=null &&
+           
req.getSessionIdSource().equals(Request.SESSIONID_FROM_URL)){
             String id=";jsessionid="+req.getSessionId() ;
             originalLocation += id ;
             page += id ;
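
Review bot: the null guard in the new 'if' avoids the NullPointerException, but when req.getSessionIdSource() returns null the whole block is skipped, so neither originalLocation nor page gets the ";jsessionid=" suffix. With noCookies="true" that means the values built here carry no session id at all, which is worth checking against the j_security_check behaviour reported for this change before treating the guard as the fix. For the guard itself, Request.SESSIONID_FROM_URL.equals(req.getSessionIdSource()) is null-safe and calls the getter once instead of twice.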

But this doesn't really work, because, for reasons unknown to me,
j_security_check isn't there any more (works fine with cookies). Instead
I get the listing of the /login directory. That's where pages used for
authentication, login.jsp and error.jsp, live. I'm sure the request
actually reaches Tomcat because I'm tailing the logs. My bet is that the
jsessionid isn't taken into account when comparing the request URI to
j_security_check that was mapped in the context. But, as I said before,
a bit over my head, this one...

There is also the problem with slow session id generation on Linux. This
fixes it nicely in SessionIdGenerator.java, without upsetting other
operating systems, even on Linux that doesn't have /dev/random. This is
a slight rework of the code someone else submitted to the Tomcat list
some time ago. I can't remember the name right now, but the credit goes
to that person anyway.

---
jakarta-tomcat-3.3-src-original/src/share/org/apache/tomcat/util/SessionIdGe
nerator.java    Wed Dec 27 10:26:18 2000
+++
jakarta-tomcat-3.3-src/src/share/org/apache/tomcat/util/SessionIdGenerator.j
ava     Tue Apr 10 09:59:04 2001
@@ -61,6 +61,7 @@
 package org.apache.tomcat.util;
 
 import java.util.Random;
+import java.io.*;
 
 /**
  * This class generates a unique 10+ character id. This is good
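
Review bot: the wildcard 'import java.io.*;' pulls in the whole package for the three classes the next hunk uses. Import DataInputStream, FileInputStream and IOException explicitly so the file's dependencies stay visible.
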
@@ -120,7 +121,20 @@
            throw new RuntimeException( "No random source " );
        
         // random value ..
-        long n = randomSource.nextLong();
+        long n = 0;
+        if ( System.getProperty("os.name").equalsIgnoreCase("linux") )
{
+          try {
+            DataInputStream is = new DataInputStream(
+                                 new FileInputStream("/dev/random"));
+            n=is.readLong();
+            is.close();
+          } catch (IOException ie) {
+            n = randomSource.nextLong();
+          }
+        } else {
+          n = randomSource.nextLong();
+        }
+
         if (n < 0) n = -n;
         n %= maxRandomLen;
         // add maxLen to pad the leading characters with '0'; remove
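
Review bot: in the Linux branch, a new FileInputStream on /dev/random is opened for every id, and is.close() is only reached when readLong() succeeds, so an IOException from the read leaks the descriptor; close it in a finally block, or open the stream once and reuse it. /dev/random is also the blocking device on Linux: readLong() can stall while the kernel's entropy estimate is low, and the randomSource fallback only runs on IOException, so a stalled read never reaches it. /dev/urandom does not block and fits the stated goal of faster id generation better. The os.name test on each call could be dropped in favour of simply trying to open the device and falling back when that fails.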

Bojan
