Message-ID: <3AD26314.611BF6A5@binarix.com>
Date: Tue, 10 Apr 2001 11:34:12 +1000
From: Bojan Smojver
Organization: Binarix Corporation Pty Ltd
To: Tomcat Dev List
Subject: Bugs/Improvements in Tomcat 3.3-m2

I think there is a bug in AccessInterceptor.java, line 488, which only shows when cookies are turned off in server.xml file with:

The problem is related to the fact that at the time of 'if', the req.getSessionIdSource() returns null and the test is blown sky high (ie. there is a NullPointerException). If I specify a URL with a session id encoded into it, the problem goes away. Obviously, without the encoded URL, the sessionIdSource is still null.

Unfortunately I don't know enough about the internals of Tomcat to fix this properly, but I guess for someone familiar it should be fairly easy. I came up with this:

--- jakarta-tomcat-3.3-src-original/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java Sat Mar 10 09:54:07 2001 +++ jakarta-tomcat-3.3-src/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java Tue Apr 10 09:55:45 2001 
@@ -485,7 +485,8 @@ && !req.queryString().toString().equals("")) originalLocation += "?" + req.queryString().toString(); //XXX is needed to put the JVM route too? - if (req.getSessionIdSource().equals(Request.SESSIONID_FROM_URL)){ + if (req.getSessionIdSource()!=null && + req.getSessionIdSource().equals(Request.SESSIONID_FROM_URL)){ String id=";jsessionid="+req.getSessionId() ; originalLocation += id ; page += id ; But this doesn't really work, because, for reasons unknown to me, j_security_check isn't there any more (works fine with cookies). Instead I get the listing of the /login directory. That's where pages used for authentication login.jsp and error.jsp live. I'm sure the request actually reaches Tomcat because I'm tailing the logs. My bet is that the jsessionid isn't taken into account when comparing the request URI to j_security_check that was mapped in the context. But, as I said before, a bit over my head, this one... There is also the problem with slow session id generation on Linux. This fixes it nicely in SessionIdGenerator.java, without upsetting other operating systems, even on Linux that doesn't have /dev/random. This is a slight rework of the code someone else submitted to the Tomcat list some time ago. I can't remember the name right now, but the credit goes to that person anyway. --- jakarta-tomcat-3.3-src-original/src/share/org/apache/tomcat/util/SessionIdGe nerator.java Wed Dec 27 10:26:18 2000 +++ jakarta-tomcat-3.3-src/src/share/org/apache/tomcat/util/SessionIdGenerator.j ava Tue Apr 10 09:59:04 2001 @@ -61,6 +61,7 @@ package org.apache.tomcat.util; import java.util.Random; +import java.io.*; /** * This class generates a unique 10+ character id. This is good 
@@ -120,7 +121,20 @@ throw new RuntimeException( "No random source " ); // random value .. - long n = randomSource.nextLong(); + long n = 0; + if ( System.getProperty("os.name").equalsIgnoreCase("linux") ) { + try { + DataInputStream is = new DataInputStream( + new FileInputStream("/dev/random")); + n=is.readLong(); + is.close(); + } catch (IOException ie) { + n = randomSource.nextLong(); + } + } else { + n = randomSource.nextLong(); + } + if (n < 0) n = -n; n %= maxRandomLen; // add maxLen to pad the leading characters with '0'; remove Bojan
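
Review bot: In the AccessInterceptor.java hunk (@@ -485,7 +485,8 @@), the added guard calls req.getSessionIdSource() twice just to avoid the NullPointerException; comparing from the constant side, Request.SESSIONID_FROM_URL.equals(req.getSessionIdSource()), is null-safe in a single call. The branch it protects appends ";jsessionid=" plus the session id to both originalLocation and page, so with a null source the id is silently left off; a short comment stating that this is the intended behaviour for a request with no session id source would help the next reader. Because the id is written into these URLs, it can also show up in access logs and Referer headers, which is worth recording next to the existing XXX comment.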
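
Review bot: In the first SessionIdGenerator.java hunk (@@ -61,6 +61,7 @@), the wildcard import java.io.* pulls in the whole package for three classes; importing java.io.DataInputStream, java.io.FileInputStream and java.io.IOException explicitly matches the existing single-class import java.util.Random and makes the new dependency on file I/O obvious.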
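
Review bot: In the second SessionIdGenerator.java hunk (@@ -120,7 +121,20 @@), the new branch opens /dev/random and reads 8 bytes for every id, and that device can block while the kernel waits for entropy, so id generation can stall under load; reading from /dev/urandom, or opening the stream once and reusing it, avoids that. is.close() is only reached on the success path, so an IOException thrown by is.readLong() leaks the file descriptor; move the close into a finally block. The catch covers only IOException, so a SecurityException from System.getProperty("os.name") or from new FileInputStream("/dev/random") under a security manager would escape instead of falling back to randomSource.nextLong(). The unchanged line if (n < 0) n = -n; leaves Long.MIN_VALUE negative, which raw device bytes can produce, so n %= maxRandomLen can still yield a negative value.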