tomcat-users mailing list archives

From "at.silk" <at.s...@everis.com>
Subject RE: Exception in CoyoteAdapter class
Date Mon, 09 Dec 2013 11:43:03 GMT
Hi Konstantin,

My answers below.

AT.

2013/12/3 at.silk <at.silk@everis.com>:
> Hi,
>
> I am contacting you about an exception we receive in a Tomcat class. A few days ago we
> got an error in an application integrated with Tomcat. We have tried to get information about
> it but we did not find any solution, so we would like to know if you are aware of this issue.
>
> First we describe our scenario:
> 1. The user logs in to the portal and remains static for more than 30 minutes (30 minutes is
> the session expiration time).
> 2. Afterwards, he refreshes the webpage and the session has expired.
> 3. During the page reloading, an error occurs while executing the "parseSessionSslId"
> method because the "SSLSupport.SESSION_ID_KEY" is empty.
> 4. A blank page is displayed because the error is not caught.
>
> The exception produced during step 3 belongs to this section:
>  [org\apache\catalina\connector\CoyoteAdapter.java]
>       Method parseSessionSslId:
>                 request.setRequestedSessionId(request.getAttribute(SSLSupport.SESSION_ID_KEY).toString());
>                 request.setRequestedSessionSSL(true);
>
> This is our context:
> - Tomcat version: 7.0.25
> - OS: Linux distribution
> - Liferay 6.1GA1 portal integrated with Tomcat
> - We don't negotiate user session by the sessionid with the cookie but with the certificate.
>
> Our server.xml configuration file contains the following connectors:
> <Connector URIEncoding="UTF-8" port="8010" protocol="AJP/1.3"
>            redirectPort="8443" scheme="https" secure="true" />
> <Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            clientAuth="false" keystoreFile="xxx" keystorePass="yyy"
>            keystoreType="PKCS12" maxThreads="150" scheme="https" secure="true"
>            sslProtocol="TLS"/>

1. Is Tomcat accessed via AJP or HTTPS ?
AT: Tomcat is accessed via AJP:
<Connector URIEncoding="UTF-8" port="8010" protocol="AJP/1.3" redirectPort="8443" scheme="https"
secure="true" />

<Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false"
keystoreFile="xxx" keystorePass="yyy" keystoreType="PKCS12" maxThreads="150" scheme="https"
secure="true" sslProtocol="TLS"/>


2. What is in front of Tomcat? An Apache HTTPD server? -> Right.

Is Apache HTTPD accessed via HTTPS? -> Right, via HTTPS

How mod_jk is configured there?
Is mod_jk configured to pass SSL_SESSION_ID to Tomcat?

AT:
This is our configuration:
AllowCONNECT 443
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLOptions +StdEnvVars +ExportCertData
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "xxx.crt"
SSLCertificateKeyFile "xxx.key"
ProxyPass / ajp://localhost:8010/ connectiontimeout=3600 timeout=3600
ProxyPassReverse / ajp://localhost:8010/

3. How <session-config> is configured in WEB-INF/web.xml of your web applications and
in the shared $CATALINA_BASE/conf/web.xml file?
I expect that you have <tracking-mode> configured in one of those files.
<session-config>
	<session-timeout>30</session-timeout>
	<tracking-mode>SSL</tracking-mode>
</session-config>

Are you able to identify what web application is being requested here?
(E.g. by looking into the access log)?
There is just one web application accessing there.

> Conclusion:
> The exception is raised when the session id is empty because we have an expired session.
> We have compiled this code section with a try catch and now our application does not receive
> the error, and we can see our page displayed, obviously with session expired.

4. A full stacktrace = ?
java.lang.NullPointerException
at org.apache.catalina.connector.CoyoteAdapter.parseSessionSslId(CoyoteAdapter.java:894)
at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:689)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:402)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)	


> Do you think this could be due to some local configuration or is it a general issue?
> Is there the possibility to contemplate this case to be protected when sessionId is null?
>

If an application is configured to use ssl session as its session identifier, and no ssl session
is available, how do you expect it to behave?  It looks that if one adds a try/catch there, the
application will create a new session with every request.  Are you OK with that?
AT: If there is not already an active session I would agree with creating a new session just
for this situation.

5. I do not see how 30 minutes can come into a play here. With my guesses above an application
should have failed with the first request.
Is some form of single-sign-on configured between applications? Is 30 minutes the expiration
time from single-sign-on (and not from webapp's session)?
AT: There is no SSO. It seems the application checks its own timeout later than Tomcat does.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
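
The trade-off discussed in this thread, as an added example that is not part of the original message and is not Tomcat's code: a small model of session tracking keyed on the SSL session id, showing the unguarded lookup failing when the id is absent and the null-safe lookup handing out a new session on every such request. The class, the attribute key and the sample id are hypothetical stand-ins.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class SslSessionTrackingDemo {
    // Hypothetical stand-in for the request attribute key; not Tomcat's constant.
    static final String SSL_SESSION_ATTR = "demo.ssl_session_id";

    // Application sessions keyed by SSL session id, as with <tracking-mode>SSL</tracking-mode>.
    static final Map<String, String> sessions = new HashMap<>();

    // Same shape as the failing line: dereferences the attribute unconditionally.
    static String unguardedSessionId(Map<String, Object> attrs) {
        return attrs.get(SSL_SESSION_ATTR).toString(); // NPE when the attribute is absent
    }

    // Null-safe variant: a missing SSL session id means "no requested session".
    static String guardedSessionId(Map<String, Object> attrs) {
        Object id = attrs.get(SSL_SESSION_ATTR);
        return id == null ? null : id.toString();
    }

    // Returns the application session for a request, creating one if needed.
    static String resolveSession(Map<String, Object> attrs) {
        String requested = guardedSessionId(attrs);
        if (requested != null) {
            return sessions.computeIfAbsent(requested, k -> "app-session-for-" + k);
        }
        // Nothing to key on: each such request gets a fresh, unrelated session.
        return "anonymous-" + UUID.randomUUID();
    }

    public static void main(String[] args) {
        Map<String, Object> withId = new HashMap<>();
        withId.put(SSL_SESSION_ATTR, "CONSTRUCTED-SSL-ID-01"); // constructed sample value
        Map<String, Object> withoutId = new HashMap<>();       // no id reached the container

        System.out.println("same session reused: "
                + resolveSession(withId).equals(resolveSession(withId)));
        System.out.println("new session per request: "
                + !resolveSession(withoutId).equals(resolveSession(withoutId)));
        try {
            unguardedSessionId(withoutId);
        } catch (NullPointerException e) {
            System.out.println("unguarded lookup: NullPointerException");
        }
    }
}
```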

