tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Exception in CoyoteAdapter class
Date Wed, 04 Dec 2013 20:49:31 GMT
2013/12/3 at.silk <at.silk@everis.com>:
> Hi,
>
> I am contacting you about an exception we receive in a Tomcat class. A few days ago we
> got an error in an application integrated with Tomcat. We have tried to get information about
> it but we have not found any solution, so we would like to know if you are aware of this issue.
>
> First we describe our scenario:
> 1. The user logs in to the portal and remains static for more than 30 minutes (30 minutes is
>    the session expiration time).
> 2. Afterwards, he refreshes the webpage and the session has expired.
> 3. During the page reloading, an error occurs while executing the "parseSessionSslId"
>    method because the "SSLSupport.SESSION_ID_KEY" is empty.
> 4. A blank page is displayed because the error is not caught.
>
> The exception produced during step 3 belongs to this section:
>  [org\apache\catalina\connector\CoyoteAdapter.java]
>       Method parseSessionSslId:
>                 request.setRequestedSessionId(request.getAttribute(SSLSupport.SESSION_ID_KEY).toString());
>                 request.setRequestedSessionSSL(true);
>
> This is our context:
> - Tomcat version: 7.0.25
> - OS: Linux distribution
> - Liferay 6.1GA1 portal integrated with Tomcat
> - We don't negotiate user session by the sessionid with the cookie but with the certificate.
>
> Our server.xml configuration file contains the following connectors:
> <Connector URIEncoding="UTF-8" port="8010" protocol="AJP/1.3" redirectPort="8443"
>            scheme="https" secure="true" />
> <Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false"
>            keystoreFile="xxx" keystorePass="yyy" keystoreType="PKCS12" maxThreads="150" scheme="https"
>            secure="true" sslProtocol="TLS"/>

1. Is Tomcat accessed via AJP or HTTPS?

2. What is in front of Tomcat? An Apache HTTPD server? How is mod_jk
configured there? Is Apache HTTPD accessed via HTTPS?  Is mod_jk
configured to pass SSL_SESSION_ID to Tomcat?

http://tomcat.apache.org/connectors-doc/reference/apache.html

SSLOptions +StdEnvVars
JkExtractSSL On

3. How is <session-config> configured in WEB-INF/web.xml of your web
applications and in the shared $CATALINA_BASE/conf/web.xml file?

I expect that you have <tracking-mode> configured in one of those files.

Are you able to identify what web application is being requested here?
(E.g. by looking into the access log)?

> Conclusion:
> The exception is raised when the session id is empty because we have an expired session.
> We have compiled this code section with a try/catch and now our application does not receive
> the error, and we can see our page displayed, obviously with the session expired.

4. A full stacktrace = ?

> Do you think this could be due to some local configuration or is it a general issue?
> Is there the possibility to contemplate this case to be protected when sessionId is null?
>

If an application is configured to use ssl session as its session
identifier, and no ssl session is available, how do you expect it to
behave?  It looks like if one adds a try/catch there, the application will
create a new session with every request.  Are you OK with that?

5. I do not see how 30 minutes can come into play here. With my
guesses above an application should have failed with the first
request.

Is some form of single-sign-on configured between applications? Is 30
minutes the expiration time from single-sign-on (and not from webapp's
session)?

Best regards,
Konstantin Kolinko
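
Added example, not part of the original message and not Tomcat code: a small Python check covering questions 2 and 3 above. It reads a web.xml for an SSL-only <tracking-mode> and lists server.xml connectors that are marked secure but do not terminate TLS themselves, where the SSL session id has to come from the front end. The sample XML is constructed (the connectors are modelled on the ones quoted in the thread), and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.xml that selects SSL-only session tracking.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>SSL</tracking-mode>
  </session-config>
</web-app>"""

# Constructed sample modelled on the connectors quoted in the thread.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" scheme="https" secure="true"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

def _local(tag):
    """Drop any '{namespace}' prefix so descriptors of any schema version match."""
    return tag.rsplit("}", 1)[-1]

def tracking_modes(web_xml):
    """Return the set of <tracking-mode> values declared under <session-config>."""
    root = ET.fromstring(web_xml)
    return {el.text.strip().upper()
            for cfg in root.iter() if _local(cfg.tag) == "session-config"
            for el in cfg if _local(el.tag) == "tracking-mode" and el.text}

def secure_non_tls_connectors(server_xml):
    """Ports of connectors marked secure="true" that do not terminate TLS themselves."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("secure", "false").lower() == "true"
            and c.get("SSLEnabled", "false").lower() != "true"]

def review(web_xml, server_xml):
    """List configuration points to verify when SSL is the only tracking mode."""
    findings = []
    if tracking_modes(web_xml) == {"SSL"}:
        findings.append("SSL-only session tracking: requests without an SSL session id "
                        "reach parseSessionSslId with a null attribute")
        for port in secure_non_tls_connectors(server_xml):
            findings.append(f"connector {port}: secure=true without SSLEnabled; "
                            "check that the front end forwards the SSL session id")
    return findings

if __name__ == "__main__":
    for line in review(SAMPLE_WEB_XML, SAMPLE_SERVER_XML):
        print(line)
```

Run it against both WEB-INF/web.xml and $CATALINA_BASE/conf/web.xml, since either file may declare the tracking mode.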
