tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: seeking help with stabilizing the persistence of a JSESSIONID
Date Wed, 09 Sep 2015 20:30:25 GMT

Hardy,

On 9/9/15 4:22 PM, Pottinger, Hardy J. wrote:
> Ha, sorry for the useless detail :-)

It's no problem. Stymied by the effective use of class extension
features in an OO language. :)

>>> Is that enough of a clue?
>> Ha ha ha, no unfortunately not: pretty much all of the
>> authenticators extend from AuthenticatorBase, so the only thing
>> it tells us is that there is at least *some* authenticator.
>> 
>> If nobody else replies, I'll try to trace-through the code to
>> figure out what kind of authenticator you are getting. I'm
>> guessing NoLoginAuthenticator is the one, though.
> 
> Thanks for the offer of tracing through the code. If you're really
> interested, here is a starting point: 
> https://github.com/DSpace/DSpace/tree/master/dspace-api/src/main/java/org/dspace/authenticate

Yeah, I'm not looking through that. I was going to look at Tomcat's
source, which should be as far as I'll have to look.

Or, if one of the other committers with more experience with this code
(*cough*markt/kkolinko*cough*) could comment, it would save me a bunch
of time ;)

- -chris

> ________________________________________ From: Christopher Schultz
> [chris@christopherschultz.net] Sent: Wednesday, September 09, 2015
> 3:09 PM To: Tomcat Users List Subject: Re: seeking help with
> stabilizing the persistence of a JSESSIONID
> 
> Hardy,
> 
> On 9/9/15 3:54 PM, Pottinger, Hardy J. wrote:
>> Well... it occurred to me that from time to time we happen to
>> have stack traces show up in our log files due to some error or
>> another, and, I could just *look* at the log files. Sure enough,
>> here's an example of one line of interest (there are many similar
>> ones):
> 
>> at
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
> 
>> Is that enough of a clue?
> 
> Ha ha ha, no unfortunately not: pretty much all of the
> authenticators extend from AuthenticatorBase, so the only thing it
> tells us is that there is at least *some* authenticator.
> 
> If nobody else replies, I'll try to trace-through the code to
> figure out what kind of authenticator you are getting. I'm
> guessing NoLoginAuthenticator is the one, though.
> 
> -chris
> 
>> From: Pottinger, Hardy J. Sent: Wednesday, September 09, 2015
>> 9:35 AM To: Tomcat Users List Subject: RE: seeking help with
>> stabilizing the persistence of a JSESSIONID
> 
>> Hi, thanks for following up! No, no luck at all. The web 
>> application I'm working with is based on Apache Cocoon 2.2, so,
>> no JSPs in sight. I am actually weighing my options, I have a
>> choice to either pursue making the current design work (i.e. try
>> to get the session to stick around long enough so I can use it),
>> or else change the design and go with a more conventional "pass
>> the return URL around as a parameter in the request" approach.
>> I'm leaning towards the latter, as it sidesteps this whole issue
>> we're having with session fixation protection, *and* it deals
>> with a slightly esoteric use case, where a user encounters a
>> password challenge when attempting to view a restricted item,
>> backtracks, then later chooses to log in for some other reason,
>> and is returned to the original restricted item page (because the
>> redirect URL is still in the session).
> 
>> If I do continue to pursue the session route, I'll let you know
>> if I'm able to determine what authentication class ends up in
>> the stack trace.
> 
>> --Hardy ________________________________________ From:
>> Christopher Schultz [chris@christopherschultz.net] Sent:
>> Wednesday, September 09, 2015 8:24 AM To: Tomcat Users List
>> Subject: Re: seeking help with stabilizing the persistence of a
>> JSESSIONID
> 
>> Hardy,
> 
>> On 9/4/15 4:32 PM, Pottinger, Hardy J. wrote:
>>>> Are you using AJP or HTTP as your proxy protocol? If AJP,
>>>> are you using tomcatAuthentication="false" on your
>>>> <Connector>? I'm not exactly sure what happens when you do
>>>> that... you might get a NonLoginAuthenticator.
> 
>>> in our Vhost file, we have this:
> 
>>> <Location "/xmlui">
>>>   ProxyPass ajp://127.0.0.1:8009/xmlui retry=1 keepalive=on
>>>   ProxyPassReverse ajp://127.0.0.1:8009/xmlui
>>>   ShibUseHeaders On
>>>   SetEnv proxy-sendchunked 1
>>> </Location>
> 
>>> in our server.xml file, we have this:
>>>
>>> <!-- Define an AJP 1.3 Connector on port 8009, just on localhost -->
>>> <Connector port="8009" enableLookups="false" redirectPort="8080"
>>>            protocol="AJP/1.3" address="127.0.0.1"
>>>            tomcatAuthentication="false" maxSwallowSize="-1"
>>>            connectionTimeout="1232000" disableUploadTimeout="false"
>>>            connectionUploadTimeout="1232000" URIEncoding="UTF-8"/>
> 
>>> So, we're using tomcatAuthentication="false"
> 
>>> I will try your suggestion of using NonLoginAuthenticator and 
>>> see what I get. If it doesn't work, I'll try your suggestion
>>> of setting a breakpoint and using a debugger to look at the
>>> stack.
> 
>> Any luck?
> 
>> You don't have to use a debugger to get a stack trace: just
>> create a JSP and have it 'throw Exception("getting a stack
>> trace")'.
> 
>> -chris
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
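The thread observes that a stack trace only shows AuthenticatorBase.invoke, so it cannot tell which authenticator subclass (NonLoginAuthenticator was the guess) Tomcat installed for an AJP connector with tomcatAuthentication="false". The servlet below is an added example, not code from the thread, from DSpace or from Tomcat: it lists the Valve MBeans Tomcat registers, which name the concrete valve classes, so a Cocoon-based app with no JSPs can still answer the question. It assumes Servlet 3.0 annotations, Tomcat's usual "Catalina" JMX domain with type=Valve, and a hypothetical path that must be locked down to administrators.

```java
// Added example (not from the thread, DSpace or Tomcat). Lists the valve
// MBeans so the concrete authenticator class in the pipeline can be read
// off a running instance without a JSP or a debugger.
package example.diag;  // hypothetical package

import java.io.IOException;
import java.io.PrintWriter;
import java.lang.management.ManagementFactory;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical path; protect it with a security-constraint or remove it
// after diagnosing, since it exposes container internals.
@WebServlet("/internal/valves")
public class ValveListServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        try {
            // Assumption: Tomcat registers every valve under type=Valve; the
            // other key properties (host, context, name) vary by version,
            // so match on the type alone and print the full name.
            ObjectName pattern = new ObjectName("Catalina:type=Valve,*");
            Set<ObjectName> valves = mbs.queryNames(pattern, null);
            for (ObjectName name : valves) {
                // In Tomcat 7/8 "name" is the valve's simple class name,
                // e.g. NonLoginAuthenticator, and "context" is e.g. /xmlui.
                String cls = name.getKeyProperty("name");
                out.println(name + (cls != null ? "  =>  " + cls : ""));
            }
        } catch (MalformedObjectNameException e) {
            throw new ServletException(e);
        }
    }
}
```

The same list is available without deploying anything via the Tomcat manager's JMX proxy or jconsole, if those are already enabled on the host.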

