Fwd: Re: Struts2 login action class seems to be reused


Fwd: Re: Struts2 login action class seems to be reused

Norbert Hirneisen
Hi Prasanth,

Are you sure all your struts1 code is thread safe? I had some similar
problems in a struts1 application. After removing all action class
properties the problem was solved. Struts2 should be thread safe. But
your problem looks to me like a problem with thread safety.

Best regards,

Norbert

science + communication & HaNo Systems

Bonn/Ho-Chi-Minh


Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:

> I was able to replicate the issue today. Asked a few users to keep logging in and ran JMeter to access the login page, without putting in any username or password. Out of the 100 attempts, 2 attempts were
> successful in getting in without username/password. I am seeing database login entries for these two, which would happen only if a valid session is not present and the user has provided username/password.
>
> Thanks,
> Prasanth
>
> On 03/01/2018 02:27 PM, Prasanth wrote:
>> Hi,
>>
>> I have an application which uses both struts1 & struts2. The login action was recently moved to struts2. Immediately after the deployment we were notified that one user is seeing a different user's
>> information, so we had to move to the older war files. I am not able to replicate it. But after investigating the logs it seems like a couple of users were logged in as soon as they requested the login page.
>> For the database entry to happen it has to verify the username and password in the action class, but the fact that there is no POST entry at that time from that IP in my access log makes me believe
>> that the action class somehow already had that information from a prior user.
>>
>> I do have a login filter to check if users are logged in when accessing other pages. In this filter I have the below two lines; we had to do this as we will have requests forwarded from one
>> application to another, and when that happens we are getting a class cast exception for the ActionMapping class and valueStack. Not sure if the behavior is a side effect of having the below lines.
>>
>>              request.setAttribute("struts.actionMapping", new ActionMapping());
>>              request.setAttribute("struts.valueStack", null);
>>
>> We are using Struts 2.3.34 and Wildfly.
>>
>> Appreciate any insights you might have.
>>
>> Thanks,
>> Prasanth
>>
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
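Prasanth's reasoning above rests on correlating two records: the application's login table and the access log. A login recorded for a client that never sent a credential POST, or one session id presented from several client addresses, is the signature of credentials or session state leaking between requests. The checker below is an added example and not code from the thread; the simplified log formats, the /participant/login.action path, the addresses and the session ids are all constructed for illustration.

```python
"""Correlate a login audit trail with an access log to spot logins with no
credential POST and session ids shared across clients (defender-side check)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (simplified): ip timestamp method path status sid
ACCESS_LOG = """\
10.0.0.5 2018-03-02T10:09:01 GET /participant/login.action 200 -
10.0.0.5 2018-03-02T10:09:04 POST /participant/login.action 302 A1B2
10.0.0.5 2018-03-02T10:09:05 GET /participant/home.action 200 A1B2
10.0.0.9 2018-03-02T10:09:07 GET /participant/login.action 302 A1B2
10.0.0.9 2018-03-02T10:09:08 GET /participant/home.action 200 A1B2
"""

# Constructed application audit lines: one per successful credential check.
# The second entry is the leak scenario from the thread: alice's credentials
# were accepted for a client (10.0.0.9) that only ever requested the login page.
LOGIN_AUDIT = """\
2018-03-02T10:09:04 LOGIN user=alice ip=10.0.0.5
2018-03-02T10:09:07 LOGIN user=alice ip=10.0.0.9
"""

ACCESS_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<sid>\S+)$"
)
AUDIT_RE = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_access(text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["sid"] = None if row["sid"] == "-" else row["sid"]
        rows.append(row)
    return rows


def parse_audit(text):
    """Parse login audit lines into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = datetime.fromisoformat(row["ts"])
            rows.append(row)
    return rows


def logins_without_post(access, audit, login_path, window=timedelta(seconds=10)):
    """Audit logins that have no POST to login_path from the same IP within `window` before them."""
    posts = [r for r in access if r["method"] == "POST" and r["path"] == login_path]
    suspicious = []
    for ev in audit:
        matched = any(
            p["ip"] == ev["ip"] and ev["ts"] - window <= p["ts"] <= ev["ts"]
            for p in posts
        )
        if not matched:
            suspicious.append(ev)
    return suspicious


def shared_session_ids(access):
    """Session ids presented from more than one client IP, mapped to those IPs."""
    ips = defaultdict(set)
    for r in access:
        if r["sid"]:
            ips[r["sid"]].add(r["ip"])
    return {sid: s for sid, s in ips.items() if len(s) > 1}


def run_checks(access_text=ACCESS_LOG, audit_text=LOGIN_AUDIT,
               login_path="/participant/login.action"):
    """Run both correlations and return their findings."""
    access = parse_access(access_text)
    audit = parse_audit(audit_text)
    return {
        "logins_without_post": logins_without_post(access, audit, login_path),
        "shared_session_ids": shared_session_ids(access),
    }


if __name__ == "__main__":
    result = run_checks()
    for ev in result["logins_without_post"]:
        print(f"login for {ev['user']} from {ev['ip']} at {ev['ts']} has no credential POST")
    for sid, ips in result["shared_session_ids"].items():
        print(f"session {sid} presented from {sorted(ips)}")
```

On real logs the window and path need tuning, and a session id reported from several IPs is only a lead (proxies and mobile clients also produce it), so treat it as a prompt to pull the full request history for that session.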


Re: Fwd: Re: Struts2 login action class seems to be reused

Prasanth-2
Hi Norbert,

Struts1 actions are thread safe (no instance variables). The login
action has been moved to Struts2 with instance variables for username
and password, and the issue is coming up with this new Struts2 action,
which is used both for displaying the login page and for taking the
username/password when the form is submitted.

Thanks,
Prasanth

On 3/2/2018 5:55 PM, Norbert Hirneisen wrote:

> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe ? I had some similiar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problems looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
>
> Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
>> I was able to replicate the issue today. Asked few users to keep
>> logging in and ran jmeter to access login page, with out putting any
>> username or password. Out of the 100 attempts 2 attempts were
>> successful in getting in with out username/password. I am seeing
>> database login entries for these two. Which would happen only if a
>> valid session is not present and user has provided username/password.
>>
>> Thanks,
>> Prasanth
>>
>> On 03/01/2018 02:27 PM, Prasanth wrote:
>>> Hi,
>>>
>>> I have an application which uses both struts1 & struts2. The login
>>> action was recently moved to struts2. Immediately after the
>>> deployment we were notified that one user is seeing a different user
>>> information, so we had to move to older war files. I am not able to
>>> replicate it. But after investigating the logs it seems like couple
>>> users were logged in as soon as they requested the login page.
>>> For the database entry to happen it has to verify the username and
>>> password in the action class, but the fact that there is no POST
>>> entry at that time from that IP in my access log makes me believe
>>> that the action class some how already had that information from a
>>> prior user.
>>>
>>> I do have a login filter to check if users are logged in when
>>> accessing other pages. In this filter I have the below two lines, we
>>> had to do this as we will have requests forwarded from one
>>> application to another and when that happens we are getting class
>>> cast exception for ActionMapping class and valueStack. Not sure if
>>> the behavior is a side effect of having the below lines.
>>>
>>>              request.setAttribute("struts.actionMapping", new
>>> ActionMapping());
>>>              request.setAttribute("struts.valueStack", null);
>>>
>>> We are using Struts 2.3.34 and Wildfly.
>>>
>>> Appreciate any insights you might have.
>>>
>>> Thanks,
>>> Prasanth
>>>
>>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Re: Struts2 login action class seems to be reused

Martin Gainty
In reply to this post by Norbert Hirneisen
Hi Norbert/Prasanth

Struts2 login action problem has morphed to "Invalid Session State" with Wildfly's implementation of TC 5.5

https://en.wikipedia.org/wiki/WildFly



MG>as a debugging exercise I would dump HTTP Header attributes with

http://livehttpheaders.mozdev.org/



MG>then check JSESSIONID

MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
MG>and corrected with his own StandardManager findSession method
https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/

Yes, there is! I found it and implemented this solution: A class
extending org.apache.catalina.session.StandardManager and overriding
the method public Session findSession(String id) throws IOException -
simply removing quotation marks, if any! Seems to work fine.
Thanks for putting me on the right trail!

MG>assuming your TC has incorrect StandardManager can you update wildfly with a more updated version?
MG>here are versions
https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t


MG>personally I wouldn't muck with TC; I would suggest upgrading wildfly and getting the jboss-web container

hth
martin
______________________________________________




________________________________
From: Norbert Hirneisen <[hidden email]>
Sent: Friday, March 2, 2018 6:55 PM
To: [hidden email]
Subject: Fwd: Re: Struts2 login action class seems to be reused


Re: Struts2 login action class seems to be reused

Prasanth Pasala
Hi Martin,

Thanks for the response. We are using Wildfly 11.0.0 Final. I will try to get the HTTP header dump.

Thanks,
Prasanth


On 05/15/2018 07:44 AM, Martin Gainty wrote:

> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State"with Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> [https://upload.wikimedia.org/wikipedia/commons/thumb/a/a3/Wildfly_logo.png/200px-Wildfly_logo.png]<https://en.wikipedia.org/wiki/WildFly>
>
> WildFly - Wikipedia<https://en.wikipedia.org/wiki/WildFly>
> en.wikipedia.org
> WildFly, formerly known as JBoss AS, or simply JBoss, is an application server authored by JBoss, now developed by Red Hat.WildFly is written in Java and implements the Java Platform, Enterprise Edition (Java EE) specification.
>
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> mozdev.org - livehttpheaders: index<http://livehttpheaders.mozdev.org/>
> livehttpheaders.mozdev.org
> Welcome to the livehttpheaders project.. The goal of this project is to adds information about the HTTP headers in two ways: First by adding a 'Headers' tab in 'View Page Info' of a web page.
>
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
> true<https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t>
> developer.jboss.org
> What version of Apache Tomcat ships with JBoss Application Server JBossAS version Ships with Tomcat Servlet Spec JSP Spec 3.2.3 4.1.29 2.3
>
>
> MG>personally i wouldnt muck with TC i would suggest upgrading wildfly and getting jboss-web container
>
> hth
> martin
> ______________________________________________
>
>
>
>
> ________________________________
> From: Norbert Hirneisen <[hidden email]>
> Sent: Friday, March 2, 2018 6:55 PM
> To: [hidden email]
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe ? I had some similiar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problems looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
>
> Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
>> I was able to replicate the issue today. Asked few users to keep logging in and ran jmeter to access login page, with out putting any username or password. Out of the 100 attempts 2 attempts were
>> successful in getting in with out username/password. I am seeing database login entries for these two. Which would happen only if a valid session is not present and user has provided username/password.
>>
>> Thanks,
>> Prasanth
>>
>> On 03/01/2018 02:27 PM, Prasanth wrote:
>>> Hi,
>>>
>>> I have an application which uses both struts1 & struts2. The login action was recently moved to struts2. Immediately after the deployment we were notified that one user is seeing a different user
>>> information, so we had to move to older war files. I am not able to replicate it. But after investigating the logs it seems like couple users were logged in as soon as they requested the login page.
>>> For the database entry to happen it has to verify the username and password in the action class, but the fact that there is no POST entry at that time from that IP in my access log makes me believe
>>> that the action class some how already had that information from a prior user.
>>>
>>> I do have a login filter to check if users are logged in when accessing other pages. In this filter I have the below two lines, we had to do this as we will have requests forwarded from one
>>> application to another and when that happens we are getting class cast exception for ActionMapping class and valueStack. Not sure if the behavior is a side effect of having the below lines.
>>>
>>>              request.setAttribute("struts.actionMapping", new ActionMapping());
>>>              request.setAttribute("struts.valueStack", null);
>>>
>>> We are using Struts 2.3.34 and Wildfly.
>>>
>>> Appreciate any insights you might have.
>>>
>>> Thanks,
>>> Prasanth
>>>
>>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

Reply | Threaded
Open this post in threaded view
|

Re: Struts2 login action class seems to be reused

Prasanth Pasala
In reply to this post by Martin Gainty
See below the header information when the exception occurred. The strange thing is that JMeter is saying it did not send any cookie (which is what I would expect in this case, as it is just requesting the login page).

Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.xxxxxxxx    (xxxxxx - is the machine name on which wildfly is running)
Connection: keep-alive
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
Host: dev.secure.xxxxxxxxxxx.com:8443
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

10:09:09,150 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) Exception occurred during processing request: UT000010: Session is invalid
ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: UT000010: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ

------------From JMeter---------------------------------------------------
GET https://dev.secure.pangburngroup.com:8443/participant/

GET data:


[no cookies]

Request Headers:
Connection: keep-alive
Host: dev.secure.xxxxxxxxxxx.com:8443
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
------------------------------------------------------------------------------

Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:

> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State"with Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> [https://upload.wikimedia.org/wikipedia/commons/thumb/a/a3/Wildfly_logo.png/200px-Wildfly_logo.png]<https://en.wikipedia.org/wiki/WildFly>
>
> WildFly - Wikipedia<https://en.wikipedia.org/wiki/WildFly>
> en.wikipedia.org
> WildFly, formerly known as JBoss AS, or simply JBoss, is an application server authored by JBoss, now developed by Red Hat.WildFly is written in Java and implements the Java Platform, Enterprise Edition (Java EE) specification.
>
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> mozdev.org - livehttpheaders: index<http://livehttpheaders.mozdev.org/>
> livehttpheaders.mozdev.org
> Welcome to the livehttpheaders project.. The goal of this project is to adds information about the HTTP headers in two ways: First by adding a 'Headers' tab in 'View Page Info' of a web page.
>
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
> true<https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t>
> developer.jboss.org
> What version of Apache Tomcat ships with JBoss Application Server JBossAS version Ships with Tomcat Servlet Spec JSP Spec 3.2.3 4.1.29 2.3
>
>
> MG>personally i wouldnt muck with TC i would suggest upgrading wildfly and getting jboss-web container
>
> hth
> martin
> ______________________________________________
>
>
>
>
> ________________________________
> From: Norbert Hirneisen <[hidden email]>
> Sent: Friday, March 2, 2018 6:55 PM
> To: [hidden email]
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe ? I had some similiar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problems looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
>
> Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
>> I was able to replicate the issue today. Asked few users to keep logging in and ran jmeter to access login page, with out putting any username or password. Out of the 100 attempts 2 attempts were
>> successful in getting in with out username/password. I am seeing database login entries for these two. Which would happen only if a valid session is not present and user has provided username/password.
>>
>> Thanks,
>> Prasanth
>>
>> On 03/01/2018 02:27 PM, Prasanth wrote:
>>> Hi,
>>>
>>> I have an application which uses both struts1 & struts2. The login action was recently moved to struts2. Immediately after the deployment we were notified that one user is seeing a different user
>>> information, so we had to move to older war files. I am not able to replicate it. But after investigating the logs it seems like couple users were logged in as soon as they requested the login page.
>>> For the database entry to happen it has to verify the username and password in the action class, but the fact that there is no POST entry at that time from that IP in my access log makes me believe
>>> that the action class some how already had that information from a prior user.
>>>
>>> I do have a login filter to check if users are logged in when accessing other pages. In this filter I have the below two lines, we had to do this as we will have requests forwarded from one
>>> application to another and when that happens we are getting class cast exception for ActionMapping class and valueStack. Not sure if the behavior is a side effect of having the below lines.
>>>
>>>              request.setAttribute("struts.actionMapping", new ActionMapping());
>>>              request.setAttribute("struts.valueStack", null);
>>>
>>> We are using Struts 2.3.34 and Wildfly.
>>>
>>> Appreciate any insights you might have.
>>>
>>> Thanks,
>>> Prasanth
>>>
>>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

Reply | Threaded
Open this post in threaded view
|

Re: Struts2 login action class seems to be reused

Martin Gainty
8443 indicates secure connection so perhaps a misconfig with wildfly standalone.xml (see below)

<servlet-container name="pasala">
 <session-cookie http-only="true" secure="true"/> <!-- enable secure cookies with secure = true -->

 <jsp-config/>
</servlet-container>


https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration

?

can you ping wildfly userlist ?
https://developer.jboss.org/en/wildfly


Jaikiran is a good resource that I met on a different userlist..I would definitely ping him
stay in touch/let me know if setting session-cookie in standalone.xml works

M-
NB: I once contracted to the company that bought wildfly..we had to figure configuration by ourselves

________________________________
From: Prasanth Pasala <[hidden email]>
Sent: Tuesday, May 15, 2018 11:42 AM
To: [hidden email]
Subject: Re: Struts2 login action class seems to be reused


Re: Struts2 login action class seems to be reused

Jaikiran Pai
I don't have enough context of this discussion, but looking briefly at
this, it looks like you are using Apache HTTP client (probably with
pooled connections) and it seems like a connection reuse for a
subsequent login request is sending a Cookie with the request (when it
shouldn't?).


If that's the case, then it looks like the Apache HTTP client's auto
Cookie management is coming into the picture, where it "auto attaches" the
Cookie, obtained from a previous response on that connection, to the new
request on that reused connection. Apache HTTP client allows you to
configure this behaviour by setting a cookie policy. I guess
you probably want to use the "ignoreCookies" policy in your case, since
you want to manage setting the Cookie on the requests yourself. The
Apache HTTP client documentation[1] has more information. Something like:


         import org.apache.http.client.config.CookieSpecs;
         import org.apache.http.client.config.RequestConfig;
         import org.apache.http.impl.client.HttpClientBuilder;
         import org.apache.http.impl.client.HttpClients;

         // HttpClients.custom() is the standard factory for an HttpClientBuilder
         final HttpClientBuilder httpClientBuilder = HttpClients.custom();
         final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom();
         // ... other request settings ...
         // Do not carry cookies from earlier responses over to later requests on a reused connection
         requestConfigBuilder.setCookieSpec(CookieSpecs.IGNORE_COOKIES);
         // ... other client settings ...
         httpClientBuilder.setDefaultRequestConfig(requestConfigBuilder.build());


[1] For the 3.x version (I couldn't find one for 4.x, which you seem to be
using) https://hc.apache.org/httpclient-3.x/cookies.html

[2]
https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html


-Jaikiran


On 16/05/18 2:33 AM, Martin Gainty wrote:

>
> 8443 indicates secure connection so perhaps a misconfig with
> wildfly standalone.xml (see below)
>
> <servlet-container name="pasala">
>  <session-cookie http-only="true" secure="true"/> <!-- enable secure
> cookies with secure = true -->
>
>  <jsp-config/>
> </servlet-container>
>
> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>
> can you ping wildfly userlist ?
> https://developer.jboss.org/en/wildfly
>
>
> Jaikiran is a good resource that I met on a different userlist.. I
> would definitely ping him.
> Stay in touch / let me know if setting session-cookie in standalone.xml
> works.
>
> M-
> NB: I once contracted to the company that bought wildfly.. we had to
> figure out the configuration by ourselves
>
> ------------------------------------------------------------------------
> *From:* Prasanth Pasala <[hidden email]>
> *Sent:* Tuesday, May 15, 2018 11:42 AM
> *To:* [hidden email]
> *Subject:* Re: Struts2 login action class seems to be reused
> See below the header information when the exception occurred. The strange
> thing is JMeter is saying it did not send any cookie (which is what I
> would expect in this case as it is just requesting the login
> page)
>
> Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.xxxxxxxx
> (xxxxxx - is the machine name on which wildfly is running)
> Connection: keep-alive
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> Host: dev.secure.xxxxxxxxxxx.com:8443
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
> 10:09:09,150 ERROR
> [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default
> task-20) Exception occurred during processing request: UT000010:
> Session is invalid
> ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ:
> java.lang.IllegalStateException: UT000010: Session is invalid
> ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ
>
> ------------From JMeter---------------------------------------------------
> GET https://dev.secure.pangburngroup.com:8443/participant/
>
> GET data:
>
>
> [no cookies]
>
> Request Headers:
> Connection: keep-alive
> Host: dev.secure.xxxxxxxxxxx.com:8443
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> ------------------------------------------------------------------------------
>
> Thanks,
> Prasanth
>
> On 05/15/2018 07:44 AM, Martin Gainty wrote:
> > Hi Norbert/Prasanth
> >
> > Struts2 login action problem has morphed to "Invalid Session
> > State" with Wildfly's implementation of TC 5.5
> >
> > https://en.wikipedia.org/wiki/WildFly
> >
> >
> > MG>as a debugging exercise I would dump HTTP Header attributes with
> >
> > http://livehttpheaders.mozdev.org/
> >
> >
> > MG>then check JSESSIONID
> >
> > MG>a fellow named "Thomas" had a similar problem with incorrect
> JSESSIONID
> > MG>and corrected with his own StandardManager findSession method
> >
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
> >
> > Yes, there is! I found it and implemented this solution: A class
> > extending org.apache.catalina.session.StandardManager and overriding
> > the method public Session findSession(String id) throws IOException -
> > simply removing quotation marks, if any! Seems to work fine.
> > Thanks for putting me on the right trail!
> >
> > MG>assuming your TC has incorrect StandardManager can you update
> wildfly with a more updated version?
> > MG>here are versions
> > https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
> >
> >
> > MG>personally I wouldn't muck with TC; I would suggest upgrading
> > wildfly and getting the jboss-web container
> >
> > hth
> > martin
> > ______________________________________________
> >
> >
> >
> >
> > ________________________________
> > From: Norbert Hirneisen <[hidden email]>
> > Sent: Friday, March 2, 2018 6:55 PM
> > To: [hidden email]
> > Subject: Fwd: Re: Struts2 login action class seems to be reused
> >
> > Hi Prasanth,
> >
> > are you sure all your struts1 code is thread safe? I had some similar
> > problems in a struts1 application. After removing all action class
> > properties the problem was solved. Struts2 should be thread safe. But
> > your problem looks to me like a problem with thread safety.
> >
> > Best regards,
> >
> > Norbert
> >
> > science + communication & HaNo Systems
> >
> > Bonn/Ho-Chi-Minh
> >
> >
> > Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
> >> I was able to replicate the issue today. Asked a few users to keep
> >> logging in and ran jmeter to access the login page, without putting in any
> >> username or password. Out of the 100 attempts, 2 attempts were
> >> successful in getting in without username/password. I am seeing
> >> database login entries for these two, which would happen only if a
> >> valid session is not present and the user has provided username/password.
> >>
> >> Thanks,
> >> Prasanth
> >>
> >> On 03/01/2018 02:27 PM, Prasanth wrote:
> >>> Hi,
> >>>
> >>> I have an application which uses both struts1 & struts2. The login
> >>> action was recently moved to struts2. Immediately after the deployment
> >>> we were notified that one user is seeing a different user's
> >>> information, so we had to move to the older war files. I am not able
> >>> to replicate it. But after investigating the logs it seems like a couple of
> >>> users were logged in as soon as they requested the login page.
> >>> For the database entry to happen it has to verify the username and
> >>> password in the action class, but the fact that there is no POST entry
> >>> at that time from that IP in my access log makes me believe
> >>> that the action class somehow already had that information from a
> >>> prior user.
> >>>
> >>> I do have a login filter to check if users are logged in when
> >>> accessing other pages. In this filter I have the below two lines; we
> >>> had to do this as we will have requests forwarded from one
> >>> application to another, and when that happens we are getting a class
> >>> cast exception for the ActionMapping class and valueStack. Not sure if the
> >>> behavior is a side effect of having the below lines.
> >>>
> >>> request.setAttribute("struts.actionMapping", new ActionMapping());
> >>> request.setAttribute("struts.valueStack", null);
> >>>
> >>> We are using Struts 2.3.34 and Wildfly.
> >>>
> >>> Appreciate any insights you might have.
> >>>
> >>> Thanks,
> >>> Prasanth
> >>>
> >>>
> >
> >
> >
>
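
Jaikiran's snippet above gives the two builder calls. As an added example, not code from this thread and not from Apache HttpClient's own documentation, here is a complete HttpClient 4.5 client configured that way, with the session cookie attached explicitly only on requests that are meant to carry one and nothing at all on the login-page request (the class name, the path and the base URL are assumptions):

```java
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Added example (not from the thread): an HttpClient 4.5 client that never
// attaches stored cookies on its own, so a pooled connection reused for a
// later request cannot carry a JSESSIONID from an earlier exchange.
public final class NoAutoCookieClient {

    public static CloseableHttpClient build() {
        RequestConfig config = RequestConfig.custom()
                .setCookieSpec(CookieSpecs.IGNORE_COOKIES) // no automatic Cookie header
                .build();
        return HttpClients.custom()
                .setDefaultRequestConfig(config)
                .disableCookieManagement()                  // also drops the default CookieStore
                .build();
    }

    // The login page must be requested anonymously: no Cookie header at all,
    // which is what the JMeter run in the thread expected to send.
    public static HttpGet loginPage(String baseUrl) {
        return new HttpGet(baseUrl + "/participant/");      // path assumed from the thread
    }

    // Requests that belong to an established session carry the id explicitly;
    // the client adds nothing by itself, so the header is fully under our control.
    public static HttpGet withSession(String baseUrl, String path, String jsessionId) {
        HttpGet get = new HttpGet(baseUrl + path);
        get.setHeader("Cookie", "JSESSIONID=" + jsessionId);
        return get;
    }

    public static void main(String[] args) throws Exception {
        String baseUrl = "https://dev.secure.example.com:8443";   // constructed placeholder
        try (CloseableHttpClient client = build()) {
            client.execute(loginPage(baseUrl)).close();          // anonymous, no cookie
        }
    }

    private NoAutoCookieClient() {}
}
```

`disableCookieManagement()` removes the client's cookie store entirely, so even a `Set-Cookie` received on one request of the pool has nowhere to be kept; `IGNORE_COOKIES` alone stops the automatic attach but is worth combining with it, since a test driver that sees a `Cookie` header it did not set has lost the ability to tell client-side reuse from a server-side session problem.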


Re: Struts2 login action class seems to be reused

Prasanth Pasala
We have two applications (websites). To make it easier for users, we have a third site that acts as a common login place. Once the user enters the username and password it determines the right site to use and does a forward to that context (the applications are hosted on the same host).

When using struts1 everything was fine. When we moved to struts2 we started getting crossed logins: when a user gets to the login page, the action would get populated with a username and password used by some other user. This happens only if a request with this information is forwarded from one context to another.

With some help from the struts mailing list it was determined that somehow old actions are in the stack, and if we remove the get methods struts2 would not be able to pull that data and put it in the current value stack. So we did that, and when we started testing we are getting session invalid exceptions. Again this happens only if there are users logging in on context1 and that request is forwarded to context2. If the login activity is done directly in context2 the issue does not arise.

Thanks
Prasanth

On May 15, 2018 8:45:25 PM CDT, Jaikiran Pai <[hidden email]> wrote:


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Struts2 login action class seems to be reused

Yasser Zamani-2


On 5/16/2018 6:59 AM, Prasanth Pasala wrote:
> We have two applications (websites). To make it easier for users, we have a third site that acts as a common login place. Once the user enters the username and password it determines the right site to use and does a forward to that context (the applications are hosted on the same host).
>
> When using struts1 everything was fine. When we moved to struts2 we started getting crossed logins: when a user gets to the login page, the action would get populated with a username and password used by some other user. This happens only if a request with this information is forwarded from one context to another.
>
> With some help from the struts mailing list it was determined that somehow old actions are in the stack, and if we remove the get methods struts2 would not be able to pull that data and put it in the current value stack. So we did that, and when we started testing we are getting session invalid exceptions. Again this happens only if there are users logging in on context1 and that request is forwarded to context2. If the login activity is done directly in context2 the issue does not arise.

Could you post the complete stack trace of the invalid session exception? I
think knowing where and why it tries to access the session may help.

Regards.


Re: Struts2 login action class seems to be reused

Prasanth Pasala
Below is a complete stack trace.

 Exception: java.lang.IllegalStateException: UT000010: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
    at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
    at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
    at com.xxxxxx.xxxxxx.LoginAction.execute(LoginAction.java:76)
    at sun.reflect.GeneratedMethodAccessor147.invoke(null:-1)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:897)
    at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1299)
    at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
    at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethodWithDebugInfo(XWorkMethodAccessor.java:117)
    at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethod(XWorkMethodAccessor.java:108)
    at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:1375)
    at ognl.ASTMethod.getValueBody(ASTMethod.java:91)
    at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
    at ognl.SimpleNode.getValue(SimpleNode.java:258)
    at ognl.Ognl.getValue(Ognl.java:470)
    at ognl.Ognl.getValue(Ognl.java:434)
    at com.opensymphony.xwork2.ognl.OgnlUtil$3.execute(OgnlUtil.java:362)
    at com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecuteMethod(OgnlUtil.java:414)
    at com.opensymphony.xwork2.ognl.OgnlUtil.callMethod(OgnlUtil.java:360)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:430)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:290)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.DeprecationInterceptor.intercept(DeprecationInterceptor.java:41)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:256)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:168)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:265)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:76)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:191)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:73)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:125)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:253)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:140)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
    at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:575)
    at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)
    at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at com.xxxxxx.xxxxxx.LoginFilter.doFilter(LoginFilter.java:52)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
    at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
    at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:722)
    at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:695)
    at org.apache.jsp.index_jsp._jspService(index_jsp.java:107)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:403)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:347)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.jsp.JspFileHandler.handleRequest(JspFileHandler.java:32)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624



On 05/16/2018 12:44 AM, Yasser Zamani wrote:

>
> On 5/16/2018 6:59 AM, Prasanth Pasala wrote:
>> We have two applications (websites); to make it easier for users, we have a third site that acts as a common login place. Once the user enters the username and password it determines the right site to use and does a forward to that context (applications hosted on the same host).
>>
>> When using struts1 everything was fine. When we moved to struts2 we started getting crossed logins. When a user gets to the login page the action would get populated with a username and password used by some other user. This happens only if a request with this information is forwarded from one context to another.
>>
>> With some help from the struts mailing list it was determined that somehow old actions are in the stack, and that if we remove get methods struts2 would not be able to pull that data and put it in the current value stack. So we did that, and when we started testing we started getting session invalid exceptions. Again this happens only if there are users logging in to context1 and that request is forwarded to context2. If the login activity is done directly in context2 the issue does not arise.
> Could you post the complete stacktrace of the invalid session exception? I
> think knowing where and why it tries to access the session may help.
>
> Regards.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


Re: Struts2 login action class seems to be reused

Prasanth-2
In reply to this post by Martin Gainty
Martin,

We have the cookie config in the application.

         <session-config>
             <session-timeout>20</session-timeout>
             <cookie-config>
                 <path>/</path>
                 <http-only>true</http-only>
                 <secure>true</secure>
             </cookie-config>
         </session-config>

Thanks,
Prasanth

On 05/15/2018 04:03 PM, Martin Gainty wrote:

>
> 8443 indicates secure connection so perhaps a misconfig with wildfly standalone.xml (see below)
>
> <servlet-container name="pasala">
>  <session-cookie http-only="true" secure="true"/> <!-- enable secure cookies with secure = true -->
>
>  <jsp-config/>
> </servlet-container>
>
> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>
> can you ping wildfly userlist ?
> https://developer.jboss.org/en/wildfly
>
>
> jaikiran is a good resource that I met on a different userlist; I would definitely ping him.
> Stay in touch / let me know if setting session-cookie in standalone.xml works.
>
> M-
> NB: I once contracted to the company that bought wildfly..we had to figure configuration by ourselves
>
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *From:* Prasanth Pasala <[hidden email]>
> *Sent:* Tuesday, May 15, 2018 11:42 AM
> *To:* [hidden email]
> *Subject:* Re: Struts2 login action class seems to be reused
>  
> See below the header information when the exception occurred. The strange thing is JMeter is saying it did not send any cookie (which is what I would expect in this case, as it is just requesting the login
> page).
>
> Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.xxxxxxxx    (xxxxxx - is the machine name on which wildfly is running)
> Connection: keep-alive
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> Host: dev.secure.xxxxxxxxxxx.com:8443
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
> 10:09:09,150 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) Exception occurred during processing request: UT000010: Session is invalid
> ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: UT000010: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ
>
> ------------From JMeter---------------------------------------------------
> GET https://dev.secure.pangburngroup.com:8443/participant/
>
> GET data:
>
>
> [no cookies]
>
> Request Headers:
> Connection: keep-alive
> Host: dev.secure.xxxxxxxxxxx.com:8443
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> ------------------------------------------------------------------------------
>
> Thanks,
> Prasanth
>
> On 05/15/2018 07:44 AM, Martin Gainty wrote:
> > Hi Norbert/Prasanth
> >
> > The Struts2 login action problem has morphed to "Invalid Session State" with Wildfly's implementation of TC 5.5
> >
> > https://en.wikipedia.org/wiki/WildFly
> >
> >
> > MG>as a debugging exercise I would dump HTTP Header attributes with
> >
> > http://livehttpheaders.mozdev.org/
> >
> >
> > MG>then check JSESSIONID
> >
> > MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> > MG>and corrected with his own StandardManager findSession method
> > https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
> >
> > Yes, there is! I found it and implemented this solution: A class
> > extending org.apache.catalina.session.StandardManager and overriding
> > the method public Session findSession(String id) throws IOException -
> > simply removing quotation marks, if any! Seems to work fine.
> > Thanks for putting me on the right trail!
> >
> > MG>assuming your TC has incorrect StandardManager can you update wildfly with a more updated version?
> > MG>here are versions
> > https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
> >
> >
> > MG>personally i wouldnt muck with TC i would suggest upgrading wildfly and getting jboss-web container
> >
> > hth
> > martin
> > ______________________________________________
> >
> >
> >
> >
> > ________________________________
> > From: Norbert Hirneisen <[hidden email]>
> > Sent: Friday, March 2, 2018 6:55 PM
> > To: [hidden email]
> > Subject: Fwd: Re: Struts2 login action class seems to be reused
> >
> > Hi Prasanth,
> >
> > are you sure all your struts1 code is thread safe ? I had some similiar
> > problems in a struts1 application. After removing all action class
> > properties the problem was solved. Struts2 should be thread safe. But
> > your problems looks to me like a problem with thread safety.
> >
> > Best regards,
> >
> > Norbert
> >
> > science + communication & HaNo Systems
> >
> > Bonn/Ho-Chi-Minh
> >
> >
> > Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
> >> I was able to replicate the issue today. Asked few users to keep logging in and ran jmeter to access login page, with out putting any username or password. Out of the 100 attempts 2 attempts were
> >> successful in getting in with out username/password. I am seeing database login entries for these two. Which would happen only if a valid session is not present and user has provided
> username/password.
> >>
> >> Thanks,
> >> Prasanth
> >>
> >> On 03/01/2018 02:27 PM, Prasanth wrote:
> >>> Hi,
> >>>
> >>> I have an application which uses both struts1 & struts2. The login action was recently moved to struts2. Immediately after the deployment we were notified that one user is seeing a different user
> >>> information, so we had to move to older war files. I am not able to replicate it. But after investigating the logs it seems like couple users were logged in as soon as they requested the login page.
> >>> For the database entry to happen it has to verify the username and password in the action class, but the fact that there is no POST entry at that time from that IP in my access log makes me believe
> >>> that the action class some how already had that information from a prior user.
> >>>
> >>> I do have a login filter to check if users are logged in when accessing other pages. In this filter I have the below two lines, we had to do this as we will have requests forwarded from one
> >>> application to another and when that happens we are getting class cast exception for ActionMapping class and valueStack. Not sure if the behavior is a side effect of having the below lines.
> >>>
> >>>              request.setAttribute("struts.actionMapping", new ActionMapping());
> >>>              request.setAttribute("struts.valueStack", null);
> >>>
> >>> We are using Struts 2.3.34 and Wildfly.
> >>>
> >>> Appreciate any insights you might have.
> >>>
> >>> Thanks,
> >>> Prasanth
> >>>
> >>>
> >
> >
> >
>

Re: Struts2 login action class seems to be reused

Yasser Zamani-2
In reply to this post by Prasanth Pasala


On 5/16/2018 7:23 PM, Prasanth Pasala wrote:
>  Exception: java.lang.IllegalStateException: UT000010: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
>     at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481
>     at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122
>     at com.xxxxxx.xxxxxx.LoginAction.execute(LoginAction.java:76

Could you see if "Best Practices: Cross-Context Dispatching and Session
Handling" [1] fixes your issue? However, it's about Servlets not Struts.

Regards.

[1] http://satworks.blogspot.com/2011/07/best-practices-cross-context.html

Re: Struts2 login action class seems to be reused

Prasanth-2
We use / as the cookie path, which allows the session to be shared between context1 and context2. The JSESSIONID also remains the same when the request is forwarded.

Martin asked me if the action is session aware. It was not implementing the SessionAware interface even though the session was accessed (using request.getSession()). This is an artifact of code from struts1; that
part of the code did not change when we moved the action to struts2. So I decided to change it and use the session map provided by struts2. Once I added SessionAware I am not able to reproduce the
session invalid exception; I did not have a problem reproducing the issue before. Is this expected?

Thanks,
Prasanth


Re: Struts2 login action class seems to be reused

Prasanth-2
Another update: the LoginAction in Context2 had the below methods, two methods to set the request. Maybe I implemented RequestAware and then realized it should be ServletRequestAware and did not
delete the setRequest method. I think having the setRequest method is the culprit for the invalid session exception. I have gone back and forth, and when I have this method I can reproduce the error and when
I remove this method I don't get the error.

While implementing SessionAware I removed this additional method also, so it worked, but I was thinking that the SessionAware implementation solved the issue.

Any insights as to why this additional setRequest method causes the problem? Would struts2 call this setRequest method even if the class is implementing just ServletRequestAware?

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    /**
     * @return the request
     */
    public HttpServletRequest getRequest() {
        return this.request;
    }

    /**
     * @param aRequest the request to set
     */
    public void setRequest(HttpServletRequest aRequest) {
        this.request = aRequest;
    }

Thanks,
Prasanth


Re: Struts2 login action class seems to be reused

Yasser Zamani-2


On 5/16/2018 11:51 PM, Prasanth wrote:
> Would struts2 call this setRequest method even if the class is implementing just ServletRequestAware?

No. Additionally, the Struts RequestAware method signature is
setRequest(Map<String,Object> request); i.e. its parameter is a Map, not a
ServletRequest.

> Any insights as to why this additional setRequest method causes the problem?

Yes. It's the same as your issue with the username/password copied from the previous
action. Your previous action is in the value stack (I don't know why! see
[1]). ChainingInterceptor thinks it's a chain result, so it calls
getRequest on the previous action and then calls setRequest on your current
action with the returned value (i.e. it copies this value from the previous action
and overrides the private request field inside your action).

You can also fix this by removing the getRequest method, which prevents
ChainingInterceptor from copying it.

But you may encounter several similar issues when you have both setX and
getX methods on your actions.

[1] So, as I mentioned before, could you please rewrite all of your
FORWARDs with Struts ServletRedirect or PostBack results (and also revert
all removed getter methods)? This shows us whether FORWARDs are the root
cause of these issues or not. Then we can investigate other
possible causes further.

Regards.

Re: Struts2 login action class seems to be reused

Prasanth-2
The forward happens only to LoginAction. In some cases a PostBack will work, but in cases where we have given the end user a choice of applications PostBack will not work, as the browser has to post back
the 1st request information rather than the second request information.

Agreed; I guess we have to make sure we don't have any get methods in the second application's LoginAction to avoid similar issues.

We have removed the getUsername, getPassword and getAction methods, which has stopped the issue of having login credentials in the LoginAction when those are not submitted by the user. Now I have removed the
setRequest method (not getRequest) and that seems to solve the session invalid exception. Maybe I can remove the getRequest also, as this is not really needed. We have one more get method, getMessage,
which is used to display error messages on the login page. We probably need to keep it, but it should not cause any issues as this data does not change site behavior; still, I might set this to empty at the
start of execute (effectively clearing it, if it is set from an old action).

Thanks,
Prasanth

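As an added illustration of the mechanism Yasser describes (ChainingInterceptor pairing getX() on the stale action with setX() on the new one) and of the mitigation Prasanth settles on (removing the credential getters and resetting the message at the start of execute), here is a plain-Java stand-in. It is not Struts source and not code from anyone in this thread. Struts performs the copy through its OGNL-based reflection provider; the reflection loop below (copyMatchingProperties) is a deliberate simplification that reproduces the same getter-to-setter effect. The class names LeakyLoginAction and HardenedLoginAction, the sample credentials, and the execute() body are all constructed for the demonstration.

```java
import java.lang.reflect.Method;

/*
 * Added illustration (not Struts source, not the thread's code): a stand-in
 * for the chain copy that moves properties from the action already on the
 * value stack into the newly created action.
 */
public class ChainingCopyDemo {

    /** Login action as first deployed: a getter and setter for every field. */
    public static class LeakyLoginAction {
        private String username;
        private String password;
        private String message;

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
        public String getMessage() { return message; }
        public void setMessage(String message) { this.message = message; }

        public boolean hasCredentials() { return username != null && password != null; }
    }

    /**
     * Hardened variant: setters stay so submitted form parameters can still be
     * bound, but the credential getters are gone, so a stale copy of this action
     * on the stack exposes nothing for the chain copy to read. getMessage() is
     * kept for the JSP and reset at the start of execute().
     */
    public static class HardenedLoginAction {
        private String username;
        private String password;
        private String message;

        public void setUsername(String username) { this.username = username; }
        public void setPassword(String password) { this.password = password; }
        public String getMessage() { return message; }
        public void setMessage(String message) { this.message = message; }

        public boolean hasCredentials() { return username != null && password != null; }

        public String execute() {
            message = null;                 // discard anything copied from an old action
            if (!hasCredentials()) {
                message = "Please enter username and password";
                return "input";
            }
            return "success";               // real credential check omitted in this demo
        }
    }

    /** Simplified chain copy: every getX() on 'from' feeds a matching setX() on 'to'. */
    public static int copyMatchingProperties(Object from, Object to) {
        int copied = 0;
        for (Method getter : from.getClass().getMethods()) {
            String name = getter.getName();
            if (!name.startsWith("get") || getter.getParameterCount() != 0
                    || getter.getDeclaringClass() == Object.class) {
                continue;                   // skips getClass() and non-getters
            }
            String setterName = "set" + name.substring(3);
            for (Method setter : to.getClass().getMethods()) {
                if (setter.getName().equals(setterName) && setter.getParameterCount() == 1
                        && setter.getParameterTypes()[0].isAssignableFrom(getter.getReturnType())) {
                    try {
                        Object value = getter.invoke(from);
                        if (value != null) {
                            setter.invoke(to, value);
                            copied++;
                        }
                    } catch (ReflectiveOperationException e) {
                        throw new IllegalStateException(e);
                    }
                }
            }
        }
        return copied;
    }

    public static void main(String[] args) {
        // Constructed sample: a previous user's action still sitting on the stack.
        LeakyLoginAction stale = new LeakyLoginAction();
        stale.setUsername("alice");
        stale.setPassword("constructed-sample-password");
        LeakyLoginAction fresh = new LeakyLoginAction();      // next user's GET of the login page
        int n = copyMatchingProperties(stale, fresh);
        System.out.println("leaky: copied " + n + " properties, credentials present = "
                + fresh.hasCredentials());                      // 2 copied, true: crossed login

        HardenedLoginAction staleH = new HardenedLoginAction();
        staleH.setUsername("alice");
        staleH.setPassword("constructed-sample-password");
        staleH.setMessage("Invalid login");
        HardenedLoginAction freshH = new HardenedLoginAction();
        n = copyMatchingProperties(staleH, freshH);
        System.out.println("hardened: copied " + n + " properties, credentials present = "
                + freshH.hasCredentials() + ", result = " + freshH.execute());
        // only 'message' is copied, and execute() clears it before doing anything
    }
}
```

Running main shows the leaky variant holding another user's credentials before any form was submitted, which is the crossed-login symptom from the start of the thread, while the hardened variant receives only the stale message and drops it. The defensive rule this makes concrete: an action whose fields are bound from request parameters should not also expose those fields through public getters unless the view genuinely needs them, and any state the view does need should be reset at the start of execute() so nothing carried over from an earlier action on the stack influences the current request.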