--
View this message in context:
http://www.nabble.com/Invoulentary-session-sharing-leakage-in-Wicket-1.3.x-tp16550360p21943432.html
Sent from the Wicket - User mailing list archive at Nabble.com
Or just copy WicketFilter into your source, and fix it there, it'll override
the default. It's a quick fix until the release comes out.
Iman
On Fri, May 16, 2008 at 10:25 AM, Johan Compagner [EMAIL PROTECTED]
wrote:
Or get the snapshot build from or wicketstuff maven repo
On 5/16/08, Erik van
I see a lot of folks recommending this, but nobody confirming this
actually helps.
Martijn
On 5/17/08, Iman Rahmatizadeh [EMAIL PROTECTED] wrote:
Or just copy WicketFilter into your source, and fix it there, it'll override
the default. It's a quick fix until the release comes out.
Iman
The workaround definitely catches some erroneous situations.
Nevertheless, it is a workaround (does not solve the root problem).
2008/5/17 Martijn Dashorst [EMAIL PROTECTED]:
I see a lot of folks recommending this, but nobody confirming this
actually helps.
Martijn
On 5/17/08, Iman
It is not a workaround!
The wicketfilter fix is a real fix for that situation. There is no
root cause or real cause that I need to fix, at least not that I know
of
On 5/17/08, Martin Makundi [EMAIL PROTECTED] wrote:
The workaround definitely catches some erroneous situations.
Nevertheless, it
Ok. I meant the WicketServlet fix. Haven't seen the wicketFilter fix.
Martin
2008/5/17 Johan Compagner [EMAIL PROTECTED]:
It is not a workaround!
The wicketfilter fix is a real fix for that situation. There is no
root cause or real cause that I need to fix, at least not that I know
of
Chris,
If you read the thread carefully you can extract a quick fix. You'll need
it as the core developers argued against a quick bugfix release.
Just checkout Wicket from SVN and apply the patch (2 lines in the Wicket
filter). It's a pain, but if you can not wait...
Regards,
Erik.
Chris
Or get the snapshot build from or wicketstuff maven repo
On 5/16/08, Erik van Oosten [EMAIL PROTECTED] wrote:
Chris,
If you read the thread carefully you can extract a quick fix. You'll need
it as the core developers argued against a quick bugfix release.
Just checkout Wicket from SVN and
Has this fix been confirmed to help? If so, I'm +1 for releasing 1.3.4
Martijn
On 5/16/08, Johan Compagner [EMAIL PROTECTED] wrote:
Or get the snapshot build from or wicketstuff maven repo
On 5/16/08, Erik van Oosten [EMAIL PROTECTED] wrote:
Chris,
If you read the thread carefully
Isn't this problem serious enough to release 1.3.4?
Regards,
Erik.
Johan Compagner wrote:
the only thing we found was the finalize block that could be skipped because
of an exception again in that block
That is fixed in current 1.3.x branch (and 1.4)
--
Erik van Oosten
On 5/5/08, Erik van Oosten [EMAIL PROTECTED] wrote:
Isn't this problem serious enough to release 1.3.4?
The core developers have not found any problems with 1.3.1, 1.3.2,
1.3.3 on their production boxes. There is no evidence this solves the
problem, so IMO there is no need to release 1.3.4
it was really a pretty rare exception
285154 [btpool0-9] ERROR org.mortbay.log - /undefined
java.lang.IllegalStateException: STREAM
at org.mortbay.jetty.Response.getWriter(Response.java:585)
at org.apache.wicket.protocol.http.WebResponse.write(WebResponse.java:355)
at
I'm also experiencing this with jetty. Is everybody else the same ?
Iman
On Mon, May 5, 2008 at 6:09 PM, Johan Compagner [EMAIL PROTECTED]
wrote:
it was really a pretty rare exception
285154 [btpool0-9] ERROR org.mortbay.log - /undefined
java.lang.IllegalStateException: STREAM
at
. This sounds like a doozy of a
bug - show stopper for everyone!
on this issue?
/Gwyn
No, it has not. Johan said he fixed a bug that might have been this problem, but I haven't been able to confirm it yet, as the fix is in
1.3-SNAPSHOT, and I ran into some issues when deploying with the snapshot-version.
I see this problem 10-20 times every day still..
-- Edvin
StephenP wrote:
..
-- Edvin
I hope we see a non snapshot release soon. This sounds like a doozy of a
bug - show stopper for everyone!
Did you try HttpSessionStore?
-Ryan
On Mon, Apr 7, 2008 at 2:00 PM, Edvin Syse [EMAIL PROTECTED] wrote:
is it really the wicket session or a page?
I believe it's the session, but I'm not sure. The hijacker is able to
navigate through all pages as the hijacked user.. And on the top of every
to the thread before the request is processed.
I have only seen it once or twice in our development environment, but it
happens a few times every hour on the production server.
Niels
no idea how those can be jumped over.
johan
Hi,
Is there a jira issue in which the topic is tracked?
Regards,
Erik.
Edvin Syse wrote:
(I wrote this email earlier this evening but forgot to send it it
seems. Here it is:)
When I ran with 1.3.0 I also had 1.3.3 on the classpath. I reverted to
1.3.2 30 minutes ago and still haven't
Erik van Oosten wrote:
Hi,
Is there a jira issue in which the topic is tracked?
No, not yet. I want to be sure that this is a wicket bug first. I have
now confirmed that I get the same behaviour in 1.3.2, and I'm about to
put on some more logging as suggested to try to give you guys more
I have now redeployed with the following log4j ConversionPattern:
%d{ABSOLUTE} %-5p [%c{1}] [%t] %m%n
I've started saving the ip of the user that creates a new session, and
then before returning the current mailuser from the session I do:
public MailUser getCurrentMailuser() {
String
I think I have something... Look at the attached stacktrace. It seems I
get an NPE on the line where I do:
log.error(Session.get().getId() + + Session.get().hashCode() + +
currentIp + C: + currentCustomer != null ?
currentCustomer.getFullName() : nocustomer);
I think that
log.error(Session.get().getId() + + Session.get().hashCode() + +
currentIp + C: + currentCustomer != null ? currentCustomer.getFullName()
: nocustomer);
You should put parens around ?:. The '+' op is evaluated before !=. Your
statement is effectively this:
(C: + currentCustomer)
Matthew Young wrote:
log.error(Session.get().getId() + + Session.get().hashCode() + +
currentIp + C: + currentCustomer != null ? currentCustomer.getFullName()
: nocustomer);
You should put parens around ?:. The '+' op is evaluated before !=. Your
statement is effectively this:
Here goes the other one I think there might be a problem with, since it deals with PageMaps etc, and I'm not all that familiar with them. I
didn't write much of this code, just changed what I needed to get it to work the way I wanted:
/**
* Url coding strategy for pages that encode number
This wasn't it. I found out that IndexedParamUrlCodingStrategy did the same
thing so I changed to that one and still get the error.. sigh...
-- Edvin
Edvin Syse wrote:
Here goes the other one I think there might be a problem with, since it
deals with PageMaps etc, and I'm not all that
The problem is still there and now it is getting serious for my business. Would any of the core committers be willing to look at my
application? I'll pay USD 2500 as a one-time fee for looking at this.. (Or name your hour-price)
-- Edvin
we can look at somehow, but what do you have in mind?
is it something that we can test/debug somehow easily?
johan
On Tue, Apr 8, 2008 at 10:53 PM, Edvin Syse [EMAIL PROTECTED] wrote:
The problem is still there and now it is getting serious for my business.
Would any of the core committers
Hi,
We (Johan and me - wicket committers) can look at your application as
this problem seems to be quite serious. What would be the best way to
get the application running so that we can see it also we would need
to see some source code.
-Matej
On Tue, Apr 8, 2008 at 10:53 PM, Edvin Syse [EMAIL
sorry, this was supposed to go off the list, please don't reply here :)
-Matej
On Tue, Apr 8, 2008 at 11:19 PM, Matej Knopp [EMAIL PROTECTED] wrote:
Hi,
We (Johan and me - wicket committers) can look at your application as
this problem seems to be quite serious. What would be the best way
Today I deployed an application based on Wicket 1.3.3 that has close to 10.000 users. After a couple of hours we started getting reports
from users saying that even upon requesting the login-page, they were already logged in as an arbitrary user.
The users they were logged in as had previously
is it really the wicket session or a page?
On Mon, Apr 7, 2008 at 10:40 PM, Edvin Syse [EMAIL PROTECTED] wrote:
Today I deployed an application based on Wicket 1.3.3 that has close to
10.000 users. After a couple of hours we started getting reports from users
saying that even upon requesting
is it really the wicket session or a page?
I believe it's the session, but I'm not sure. The hijacker is able to navigate through all pages as the hijacked user.. And on the top of
every page there is a logout button and text saying Logout username.
I'm not running in a clustered
can you try with 1.3.1, 1.3.0. would help us isolate where the problem is...
seems kind of strange that you are the only one seeing this though...
-igor
On Mon, Apr 7, 2008 at 1:40 PM, Edvin Syse [EMAIL PROTECTED] wrote:
Today I deployed an application based on Wicket 1.3.3 that has close to
Igor Vaynberg wrote:
can you try with 1.3.1, 1.3.0. would help us isolate where the problem is...
seems kind of strange that you are the only one seeing this though...
I've turned on some logging in MySession:
public MailUser getCurrentMailuser() {
try {
Igor Vaynberg wrote:
can you try with 1.3.1, 1.3.0. would help us isolate where the problem is...
I tried with 1.3.0 as well, still the same problem.
My authorization-strategy is quite involved.. I can't see any immediate
problems, but I'm posting it here just in case:
can you also log the http session id and the hash/id of the WicketSession?
On Mon, Apr 7, 2008 at 11:22 PM, Edvin Syse [EMAIL PROTECTED] wrote:
Igor Vaynberg wrote:
can you try with 1.3.1, 1.3.0. would help us isolate where the problem
is...
seems kind of strange that you are the only
is it by the way that easy to reproduce for you?
you seem to have it pretty quickly when we ask for you if you could test
some other version
if that is the case isn't it somehow reproducible in a smaller test case?
On Mon, Apr 7, 2008 at 11:25 PM, Edvin Syse [EMAIL PROTECTED] wrote:
Igor
Add to that the thread name. This way you can track session usage
across threads.
Martijn
On 4/8/08, Johan Compagner [EMAIL PROTECTED] wrote:
can you also log the http session id and the hash/id of the WicketSession?
On Mon, Apr 7, 2008 at 11:22 PM, Edvin Syse [EMAIL PROTECTED] wrote:
Johan Compagner wrote:
is it by the way that easy to reproduce for you?
you seem to have it pretty quickly when we ask for you if you could test
some other version
Yes, it's easy because I have more than 10.000 users that have to login to this system to check their email, so all I do is
Martijn Dashorst wrote:
Add to that the thread name. This way you can track session usage
across threads.
How do I get the thread name?
-- Edvin
Edvin Syse wrote:
Igor Vaynberg wrote:
can you try with 1.3.1, 1.3.0. would help us isolate where the problem
is...
I tried with 1.3.0 as well, still the same problem.
(I wrote this email earlier this evening but forgot to send it it seems. Here
it is:)
When I ran with 1.3.0 I also had
hm, slf4j supports MDC. don't know if it emulates it for logging impls
that don't support it or not.
here we use logback and have a thing like this:
public class RequestIdLogFilter implements Filter
{
private static final String MDC_REQUEST_ID = "requestId";
private static AtomicInteger
Martijn Dashorst wrote:
What kind of logging system do you use? log4j's pattern logger has %p
I think. If you combine this with start/end logging of your request
(see requestcycle#onbeginrequest/onendrequest) you can log the session
id together with the username. This would make it easier to
In this case he should use both the MDC and a Session id logger.
The MDC session id is used to track the start session id (from the
start of the request), and the other for comparison during the
request.
It is one of the things I'd like to propose for Wicket NG: to set the
MDC with session id
What kind of logging system do you use? log4j's pattern logger has %p
I think. If you combine this with start/end logging of your request
(see requestcycle#onbeginrequest/onendrequest) you can log the session
id together with the username. This would make it easier to track what
is happening in