Dan Smith created GEODE-1728:
--------------------------------
Summary: SessionCachingFilter can create multiple sessions when
requests are forwarded
Key: GEODE-1728
URL: https://issues.apache.org/jira/browse/GEODE-1728
Project: Geode
Issue Type: Bug
Components: http session
Reporter: Dan Smith
Our installer adds this configuration to the users web.xml file for the session
state replication:
{code}
<filter-mapping>
<filter-name>gemfire-session-filter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
{code}
This means that our filter will be applied to all incoming requests, and it
will be applied *again* if the request is forwarded to or includes another
servlet.
We wrap the HttpServletRequest in our own RequestWrapper class. We have some
code that tries to prevent wrapping a request multiple times:
{code}
/**
* Early out if this isn't the right kind of request. We might see a
* RequestWrapper instance during a forward or include request.
*/
if (request instanceof RequestWrapper ||
!(request instanceof HttpServletRequest)) {
LOG.debug("Handling already-wrapped request");
chain.doFilter(request, response);
return;
}
{code}
Unfortunately, this check will not work if there are *other* filters in the
chain that also wrap the HttpServletRequest. That can result in us wrapping the
forwarded request in a new RequestWrapper that will create another session.
We should not add these <dispatcher/> elements to the web.xml; it should be
sufficient for our filter to intercept all requests initially. In addition, we
might want to enhance our check to see if we have already wrapped a request to
follow the chain of wrapped requests deeper. As long as other filters wrap the
request in a subclass of HttpServletRequestWrapper we should be able to unwrap
the request if needed.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
