Re: Struts2 login action class seems to be reused

2018-05-15 Thread Yasser Zamani


On 5/16/2018 6:59 AM, Prasanth Pasala wrote:
> We have two applications (websites) to make it easier for users we have a 
> third site that acts as a common login place. Once the user enters the 
> username and password it determines the right site to use and does a forward 
> to that context (applications hosted in the same host).
> 
> When using struts1 everything was fine. When we moved to struts2 we started 
> getting crossed logins. When a user gets to login page the action would get 
> populated with a username and password used by some other user. This happens 
> only if a request with this information is forwarded from one context to 
> another.
> 
> With some help from struts mailing list it was determined that some how old 
> actions are in the stack and if we remove get methods struts2 would not be 
> able to pull that data and put in the current value stack. So we did it and 
> when we started testing we are getting session invalid exceptions. Again this 
> happens only if there are users logging in context1 and that request is 
> forwarded to context2. If the login activity is done directly in context2 the 
> issue does not arise.

Could you post the complete stacktrace of the invalid session exception? I
think knowing where and why it tries to access the session may help.

Regards.


Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
We have two applications (websites). To make it easier for users we have a third 
site that acts as a common login place. Once the user enters the username and 
password it determines the right site to use and does a forward to that context 
(applications hosted on the same host).

When using struts1 everything was fine. When we moved to struts2 we started 
getting crossed logins. When a user gets to the login page, the action would get 
populated with a username and password used by some other user. This happens 
only if a request with this information is forwarded from one context to 
another.

With some help from the struts mailing list it was determined that somehow old 
actions are in the stack and if we remove get methods struts2 would not be able 
to pull that data and put it in the current value stack. So we did it, and when we 
started testing we started getting session invalid exceptions. Again this happens 
only if there are users logging in to context1 and that request is forwarded to 
context2. If the login activity is done directly in context2 the issue does not 
arise.

Thanks
Prasanth

On May 15, 2018 8:45:25 PM CDT, Jaikiran Pai  wrote:

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Jaikiran Pai
I don't have enough context of this discussion, but looking briefly at 
this, it looks like you are using Apache HTTP client (probably with 
pooled connections) and it seems like a connection reuse for a 
subsequent login request is sending a Cookie with the request (when it 
shouldn't?).



If that's the case, then it looks like the Apache HTTP client's auto 
Cookie management is coming into picture where it "auto attaches" the 
Cookie, obtained from a previous response on that connection, to the new 
request on that reused connection. Apache HTTP client allows you to 
configure this behaviour by setting a cookie policy management. I guess 
you probably want to use the "ignoreCookies" policy in your case, since 
you want to manage setting the Cookie to the requests yourself. The 
Apache HTTP client documentation[1] has more information. Something like:



        final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
        final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom();
        ...
        requestConfigBuilder.setCookieSpec(org.apache.http.client.config.CookieSpecs.IGNORE_COOKIES);
        ...
        httpClientBuilder.setDefaultRequestConfig(requestConfigBuilder.build());


[1] For 3.x version (I couldn't find one for 4.x which you seem to be 
using) https://hc.apache.org/httpclient-3.x/cookies.html


[2] 
https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html



-Jaikiran


On 16/05/18 2:33 AM, Martin Gainty wrote:


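Jaikiran's suggestion above, worked through as an added example (my code, not Jaikiran's snippet, and not part of JMeter or the application under discussion): an HttpClient 4.5 client with a pooled connection manager whose cookie handling is switched off entirely, so that nothing from an earlier response is replayed on a later request, and the caller sets the Cookie header explicitly only when it has a session to present. The host name and the helper names build and get are placeholders.

```java
import java.io.IOException;

import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

public class IgnoreCookiesClient {

    /** Builds a pooled client that neither stores nor auto-attaches cookies. */
    public static CloseableHttpClient build() {
        // IGNORE_COOKIES: Set-Cookie headers from responses are not parsed or stored,
        // and no Cookie header is added to outgoing requests by the client itself.
        RequestConfig noCookies = RequestConfig.custom()
                .setCookieSpec(CookieSpecs.IGNORE_COOKIES)
                .build();

        // Connection reuse is what made the symptom visible; keep the pool so the
        // example exercises the same code path.
        PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
        pool.setMaxTotal(20);

        return HttpClientBuilder.create()
                .setConnectionManager(pool)
                .setDefaultRequestConfig(noCookies)
                // also removes the request/response cookie interceptors, so the
                // policy cannot be bypassed by a per-request RequestConfig
                .disableCookieManagement()
                .build();
    }

    /**
     * Fetches url and returns the HTTP status. A Cookie header is sent only when the
     * caller supplies a session id; nothing is carried over from earlier exchanges.
     */
    public static int get(CloseableHttpClient client, String url, String jsessionId)
            throws IOException {
        HttpGet request = new HttpGet(url);
        if (jsessionId != null) {
            request.setHeader("Cookie", "JSESSIONID=" + jsessionId);
        }
        try (CloseableHttpResponse response = client.execute(request)) {
            return response.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws IOException {
        // placeholder host; the real one is not part of this example
        String loginPage = "https://dev.secure.example.com:8443/participant/";
        try (CloseableHttpClient client = build()) {
            // first request: no session yet, so no Cookie header at all
            System.out.println("first request:  HTTP " + get(client, loginPage, null));
            // second request, very likely on a reused pooled connection: still no
            // Cookie header, because nothing from the first response was retained
            System.out.println("second request: HTTP " + get(client, loginPage, null));
        }
    }
}
```

With this configuration a JSESSIONID reaches the server only if the caller passed one to get. That makes the situation in this thread testable: if the server log still shows a Cookie header on a request that the client did not decorate, the cookie is not coming from this client's cookie handling, and the search can move elsewhere. Replaying one client's session cookie on another client's request is the same failure class as a crossed login, which is why cookie handling in a load or integration test client is worth making explicit rather than relying on the defaults.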

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Martin Gainty
8443 indicates secure connection so perhaps a misconfig with wildfly 
standalone.xml (see below)


  

 



https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration

?

can you ping wildfly userlist ?
https://developer.jboss.org/en/wildfly


jaikiran is a good resource that I met on a different userlist..I would 
definitely ping him
stay in touch/let me know if setting session-cookie in standalone.xml works

M-
NB: I once contracted to the company that bought wildfly..we had to figure 
configuration by ourselves


From: Prasanth Pasala 
Sent: Tuesday, May 15, 2018 11:42 AM
To: user@struts.apache.org
Subject: Re: Struts2 login action class seems to be reused


Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
See below the header information when the exception occurred. Strange thing is 
JMeter is saying it did not send any cookie (which is what I would expect in 
this case as it is just requesting the login page)

Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.    (xx 
- is the machine name on which wildfly is running)
Connection: keep-alive
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
Host: dev.secure.xxx.com:8443
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

10:09:09,150 ERROR 
[org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) 
Exception occurred during processing request: UT10: Session is invalid
ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: 
UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ

From JMeter---
GET https://dev.secure.pangburngroup.com:8443/participant/

GET data:


[no cookies]

Request Headers:
Connection: keep-alive
Host: dev.secure.xxx.com:8443
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
--

Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
Hi Martin,

Thanks for the response. We are using Wildfly 11.0.0 Final.  I will try to get 
the HTTP header dump.

Thanks,
Prasanth


On 05/15/2018 07:44 AM, Martin Gainty wrote:

Re: Re: Struts2 login action class seems to be reused

2018-05-15 Thread Martin Gainty
Hi Norbert/Prasanth

Struts2 login action problem has morphed to "Invalid Session State" with 
Wildfly's implementation of TC 5.5

https://en.wikipedia.org/wiki/WildFly



MG>as a debugging exercise I would dump HTTP Header attributes with

http://livehttpheaders.mozdev.org/



MG>then check JSESSIONID

MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
MG>and corrected with his own StandardManager findSession method
https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/

Yes, there is! I found it and implemented this solution: A class
extending org.apache.catalina.session.StandardManager and overriding
the method public Session findSession(String id) throws IOException -
simply removing quotation marks, if any! Seems to work fine.
Thanks for putting me on the right trail!

MG>assuming your TC has incorrect StandardManager can you update wildfly with a 
more updated version?
MG>here are versions
https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=true


MG>personally I wouldn't muck with TC; I would suggest upgrading wildfly and 
getting jboss-web container

hth
martin
__





From: Norbert Hirneisen 
Sent: Friday, March 2, 2018 6:55 PM
To: user@struts.apache.org
Subject: Fwd: Re: Struts2 login action class seems to be reused

Hi Prasanth,

are you sure all your struts1 code is thread safe? I had some similar
problems in a struts1 application. After removing all action class
properties the problem was solved. Struts2 should be thread safe. But
your problem looks to me like a problem with thread safety.

Best regards,

Norbert

science + communication & HaNo Systems

Bonn/Ho-Chi-Minh


On 02.03.2018 at 22:07, Prasanth Pasala wrote:
> I was able to replicate the issue today. Asked a few users to keep logging in 
> and ran jmeter to access the login page, without putting in any username or 
> password. Out of the 100 attempts 2 attempts were successful in getting in 
> without username/password. I am seeing database login entries for these two, 
> which would happen only if a valid session is not present and the user has 
> provided username/password.
>
> Thanks,
> Prasanth
>
> On 03/01/2018 02:27 PM, Prasanth wrote:
>> Hi,
>>
>> I have an application which uses both struts1 & struts2. The login action 
>> was recently moved to struts2. Immediately after the deployment we were 
>> notified that one user is seeing a different user's information, so we had 
>> to move to older war files. I am not able to replicate it. But after 
>> investigating the logs it seems like a couple of users were logged in as 
>> soon as they requested the login page. For the database entry to happen it 
>> has to verify the username and password in the action class, but the fact 
>> that there is no POST entry at that time from that IP in my access log makes 
>> me believe that the action class somehow already had that information from 
>> a prior user.
>>
>> I do have a login filter to check if users are logged in when accessing 
>> other pages. In this filter I have the below two lines, we had to do this as 
>> we will have requests forwarded from one
>> application to another and when that happens we are getting class cast 
>> exception for ActionMapping class and valueStack. Not sure if the behavior 
>> is a side effect of having the below lines.
>>
>>  request.setAttribute("struts.actionMapping", new ActionMapping());
>>  request.setAttribute("struts.valueStack", null);
>>
>> We are using Struts 2.3.34 and Wildfly.
>>
>> Appreciate any insights you might have.
>>
>> Thanks,
>> Prasanth
>>
>>
>


-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
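Norbert's thread-safety question and Prasanth's original symptom (a login recorded with credentials the requesting client never sent), illustrated with an added stand-alone simulation that is not Struts code and is not from anyone in this thread. LoginAction, crossedLogins and the actionSource supplier are hypothetical stand-ins for a Struts action and for the framework's choice between one shared instance (the Struts 1 model) and a fresh instance per request (the Struts 2 default); no Struts classes are needed to run it.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.function.Supplier;

public class ActionStateDemo {

    /** A login action in the shape used in this thread: setters are called, then execute(). */
    static class LoginAction {
        private String username;   // instance state: shared if the instance is shared
        private String password;

        void setUsername(String u) { username = u; }
        void setPassword(String p) { password = p; }

        /** Returns the identity that would be written to the login table. */
        String execute() throws InterruptedException {
            Thread.sleep(2);       // stands in for the password check / DB round trip
            return username + ":" + password;
        }
    }

    /**
     * Runs `requests` concurrent logins, taking the action from actionSource, and
     * returns how many of them were processed with another user's credentials.
     */
    static int crossedLogins(Supplier<LoginAction> actionSource, int requests)
            throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            final String user = "user" + i;       // constructed sample credentials
            final String pass = "secret" + i;
            results.add(pool.submit(() -> {
                LoginAction action = actionSource.get();
                action.setUsername(user);         // parameter population
                action.setPassword(pass);
                String seen = action.execute();   // what the login logic actually used
                return !seen.equals(user + ":" + pass);   // true = crossed login
            }));
        }
        int crossed = 0;
        for (Future<Boolean> f : results) {
            if (f.get()) crossed++;
        }
        pool.shutdown();
        return crossed;
    }

    public static void main(String[] args) throws Exception {
        // Struts 1 model: one instance serves every request, so the fields are shared
        LoginAction singleton = new LoginAction();
        int shared = crossedLogins(() -> singleton, 200);

        // Struts 2 model: a new instance per request, so there is no shared state to leak
        int perRequest = crossedLogins(LoginAction::new, 200);

        System.out.println("shared singleton action: " + shared + " of 200 logins crossed");
        System.out.println("per-request action:      " + perRequest + " of 200 logins crossed");
    }
}
```

Run it a few times: with the shared instance, setters and execute() from different threads interleave, so a thread can return another user's username:password pair, which is exactly what would show up as a database login entry for a request that carried no credentials; the count varies from run to run but is rarely zero. With a fresh instance per request there is no instance state to cross. Note that the per-request model removes this race but not the second path discussed in this thread, where an old action's state is pulled into the value stack after a cross-context forward; that needs to be examined separately.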



Re: Struts2 login action class seems to be reused

2018-05-15 Thread Yasser Zamani


On 5/15/2018 12:45 AM, Prasanth Pasala wrote:
> A different issue is coming up now after the get methods are removed. 
> Getting the below exception sometimes when you request the login page, at 
> which point the browser doesn't have the session id yet; the session id 
> mentioned would be a session id from a previous request (from another 
> thread, in JMeter testing). Wonder if somehow this data (session id) is also 
> moved by struts2 when copying data from the other LoginAction that is 
> lingering from old requests.
> 
> Thanks,
> Prasanth
> 
> Exception: java.lang.IllegalStateException: UT10: Session is invalid 
> JVoo5BkMlzTpOavsEe7_NjS0MzTXDlhYtlSviiGR


AFAIK the session is completely managed by the browser and the app server, e.g.
Tomcat, so I think this isn't a Struts issue.

Regards.