Dan Smith created GEODE-1728: -------------------------------- Summary: SessionCachingFilter can create multiple sessions when requests are forwarded Key: GEODE-1728 URL: https://issues.apache.org/jira/browse/GEODE-1728 Project: Geode Issue Type: Bug Components: http session Reporter: Dan Smith
Our installer adds this configuration to the users web.xml file for the session state replication: {code} <filter-mapping> <filter-name>gemfire-session-filter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>FORWARD</dispatcher> <dispatcher>INCLUDE</dispatcher> <dispatcher>REQUEST</dispatcher> <dispatcher>ERROR</dispatcher> </filter-mapping> {code} This means that our filter will be applied to all incoming requests, and it will be applied *again* if the request is forwarded to or includes another servlet. We wrap the HttpServletRequest in our own RequestWrapper class. We have some code that tries to prevent wrapping a request multiple times: {code} /** * Early out if this isn't the right kind of request. We might see a * RequestWrapper instance during a forward or include request. */ if (request instanceof RequestWrapper || !(request instanceof HttpServletRequest)) { LOG.debug("Handling already-wrapped request"); chain.doFilter(request, response); return; } {code} Unfortunately, this check will not work if there are *other* filters in the chain that also wrap the HttpServletRequest. That can result in us wrapping the forwarded request in a new RequestWrapper that will create another session. We should not add these <dispatcher/> elements to the web.xml; it should be sufficient for our filter to intercept all requests initially. In addition, we might want to enhance our check to see if we have already wrapped a request to follow the chain of wrapped requests deeper. As long as other filters wrap the request in a subclass of HttpServletRequestWrapper we should be able to unwrap the request if needed. -- This message was sent by Atlassian JIRA (v6.3.4#6332)