Hi Martin,

Thanks for the response. We are using Wildfly 11.0.0 Final.  I will try to get 
the HTTP header dump.

Thanks,
Prasanth


On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with 
> Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with 
> a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
>
> MG>personally I wouldn't muck with TC; I would suggest upgrading wildfly and 
> getting jboss-web container
>
> hth
> martin
> ______________________________________________
>
>
>
>
> ________________________________
> From: Norbert Hirneisen <no...@s2you.de>
> Sent: Friday, March 2, 2018 6:55 PM
> To: user@struts.apache.org
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe? I had some similar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problem looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
>
> Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
>> I was able to replicate the issue today. Asked a few users to keep logging in 
>> and ran jmeter to access the login page, without putting in any username or 
>> password. Out of the 100 attempts, 2 attempts were successful in getting in 
>> without username/password. I am seeing database login entries for these two, 
>> which would happen only if a valid session is not present and the user has 
>> provided username/password.
>>
>> Thanks,
>> Prasanth
>>
>> On 03/01/2018 02:27 PM, Prasanth wrote:
>>> Hi,
>>>
>>> I have an application which uses both struts1 & struts2. The login action 
>>> was recently moved to struts2. Immediately after the deployment we were 
>>> notified that one user is seeing a different user's information, so we had 
>>> to move to older war files. I am not able to replicate it. But after 
>>> investigating the logs it seems like a couple of users were logged in as 
>>> soon as they requested the login page. For the database entry to happen it 
>>> has to verify the username and password in the action class, but the fact 
>>> that there is no POST entry at that time from that IP in my access log 
>>> makes me believe that the action class somehow already had that 
>>> information from a prior user.
>>>
>>> I do have a login filter to check if users are logged in when accessing 
>>> other pages. In this filter I have the below two lines, we had to do this 
>>> as we will have requests forwarded from one
>>> application to another and when that happens we are getting class cast 
>>> exception for ActionMapping class and valueStack. Not sure if the behavior 
>>> is a side effect of having the below lines.
>>>
>>>              request.setAttribute("struts.actionMapping", new ActionMapping());
>>>              request.setAttribute("struts.valueStack", null);
>>>
>>> We are using Struts 2.3.34 and Wildfly.
>>>
>>> Appreciate any insights you might have.
>>>
>>> Thanks,
>>> Prasanth
>>>
>>>
>
>
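
The thread-safety concern raised in the quoted reply (action class properties in Struts 1) can be reproduced without any framework. The following is an added example, not code from the thread or from Struts: it shows how request data kept in instance fields of an action that is shared across requests lets a later request with no credentials inherit an earlier user's login, while a new instance per request does not. All class and method names are hypothetical, and the credentials are constructed sample values.

```java
import java.util.Map;

// Added illustration; names are hypothetical, not Struts APIs.
public class SharedActionStateDemo {

    /** Action that keeps request data in instance fields. */
    static class LoginAction {
        private String username;
        private String password;

        // Frameworks call setters only for parameters present in the request.
        void populate(Map<String, String> params) {
            if (params.containsKey("username")) username = params.get("username");
            if (params.containsKey("password")) password = params.get("password");
        }

        /** Returns the logged-in user, or null to show the login page. */
        String execute() {
            // Constructed credentials standing in for the database check.
            boolean ok = "alice".equals(username) && "s3cret".equals(password);
            return ok ? username : null;
        }
    }

    /** One instance serves every request (Struts 1 action model). */
    static String[] sharedInstance(Map<String, String> first, Map<String, String> second) {
        LoginAction action = new LoginAction();
        action.populate(first);
        String a = action.execute();
        action.populate(second); // no parameters: the first user's fields survive
        return new String[] {a, action.execute()};
    }

    /** A new instance per request (Struts 2 default). */
    static String[] instancePerRequest(Map<String, String> first, Map<String, String> second) {
        LoginAction a1 = new LoginAction();
        a1.populate(first);
        LoginAction a2 = new LoginAction();
        a2.populate(second);
        return new String[] {a1.execute(), a2.execute()};
    }

    public static void main(String[] args) {
        Map<String, String> post = Map.of("username", "alice", "password", "s3cret");
        Map<String, String> get = Map.of(); // GET of the login page, no credentials
        System.out.println("shared instance:      " + sharedInstance(post, get)[1]);
        System.out.println("instance per request: " + instancePerRequest(post, get)[1]);
    }
}
```

Under concurrent load the shared-instance case also races, so the stale values can belong to any user whose request overlapped.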
