Hi Konstantin,

My answers below.

AT.

2013/12/3 at.silk <at.s...@everis.com>:
> Hi,
>
> I am contacting you about an exception we receive in a Tomcat class. A few 
> days ago we got an error in an application integrated with Tomcat. We have 
> tried to find information about it but have not found any solution, so we would 
> like to know whether you are aware of this issue.
>
> First we describe our scenario:
> 1. User logs in to the portal and remains idle for more than 30 minutes (30 
> minutes is the session expiration time).
> 2. Afterwards, he refreshes the web page and the session has expired.
> 3. During the page reload, an error occurs while executing the 
> "parseSessionSslId" method because the "SSLSupport.SESSION_ID_KEY" attribute is empty.
> 4. A blank page is displayed because the error is not caught.
>
> The exception produced during step 3 belongs to this section:
>  [org\apache\catalina\connector\CoyoteAdapter.java]
>       Method parseSessionSslId:
>                 
> request.setRequestedSessionId(request.getAttribute(SSLSupport.SESSION_ID_KEY).toString());
>                 request.setRequestedSessionSSL(true);
>
> This is our context:
> - Tomcat version: 7.0.25
> - OS: Linux distribution
> - Liferay 6.1GA1 portal integrated with Tomcat
> - We don't negotiate the user session via the session id in the cookie but via 
> the certificate.
>
> Our server.xml configuration file contains the following connectors:
> <Connector URIEncoding="UTF-8" port="8010" protocol="AJP/1.3" 
> redirectPort="8443" scheme="https" secure="true" />
> <Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1" SSLEnabled="true" 
> clientAuth="false" keystoreFile="xxx" keystorePass="yyy" 
> keystoreType="PKCS12" maxThreads="150" scheme="https" secure="true" 
> sslProtocol="TLS"/>

1. Is Tomcat accessed via AJP or HTTPS ?
AT: Tomcat is accessed via AJP:
<Connector URIEncoding="UTF-8" port="8010" protocol="AJP/1.3" 
redirectPort="8443" scheme="https" secure="true" />

<Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1" 
SSLEnabled="true" clientAuth="false" keystoreFile="xxx" keystorePass="yyy" 
keystoreType="PKCS12" maxThreads="150" scheme="https" secure="true" 
sslProtocol="TLS"/>


2. What is in front of Tomcat? An Apache HTTPD server? -> Right.

Is Apache HTTPD accessed via HTTPS? -> Right, via HTTPS

How mod_jk is configured there?
Is mod_jk configured to pass SSL_SESSION_ID to Tomcat?

AT:
This is our configuration:
AllowCONNECT 443
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLOptions +StdEnvVars +ExportCertData
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "xxx.crt"
SSLCertificateKeyFile "xxx.key"
ProxyPass / ajp://localhost:8010/ connectiontimeout=3600 timeout=3600
ProxyPassReverse / ajp://localhost:8010/

3. How is <session-config> configured in WEB-INF/web.xml of your web 
applications and in the shared $CATALINA_BASE/conf/web.xml file?
I expect that you have <tracking-mode> configured in one of those files.
<session-config>
        <session-timeout>30</session-timeout>
        <tracking-mode>SSL</tracking-mode>
</session-config>

Are you able to identify what web application is being requested here?
(E.g. by looking into the access log)?
There is just one web application being accessed there.

> Conclusion:
> The exception is raised when the session id is empty because we have an 
> expired session. We have recompiled this code section with a try/catch, and now 
> our application does not receive the error; we can see our page 
> displayed, obviously with the session expired.

4. A full stacktrace = ?
java.lang.NullPointerException
at org.apache.catalina.connector.CoyoteAdapter.parseSessionSslId(CoyoteAdapter.java:894)
at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:689)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:402)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)


> Do you think this could be due to some local configuration, or is it a general 
> issue?
> Is there any possibility of handling this case so that it is protected when 
> sessionId is null?
>

If an application is configured to use the SSL session as its session identifier, 
and no SSL session is available, how do you expect it to behave?  It looks like if 
one adds a try/catch there, the application will create a new session with 
every request.  Are you OK with that?
AT: If there is not already an active session, I would agree with creating a new 
session just for this situation.

5. I do not see how 30 minutes can come into play here. With my guesses above, 
an application should have failed with the first request.
Is some form of single sign-on configured between applications? Is 30 minutes 
the expiration time from single sign-on (and not from the webapp's session)?
AT: There is no SSO. It seems the application is checking its own timeout later 
than Tomcat does.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
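Added example, not Tomcat's code and not from anyone in the thread: a Python model of the requested-session-id lookup that the stack trace above passes through, with the null guard the reporter is asking for, beside a function shaped like the failing line so the two behaviours can be compared. It also runs the consequence Konstantin raises, that with SSL-only tracking and no SSL session id arriving over AJP the container creates a fresh session on every request. The attribute name javax.servlet.request.ssl_session_id (what SSLSupport.SESSION_ID_KEY is assumed to resolve to), the cookie name JSESSIONID, the SessionStore helper and the sample requests are assumptions constructed for this example.

```python
"""Model of the requested-session-id lookup behind the NullPointerException in
the thread. Added example: this is NOT Tomcat's code; it mirrors the order of
checks (SSL session id first, then cookie) with an explicit null guard."""
from typing import Dict, Iterable, Mapping, Optional, Tuple

# Attribute name SSLSupport.SESSION_ID_KEY is assumed to resolve to (assumption)
SSL_SESSION_ID_KEY = "javax.servlet.request.ssl_session_id"
SESSION_COOKIE_NAME = "JSESSIONID"  # assumed default session cookie name


def parse_session_ssl_id_unsafe(attrs: Mapping[str, Optional[str]]) -> str:
    """Shape of the failing line: call a method on the attribute without a
    null check. Raises AttributeError when the proxy forwarded no SSL session
    id, the Python analogue of the NPE in the stack trace."""
    ssl_id = attrs.get(SSL_SESSION_ID_KEY)
    return ssl_id.lower()


def resolve_requested_session(
    attrs: Mapping[str, Optional[str]],
    cookies: Mapping[str, str],
    tracking_modes: Iterable[str],
) -> Tuple[Optional[str], Optional[str]]:
    """Hardened lookup: returns (requested_id, source) where source is
    'SSL', 'COOKIE' or None. A missing or empty SSL session id is not an
    error; it simply means no SSL-tracked session was requested."""
    modes = set(tracking_modes)
    if "SSL" in modes:
        ssl_id = attrs.get(SSL_SESSION_ID_KEY)
        if ssl_id:  # the guard the failing code lacked
            return ssl_id, "SSL"
    if "COOKIE" in modes:
        cookie_id = cookies.get(SESSION_COOKIE_NAME)
        if cookie_id:
            return cookie_id, "COOKIE"
    return None, None


class SessionStore:
    """Minimal container session registry (hypothetical helper), just enough
    to count how many sessions the container had to create."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}
        self.created = 0

    def get_session(self, requested_id: Optional[str]) -> dict:
        if requested_id is not None and requested_id in self.sessions:
            return self.sessions[requested_id]
        self.created += 1
        # Reuse the SSL session id as the key when one was presented,
        # otherwise mint a fresh id for the new session.
        new_id = requested_id if requested_id is not None else f"S{self.created}"
        self.sessions[new_id] = {"id": new_id}
        return self.sessions[new_id]


def simulate(requests: Iterable[Tuple[dict, dict]], tracking_modes: Iterable[str]) -> int:
    """Feed (attrs, cookies) pairs through the hardened lookup and return the
    number of sessions created. With SSL-only tracking and no SSL session id
    forwarded, every request ends up creating a new session."""
    store = SessionStore()
    modes = list(tracking_modes)
    for attrs, cookies in requests:
        requested_id, _ = resolve_requested_session(attrs, cookies, modes)
        store.get_session(requested_id)
    return store.created


if __name__ == "__main__":
    # Constructed sample traffic: three requests carrying a stable SSL session
    # id, then three requests where the AJP proxy forwarded none.
    with_ssl = [({SSL_SESSION_ID_KEY: "5f3a9c"}, {})] * 3
    without_ssl = [({}, {})] * 3
    print("sessions created, SSL id forwarded:", simulate(with_ssl, ["SSL"]))     # 1
    print("sessions created, SSL id missing:  ", simulate(without_ssl, ["SSL"]))  # 3
    try:
        parse_session_ssl_id_unsafe({})
    except AttributeError as exc:
        print("unguarded lookup failed as in the stack trace:", exc)
```

The guard turns a missing attribute into the ordinary "no session requested" path, which is what the reporter's try/catch achieves as a side effect; the simulation shows the cost Konstantin points out, one new session per request while the SSL session id is absent. Whether the AJP proxy forwards the SSL session id at all is a separate question the thread leaves open.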
