Guys, has this been resolved? We have been having some customers complain as
well (some sending screenshots of other people's data as proof). Because
our users' click streams are publicly available under their control, we had
thought jsessionids occurring in the click stream were being maliciously
hijacked. We plugged that hole by disallowing any jsessionid from being part of
the URL (via a Servlet filter) - yes, this of course means JavaScript must be
enabled. This involuntary session sharing is still occurring. We are running
release 1.3.2.


Johan Compagner wrote:
> 
> I know all that, but I don't know how this could happen in Wicket. I
> think it is user code, because if you have a BufferedResponse that has
> a string buffer filled, then it is very strange that the output stream
> is already used. I am very curious how both can be used by Wicket in
> the same request; Wicket only uses the output stream itself for resources
> and a redirect to buffer (the actual redirect). The last part
> really can't happen because there shouldn't be anything in the response.
> 
> The first part can't happen either, because we don't render a page or
> something if a resource request target is the response target.
> 
> So it seems to me that it is user code that writes directly to the
> stream and still lets Wicket do something.
> 
> 
> On 5/5/08, lars vonk <[EMAIL PROTECTED]> wrote:
>> Hi Johan,
>>
>> This exception occurs if you obtained the servlet response via
>> ServletResponse.getOutputStream() and are *trying* to obtain the writer
>> via ServletResponse.getWriter() at the same time. According to the
>> javadoc of ServletResponse you can either use getOutputStream or getWriter
>> to write the body:
>>
>> > Either this method or {@link #getOutputStream} may be called to write the
>> > body, not both.
>> >
>>
>> Jetty tracks this using an inner flag. This flag is only reset by the
>> ServletResponse.reset() method, which I believe is called at the end of
>> the servlet request cycle.
>>
>> If I look at Wicket's WebResponse class I see several
>> ServletResponse.getWriter *and* ServletResponse.getOutputStream calls.
>> You can't mix those two when writing the servlet response.
>>
>> Maybe this helps with tracking where it goes wrong.
>>
>> Cheers Lars
>>
>> PS. The exception would have been IllegalStateException("WRITER") if you
>> had obtained ServletResponse.getWriter() and were *trying* to obtain
>> ServletResponse.getOutputStream() at the same time.
>>
>> On Mon, May 5, 2008 at 4:39 PM, Johan Compagner <[EMAIL PROTECTED]>
>> wrote:
>>
>> > It was really a pretty rare exception:
>> >
>> > 285154 [btpool0-9] ERROR org.mortbay.log - /undefined
>> > java.lang.IllegalStateException: STREAM
>> >       at org.mortbay.jetty.Response.getWriter(Response.java:585)
>> >       at org.apache.wicket.protocol.http.WebResponse.write(WebResponse.java:355)
>> >       at org.apache.wicket.protocol.http.BufferedWebResponse.close(BufferedWebResponse.java:73)
>> >       at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:371)
>> >       at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:194)
>> >       at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
>> >
>> > I have no idea how this exception can happen.
>> > It seems that something has already been streamed, but then close() also
>> > finds some stuff and wants to write it..
>> >
>> > That did result in an exception on close(), so the unset wasn't called.
>> >
>> > johan
>> >
>> >
>> >
>> > On Mon, May 5, 2008 at 3:34 PM, Erik van Oosten <[EMAIL PROTECTED]>
>> > wrote:
>> >
>> > > Isn't this problem serious enough to release 1.3.4?
>> > >
>> > > Regards,
>> > >    Erik.
>> > >
>> > >
>> > > Johan Compagner wrote:
>> > > > The only thing we found was the finalize block that could be
>> > > > skipped because of an exception again in that block.
>> > > >
>> > > > That is fixed in the current 1.3.x branch (and 1.4).
>> > > >
>> > > >
>> > >
>> > > --
>> > > Erik van Oosten
>> > > http://day-to-day-stuff.blogspot.com/
>> > >
>> > >
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
>> > > For additional commands, e-mail: [EMAIL PROTECTED]
>> > >
>> > >
>> >
>>
> 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Invoulentary-session-sharing-leakage-in-Wicket-1.3.x-tp16550360p17266484.html
Sent from the Wicket - User mailing list archive at Nabble.com.
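The thread makes two practical points: the original poster's mitigation of keeping jsessionid out of URLs, and the finding that an exception thrown late in the request (Jetty's IllegalStateException("STREAM") when getWriter() is called after getOutputStream()) skipped the unset of the per-thread session binding, so the next request on the same worker thread inherited another user's session. The filter below is an added illustration written for this page, not Wicket's code or a patch to it; the class name, the ThreadLocal holder and the flushBufferedBody() step are assumptions that stand in for a framework's own request cycle, and only the javax.servlet API calls are real.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Illustrative servlet filter (written for this thread, not Wicket's code).
 *  1. Refuse URL-carried session ids and disable URL rewriting, so a
 *     jsessionid never ends up in a publicly visible click stream.
 *  2. Unbind the per-thread "current session" in a finally block, so a late
 *     exception such as IllegalStateException("STREAM") from getWriter()
 *     after getOutputStream() cannot skip the unbind and leave the previous
 *     user's session attached to the pooled worker thread.
 */
public class SessionHygieneFilter implements Filter {

    // Hypothetical per-thread holder; stands in for a framework's
    // "current session" slot and is not any real framework's field.
    private static final ThreadLocal<HttpSession> CURRENT = new ThreadLocal<HttpSession>();

    public static HttpSession currentSession() { return CURRENT.get(); }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hresp = (HttpServletResponse) resp;

        // Point 1: a session id supplied via ;jsessionid=... is rejected outright.
        // The container would otherwise accept it, and such an id is copyable
        // from any log or click stream that records the URL.
        if (hreq.isRequestedSessionIdFromURL()) {
            hresp.sendError(HttpServletResponse.SC_BAD_REQUEST, "session id in URL not accepted");
            return;
        }

        // Point 2, first half: a binding left over from an earlier request on
        // this thread means cleanup was skipped once already. Never reuse it.
        if (CURRENT.get() != null) {
            CURRENT.remove();
        }
        CURRENT.set(hreq.getSession(true));
        try {
            chain.doFilter(hreq, new NoUrlRewriteResponse(hresp));
            flushBufferedBody(hresp);
        } finally {
            // Point 2, second half: runs even when flushBufferedBody() throws.
            // Cleanup placed after the try block instead would be skipped.
            CURRENT.remove();
        }
    }

    /** Simulates a buffered response body being written out at the end of the request. */
    private static void flushBufferedBody(HttpServletResponse resp) throws IOException {
        // If downstream code already called getOutputStream(), this getWriter()
        // call throws IllegalStateException (Jetty labels it "STREAM").
        PrintWriter w = resp.getWriter();
        w.flush();
    }

    /** Response wrapper that never appends ;jsessionid=... to generated links. */
    private static final class NoUrlRewriteResponse extends HttpServletResponseWrapper {
        NoUrlRewriteResponse(HttpServletResponse r) { super(r); }
        public String encodeURL(String url) { return url; }
        public String encodeRedirectURL(String url) { return url; }
    }
}
```

Register the filter in web.xml ahead of the application's own filter so it wraps the whole request. With URL rewriting disabled, clients must accept the session cookie; the stale-binding check at the top of doFilter() is defence in depth and is also a good place to log, since a non-null value there is direct evidence that some earlier request skipped its cleanup.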

