[
https://issues.apache.org/jira/browse/IGNITE-6070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16158379#comment-16158379
]
ASF GitHub Bot commented on IGNITE-6070:
----------------------------------------
GitHub user alamar opened a pull request:
https://github.com/apache/ignite/pull/2621
IGNITE-6070 Ensure that Web Session RequestWrapper considers its sess…
…ions valid.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/gridgain/apache-ignite ignite-6070
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/ignite/pull/2621.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2621
----
commit 3339796e9a7b98e5c666f902d06589a0fb636703
Author: Ilya Kasnacheev <[email protected]>
Date: 2017-09-08T09:25:10Z
IGNITE-6070 Ensure that Web Session RequestWrapper considers its sessions
valid.
----
> Infinite redirects at Spring Security Web Session Clustering with Tomcat
> ------------------------------------------------------------------------
>
> Key: IGNITE-6070
> URL: https://issues.apache.org/jira/browse/IGNITE-6070
> Project: Ignite
> Issue Type: Bug
> Components: websession
> Affects Versions: 2.1
> Environment: Spring Security, Apache Tomcat
> Reporter: Ilya Kasnacheev
> Assignee: Ilya Kasnacheev
> Priority: Minor
> Labels: easyfix, newbie
> Attachments: IGNITE-6070.patch, webtest.zip
>
>
> See
> https://stackoverflow.com/questions/45648884/apache-ignite-spring-secutiry-error
> description.
> When Session comes from Ignite but its Authentication is anonymous, Spring
> Security does the following check:
> {code}
> } else if (request.getRequestedSessionId() != null &&
> !request.isRequestedSessionIdValid()) {
> this.logger.debug("Requested session ID " +
> request.getRequestedSessionId() + " is invalid.");
>
> this.invalidSessionStrategy.onInvalidSessionDetected(request, response);
> }
> {code}
> The problem is, in Ignite we never override isRequestedSessionIdValid() in
> our request wrappers, so it falls back to Tomcat's own (session) Manager,
> which will then find that it has never seen this Session and it is therefore
> invalid. Thus failover is triggered, and if there's "invalid-session-url"
> clause in Spring Security config, redirect will be issued, possibly circular.
> I've attaching a sample Maven WAR project. It should be deployed to two
> different Tomcat instances operating on two different ports of same machine,
> e.g. 8080 and 8180, and then
> http://localhost:PORT/webtest-1.0-SNAPSHOT/index.jsp should be opened in the
> same Web Browser one after another for two ports. The second one should cause
> infinite 302 Redirect to same URL.
> There's also a minor bug in the same code: see session.jsp in the example. It
> will needlessly throw NPE in WebSessionFilter:1001 and confuse web server.
> Should output "OK" when fixed.
> Discussion:
> By the way, letting the web server to get hold on Sessions that it creates
> for us causes additional problems: it's going to store these sessions in
> parallel with Ignite, consuming memory in the process that first saw a given
> session. We should probably have (possibly a third party) an Ignite-using
> Manager implementation for Tomcat specifically. It will be much simpler than
> filter-based approach while performing better.
> Or maybe we should create our own Sessions that we never allow the web server
> to see.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
