Re: Fwd: Re: Struts2 login action class seems to be reused

2018-03-02 Thread Prasanth 

Hi Norbert,

Struts1 actions are thread safe (no instance variables). The login 
action has been moved to Struts2 with instance variables for username, 
password and the issue is coming up with this new struts2 action. Which 
is used for both displaying login page and also taking username/password 
when the form is submitted.


Thanks,
Prasanth

On 3/2/2018 5:55 PM, Norbert Hirneisen wrote:

Hi Prasanth,

are you sure all your struts1 code is thread safe ? I had some similiar
problems in a struts1 application. After removing all action class
properties the problem was solved. Struts2 should be thread safe. But
your problems looks to me like a problem with thread safety.

Best regards,

Norbert

science + communication & HaNo Systems

Bonn/Ho-Chi-Minh


Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
I was able to replicate the issue today. Asked few users to keep 
logging in and ran jmeter to access login page, with out putting any 
username or password. Out of the 100 attempts 2 attempts were
successful in getting in with out username/password. I am seeing 
database login entries for these two. Which would happen only if a 
valid session is not present and user has provided username/password.


Thanks,
Prasanth

On 03/01/2018 02:27 PM, Prasanth wrote:

Hi,

I have an application which uses both struts1 & struts2. The login 
action was recently moved to struts2. Immediately after the 
deployment we were notified that one user is seeing a different user
information, so we had to move to older war files. I am not able to 
replicate it. But after investigating the logs it seems like couple 
users were logged in as soon as they requested the login page.
For the database entry to happen it has to verify the username and 
password in the action class, but the fact that there is no POST 
entry at that time from that IP in my access log makes me believe
that the action class some how already had that information from a 
prior user.


I do have a login filter to check if users are logged in when 
accessing other pages. In this filter I have the below two lines, we 
had to do this as we will have requests forwarded from one
application to another and when that happens we are getting class 
cast exception for ActionMapping class and valueStack. Not sure if 
the behavior is a side effect of having the below lines.


 request.setAttribute("struts.actionMapping", new 
ActionMapping());

 request.setAttribute("struts.valueStack", null);

We are using Struts 2.3.34 and Wildfly.

Appreciate any insights you might have.

Thanks,
Prasanth







-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org




-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

Fwd: Re: Struts2 login action class seems to be reused

2018-03-02 Thread Norbert Hirneisen 

Hi Prasanth,

are you sure all your struts1 code is thread safe ? I had some similiar
problems in a struts1 application. After removing all action class
properties the problem was solved. Struts2 should be thread safe. But
your problems looks to me like a problem with thread safety.

Best regards,

Norbert

science + communication & HaNo Systems

Bonn/Ho-Chi-Minh


Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:

I was able to replicate the issue today. Asked few users to keep logging in and 
ran jmeter to access login page, with out putting any username or password. Out 
of the 100 attempts 2 attempts were
successful in getting in with out username/password. I am seeing database login 
entries for these two. Which would happen only if a valid session is not 
present and user has provided username/password.

Thanks,
Prasanth

On 03/01/2018 02:27 PM, Prasanth wrote:

Hi,

I have an application which uses both struts1 & struts2. The login action was 
recently moved to struts2. Immediately after the deployment we were notified that 
one user is seeing a different user
information, so we had to move to older war files. I am not able to replicate 
it. But after investigating the logs it seems like couple users were logged in 
as soon as they requested the login page.
For the database entry to happen it has to verify the username and password in 
the action class, but the fact that there is no POST entry at that time from 
that IP in my access log makes me believe
that the action class some how already had that information from a prior user.

I do have a login filter to check if users are logged in when accessing other 
pages. In this filter I have the below two lines, we had to do this as we will 
have requests forwarded from one
application to another and when that happens we are getting class cast 
exception for ActionMapping class and valueStack. Not sure if the behavior is a 
side effect of having the below lines.

             request.setAttribute("struts.actionMapping", new ActionMapping());
             request.setAttribute("struts.valueStack", null);

We are using Struts 2.3.34 and Wildfly.

Appreciate any insights you might have.

Thanks,
Prasanth







-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org