Re: Struts2 login action class seems to be reused

2018-05-18 Thread Prasanth
The forward happens only to LoginAction. In some cases a PostBack will work but in cases where we have given the end user a choice of applications PostBack will not work as browser has to post back the 1st request information rather than the second request information. Agree I guess we have to

Re: Struts2 login action class seems to be reused

2018-05-17 Thread Yasser Zamani
On 5/16/2018 11:51 PM, Prasanth wrote: > Would struts2 call this setRequest method even if the class is implementing > just ServletRequestAware? No. Additionally Struts RequestAware method signature is setRequest(Map request); i.e. its parameter is Map not ServletRequest. >

Re: Struts2 login action class seems to be reused

2018-05-16 Thread Prasanth
Another update, the LoginAction in Context2 had the below methods, two methods to set the request. Maybe I have done RequestAware and then realized it should be ServletRequestAware and did not delete the setRequest method. I think having the setRequest is the culprit for the invalid session

Re: Struts2 login action class seems to be reused

2018-05-16 Thread Prasanth
We use the path as / for the cookie path that allows the session to be shared between context1 and context2. The JSESSIONID also remains the same when the request is forwarded. Martin asked me if the action is session aware. It was not implementing SessionAware interface even though session

Re: Struts2 login action class seems to be reused

2018-05-16 Thread Yasser Zamani
On 5/16/2018 7:23 PM, Prasanth Pasala wrote: > Exception: java.lang.IllegalStateException: UT10: Session is invalid > r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op > at > io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481 > at >

Re: Struts2 login action class seems to be reused

2018-05-16 Thread Prasanth
M- > NB: I once contracted to the company that bought wildfly..we had to figure > configuration by ourselves > > > *From:* Prasanth Pasala <ppas...@pangburngroup.com>

Re: Struts2 login action class seems to be reused

2018-05-16 Thread Prasanth Pasala
Below is a complete stack trace. Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481 at

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Yasser Zamani
On 5/16/2018 6:59 AM, Prasanth Pasala wrote: > We have two applications (websites) to make it easier for users we have a > third site that acts as a common login place. Once the user enters the > username and password it determines the right site to use and does a forward > to that context

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
>> > Yes, there is! I found it and implemented this solution: A class >> > extending org.apache.catalina.session.StandardManager and >overriding >> > the method public Session findSession(String id) throws IOException >- >> > simply removing quotation marks, if

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Jaikiran Pai
-- *From:* Prasanth Pasala <ppas...@pangburngroup.com> *Sent:* Tuesday, May 15, 2018 11:42 AM *To:* user@struts.apache.org *Subject:* Re: Struts2 login action class seems to be reused See below the header information when the exception occurred. Strange thing is JMete

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Martin Gainty
> Sent: Tuesday, May 15, 2018 11:42 AM To: user@struts.apache.org Subject: Re: Struts2 login action class seems to be reused See below the header information when the exception occurred. Strange thing is JMeter is saying it did not send any cookie (which is what I would expect in this case as it

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
sAS > version Ships with Tomcat Servlet Spec JSP Spec 3.2.3 4.1.29 2.3 > > > MG>personally i wouldnt muck with TC i would suggest upgrading wildfly and > getting jboss-web container > > hth > martin > __________________ > > > > > > From: Norbert Hirneisen <n

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
ation Server JBossAS > version Ships with Tomcat Servlet Spec JSP Spec 3.2.3 4.1.29 2.3 > > > MG>personally i wouldnt muck with TC i would suggest upgrading wildfly and > getting jboss-web container > > hth > martin > __________________ >

Re: Re: Struts2 login action class seems to be reused

2018-05-15 Thread Martin Gainty
rsonally i wouldnt muck with TC i would suggest upgrading wildfly and getting jboss-web container hth martin __ From: Norbert Hirneisen <no...@s2you.de> Sent: Friday, March 2, 2018 6:55 PM To: user@struts.apa

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Yasser Zamani
On 5/15/2018 12:45 AM, Prasanth Pasala wrote: > A different issue is coming up now after the get methods are removed.  > Getting the below exception some times when you request the login page, at > which point the browser doesn't have the session id > yet, the session id mentioned would be a

Re: Struts2 login action class seems to be reused

2018-05-14 Thread Prasanth Pasala
A different issue is coming up now after the get methods are removed. Getting the below exception sometimes when you request the login page, at which point the browser doesn't have the session id yet, the session id mentioned would be a session id from a previous request (from another thread,

Re: Struts2 login action class seems to be reused

2018-04-24 Thread Prasanth Pasala
I have removed the get methods from the LoginAction of /Context2 and that seems to solve the problem. So seems like the LoginAction objects created because of FORWARD somehow are in the stack while a LoginAction is created due to a REQUEST. Wondering if this can be replicated without having

Re: Struts2 login action class seems to be reused

2018-04-24 Thread Yasser Zamani
On 4/23/2018 11:50 PM, Prasanth Pasala wrote: > Get rid of the get methods in LoginAction, is this in /Context2 (application > where the issue is occurring) or /Context1 (which forwards the requests to > /Context2)? > That contexts who forwards request (Context1 I think) but you may do for

Re: Struts2 login action class seems to be reused

2018-04-23 Thread Prasanth Pasala
Get rid of the get methods in LoginAction, is this in /Context2 (application where the issue is occurring) or /Context1 (which forwards the requests to /Context2)? Yes exactly. The new log shows, your previous contexts actions (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in

Re: Struts2 login action class seems to be reused

2018-04-23 Thread Yasser Zamani
On 4/23/2018 10:12 PM, Prasanth Pasala wrote: > The user is inputting username and password in /Context1, if I send a > redirect they would have to enter username/password again in /Context2. > No, you already have them. I think you can use Struts PostbackResult [1] in /Context1/LoginAction

Re: Struts2 login action class seems to be reused

2018-04-23 Thread Prasanth Pasala
The two LoginAction classes below are from the same context (/Context2). Context1 LoginAction would have a different package name. The issue occurs when a user is requesting /Context2 directly rather than when the request is forwarded, if the request is forwarded from /Context1 it would have

Re: Struts2 login action class seems to be reused

2018-04-23 Thread Yasser Zamani
On 4/23/2018 8:04 PM, Prasanth Pasala wrote: > Found this one also but for almost all, the root size was 3. Below one was > anomaly. > Root Size: 4 > Result: null > Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d > Object: com.nqadmin.webaccess.LoginAction@7f716c46 > Object:

Re: Struts2 login action class seems to be reused

2018-04-23 Thread Prasanth Pasala
Found this one also but for almost all, the root size was 3. Below one was anomaly. Root Size: 4 Result: null Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d Object: com.nqadmin.webaccess.LoginAction@7f716c46 Object: com.nqadmin.webaccess.LoginAction@35224c2f Also found that the

Re: Struts2 login action class seems to be reused

2018-04-23 Thread Prasanth Pasala
Below is the result of the new logging. Root Size: 3 Result: null Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d Object: com.xx.webaccess.LoginAction@40c80ce8 Thanks, Prasanth On 04/21/2018 05:09 AM, Yasser Zamani wrote: > > On 4/19/2018 4:39 PM, Prasanth Pasala wrote: >>

Re: Struts2 login action class seems to be reused

2018-04-21 Thread Yasser Zamani
On 4/19/2018 4:39 PM, Prasanth Pasala wrote: > There is a index.jsp which is defined as default page in web.xml it just > forwards the request to Login.action. There is no chaining of actions in > struts itself. We do have a LoginFilter which verifies > if a user is logged in. > So maybe

Re: Struts2 login action class seems to be reused

2018-04-19 Thread Prasanth Pasala
There is a index.jsp which is defined as default page in web.xml it just forwards the request to Login.action. There is no chaining of actions in struts itself. We do have a LoginFilter which verifies if a user is logged in. Thanks, Prasanth On 04/19/2018 03:26 AM, Yasser Zamani wrote: > > On

Re: Struts2 login action class seems to be reused

2018-04-19 Thread Yasser Zamani
On 4/19/2018 7:21 AM, Prasanth Pasala wrote: >   > com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153) >   > com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143) Thanks! These lines show Struts doesn't set

Re: Struts2 login action class seems to be reused

2018-04-18 Thread Prasanth Pasala
Below is the stack trace for setting of username. So struts2 has set the username, but that name doesn't exist in the request object. Struts Data: Username: jsmith Action: Login Request Data: Username: null Action: null java.lang.Thread.getStackTrace(Thread.java:1559)  

Re: Struts2 login action class seems to be reused

2018-04-17 Thread Yasser Zamani
On 4/16/2018 7:19 PM, Prasanth Pasala wrote: > So I am wondering where did these values come from into the instance > variables? Great! Please also get the current stack trace inside your action's setUsername method and save it in a private string field inside your action. Then when action and

Re: Struts2 login action class seems to be reused

2018-04-16 Thread Prasanth Pasala
Finally we redeployed the code with an added check to make sure the instance variables populated by struts match the request parameters. Within a few hours of deployment we got emails indicating that the values populated into the instance variables don't match those in request parameters. Below

Re: Struts2 login action class seems to be reused

2018-03-17 Thread Yasser Zamani
On 3/16/2018 11:00 PM, Prasanth Pasala wrote: > There is only one reference to Util.authenticate in the project and that is > in LoginAction. > If (those log record insertions are only possible via LoginAction.execute method && IP field value of them are different and are consistent with

Re: Struts2 login action class seems to be reused

2018-03-16 Thread Prasanth Pasala
There is only one reference to Util.authenticate in the project and that is in LoginAction. On 03/16/2018 02:13 PM, Yasser Zamani wrote: > And you confirm that those log record insertions are only possible via > LoginAction.execute method? Right? Or util.authenticate are called elsewhere >

Re: Struts2 login action class seems to be reused

2018-03-16 Thread Yasser Zamani
And you confirm that those log record insertions are only possible via LoginAction.execute method? Right? Or util.authenticate are called elsewhere also? On Mar 16, 2018, at 9:45PM, Prasanth Pasala > wrote: We have a pretty standard

Re: Struts2 login action class seems to be reused

2018-03-16 Thread Prasanth Pasala
We have a pretty standard struts.xml just declaration of action and the class along with the results (tiles results). Nothing other than that. On 03/16/2018 11:55 AM, Yasser Zamani wrote: > > On 3/16/2018 1:49 AM, Prasanth Pasala wrote: >> We do have login time, using that and the IP to

Re: Struts2 login action class seems to be reused

2018-03-16 Thread Yasser Zamani
On 3/16/2018 1:49 AM, Prasanth Pasala wrote: > We do have login time, using that and the IP to correlate that with the > access logs. Not all login entries have corresponding POST entries in access > log, so those would be our problems occurrences. > They actually correspond to a GET entry from

Re: Struts2 login action class seems to be reused

2018-03-15 Thread Prasanth Pasala
We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in access log, so those would be our problems occurrences. They actually correspond to a GET entry from a user. IP of the GET request of User1 matches with

Re: Struts2 login action class seems to be reused

2018-03-15 Thread Yasser Zamani
On 3/15/2018 5:21 PM, Prasanth Pasala wrote: > User2 would have logged in some time before that, sometimes within a minute > before that. I haven't seen any requests from User2 exactly at the time of > GET request from User1. It's strange :) Are login log records have same field values for

Re: Struts2 login action class seems to be reused

2018-03-15 Thread Prasanth Pasala
User2 would have logged in some time before that, sometimes within a minute before that. I haven't seen any requests from User2 exactly at the time of GET request from User1. Thanks, Prasanth On 03/15/2018 04:45 AM, Yasser Zamani wrote: > > On 3/14/2018 5:43 PM, Prasanth Pasala wrote: >> We

Re: Struts2 login action class seems to be reused

2018-03-15 Thread Yasser Zamani
On 3/14/2018 5:43 PM, Prasanth Pasala wrote: > We had a user report it soon after the deployment. After that we started > looking into the specific user who reported (User1) and the user (whose > information was seen by the reporting user) say User2. > We realized there are login entries from

Re: Struts2 login action class seems to be reused

2018-03-14 Thread Prasanth Pasala
We had a user report it soon after the deployment. After that we started looking into the specific user who reported (User1) and the user (whose information was seen by the reporting user) say User2. We realized there are login entries from same IP for both of these users. In the access log of

Re: Struts2 login action class seems to be reused

2018-03-13 Thread Yasser Zamani
On 3/10/2018 1:22 AM, Prasanth Pasala wrote: > Ran tests with 1000 users logging in in 60sec while simultaneously 1000 users > just requesting login page in 60 sec to see if any of them would get in with > out username/password. No luck. System seems > to be working properly. Also tried

Re: Struts2 login action class seems to be reused

2018-03-09 Thread Prasanth Pasala
Ran tests with 1000 users logging in in 60sec while simultaneously 1000 users just requesting login page in 60 sec to see if any of them would get in without username/password. No luck. System seems to be working properly. Also tried increasing it to 2000 it still worked as it should without

Re: Struts2 login action class seems to be reused

2018-03-08 Thread Yasser Zamani
On 3/8/2018 6:42 PM, Prasanth Pasala wrote: > Wish I was able to consistently reproduce it. I have two thread groups in > JMeter one thread group requests login page then logs in. Another thread > group just requests login page. I have tried this > with 100 users, 250 users in each thread

Re: Struts2 login action class seems to be reused

2018-03-08 Thread Prasanth Pasala
Wish I was able to consistently reproduce it. I have two thread groups in JMeter one thread group requests login page then logs in. Another thread group just requests login page. I have tried this with 100 users, 250 users in each thread group. I have varied the ramp up times from 60sec to

Re: Struts2 login action class seems to be reused

2018-03-08 Thread Yasser Zamani
On 3/7/2018 11:23 PM, Prasanth Pasala wrote: > If it is a session crossover we would display another user information > without making a login entry. In the cases where we had issue the code > recognized that there is no active session and went to the > authentication part, authenticated the

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Prasanth Pasala
Thanks for looking into this Yasser.  In the current setup we have, we don't have a cluster, it is the only server handling all requests. If it is a session crossover we would display another user information without making a login entry. In the cases where we had issue the code recognized that

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Yasser Zamani
On 3/7/2018 7:34 PM, Prasanth wrote: > I can't say that 2 percent of users were able to get in without > username/password. As I have run the JMeter tests a lot of times (each run > with 100 users). Only during one of those runs of JMeter I > had 2 requests get users home page when

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Prasanth
/context1 is used just for directing users to the right application (or context). Session is really maintained by /context2. Users can login directly in /context2 or they can input username and password in /context1 and they will be forwarded to the right context one of which is /context2. So

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Yasser Zamani
On 3/6/2018 9:42 PM, Prasanth Pasala wrote: > In StrutsPrepareAndExecuteFilter below is the line that gets the action > mapping, since the forceLookup is set to true the PrepareOperations class > might be creating it again. > ActionMapping mapping = prepare.findActionMapping(request, response,

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Yasser Zamani
On 3/5/2018 7:48 PM, Prasanth wrote: > For replicating the issue I was directly accessing /context2/Login.action. So > /context1 was not used in testing. Please let me repeat what I understood; When some users are signed in to /context1, you browse /context2/Login.action via JMeter empty

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Prasanth Pasala
I am not defining any default action. I would get the below exception if I set the ActionMapping to null. For some reason the object doesn't go away, if I set it to null. After setting it to null using request.setAttribute("struts.actionMapping", null);    I can get it using getAttribute. The

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Prasanth Pasala
I am not using Spring. Using Struts1, Struts 2 (2.3.34), tiles 2.0.4 On 03/05/2018 11:57 AM, Adam Brin wrote: > What are the annotations on the class? Is it possible that you're using > Spring, and not declaring "prototype" scope. eg: > > @Scope("prototype") > > On Mon, Mar 5, 2018 at 10:49 AM,

Re: Struts2 login action class seems to be reused

2018-03-05 Thread Adam Brin
What are the annotations on the class? Is it possible that you're using Spring, and not declaring "prototype" scope. eg: @Scope("prototype") On Mon, Mar 5, 2018 at 10:49 AM, Yasser Zamani wrote: > > > On 3/5/2018 7:48 PM, Prasanth wrote: > > But the Login filter had

Re: Struts2 login action class seems to be reused

2018-03-05 Thread Yasser Zamani
On 3/5/2018 7:48 PM, Prasanth wrote: > But the Login filter had the below lines to make sure forwarded requests from > /context1 > would work. > > request.setAttribute("struts.actionMapping", new ActionMapping()); Please let me discuss this line first of all. I'm still surprised how context2

Re: Struts2 login action class seems to be reused

2018-03-05 Thread Prasanth
Yes, login page is accessible always. Direct jsp access is not allowed, it has to go through the actions. When a user requests /Login.action login jsp page is displayed. When the user submits username and password (Post to Login.action) the user is authenticated and home page is displayed by

Re: Struts2 login action class seems to be reused

2018-03-03 Thread Yasser Zamani
On 3/3/2018 12:37 AM, Prasanth Pasala wrote: > I was able to replicate the issue today. Asked a few users to keep logging in > and ran jmeter to access login page, without putting any username or > password. Out of the 100 attempts 2 attempts were > successful in getting in without

Re: Fwd: Re: Struts2 login action class seems to be reused

2018-03-02 Thread Prasanth
Hi Norbert, Struts1 actions are thread safe (no instance variables). The login action has been moved to Struts2 with instance variables for username, password and the issue is coming up with this new struts2 action. Which is used for both displaying login page and also taking

Fwd: Re: Struts2 login action class seems to be reused

2018-03-02 Thread Norbert Hirneisen
Hi Prasanth, are you sure all your struts1 code is thread safe? I had some similar problems in a struts1 application. After removing all action class properties the problem was solved. Struts2 should be thread safe. But your problem looks to me like a problem with thread safety. Best

Re: Struts2 login action class seems to be reused

2018-03-02 Thread Prasanth Pasala
I was able to replicate the issue today. Asked a few users to keep logging in and ran jmeter to access login page, without putting any username or password. Out of the 100 attempts 2 attempts were successful in getting in without username/password. I am seeing database login entries for these