Re: Struts2 login action class seems to be reused
The forward happens only to LoginAction. In some cases a PostBack will work, but in cases where we have given the end user a choice of applications PostBack will not work, as the browser has to post back the 1st request information rather than the second request information.

Agreed. I guess we have to make sure we don't have any get methods in the second application's LoginAction to avoid similar issues. We have removed the getUsername, getPassword and getAction methods, which has stopped the issue of having login credentials in the LoginAction when those are not submitted by the user. Now I have removed the setRequest method (not getRequest) and that seems to solve the session invalid exception. Maybe I can remove the getRequest also, as this is not really needed. We have one more get method, getMessage; this is used to display error messages on the login page, which we probably need to keep, but it should not cause any issues as this data does not change site behavior. I might set this to empty at the start of execute (effectively clearing it, if this is set from an old action).

Thanks,
Prasanth

On 05/17/2018 06:11 AM, Yasser Zamani wrote:
> On 5/16/2018 11:51 PM, Prasanth wrote:
>> Would struts2 call this setRequest method even if the class is implementing just ServletRequestAware?
> No. Additionally, the Struts RequestAware method signature is setRequest(Map request); i.e. its parameter is Map, not ServletRequest.
>
>> Any insights as to why this additional setRequest method causes the problem?
> Yes. It's the same as your issue with the username/password copy from the previous action. Your previous action is in the value stack (I don't know why! see [1]). ChainingInterceptor thinks it's a chain result, so it calls getRequest on the previous action and then calls setRequest on your current action with the returned value (i.e. it copies this value from the previous action and overrides your private request field inside your action).
>
> You can fix this also by removing the getRequest method, which stops ChainingInterceptor from copying this.
>
> But you may encounter several of the same issues when you have both setX and getX methods on your actions.
>
> [1] So, as I mentioned before, could you please rewrite all of your FORWARDs with Struts ServletRedirect or PostBack results (also revert back all removed getter methods)? This shows us if FORWARDs are the root cause of these issues or not. Then we can investigate more on other possible causes.
>
> Regards.
>
> -
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
Re: Struts2 login action class seems to be reused
On 5/16/2018 11:51 PM, Prasanth wrote:
> Would struts2 call this setRequest method even if the class is implementing just ServletRequestAware?

No. Additionally, the Struts RequestAware method signature is setRequest(Map request); i.e. its parameter is Map, not ServletRequest.

> Any insights as to why this additional setRequest method causes the problem?

Yes. It's the same as your issue with the username/password copy from the previous action. Your previous action is in the value stack (I don't know why! see [1]). ChainingInterceptor thinks it's a chain result, so it calls getRequest on the previous action and then calls setRequest on your current action with the returned value (i.e. it copies this value from the previous action and overrides your private request field inside your action).

You can fix this also by removing the getRequest method, which stops ChainingInterceptor from copying this.

But you may encounter several of the same issues when you have both setX and getX methods on your actions.

[1] So, as I mentioned before, could you please rewrite all of your FORWARDs with Struts ServletRedirect or PostBack results (also revert back all removed getter methods)? This shows us if FORWARDs are the root cause of these issues or not. Then we can investigate more on other possible causes.

Regards.
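To make the mechanism Yasser describes concrete (and to show why removing the getters, as Prasanth reports above, stops both the credential copy and the request copy), here is an added plain-JDK model; it is not code from the thread and not Struts' ChainingInterceptor, which does its copy through OGNL. It only mirrors the getter-on-source / setter-on-target matching rule, and every class name, field type and sample value in it is constructed for the demo.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

/*
 * Plain-JDK model of the leak discussed in the thread. A stale LoginAction from an earlier
 * request is still on the value stack; a chaining-style copy then moves every property that is
 * readable (getX) on the stale action and writable (setX) on the new one. Struts' real
 * ChainingInterceptor performs this copy through OGNL; the reflection here only mirrors the
 * getter/setter matching rule so the effect can be run without a Struts runtime.
 * All class names, field types and sample values are constructed for this demo.
 */
public class StaleActionCopyDemo {

    /** The shape the thread started with: getters and setters for everything, including the request. */
    public static class LeakyLoginAction {
        private String username;
        private String password;
        private String request;   // stands in for the HttpServletRequest field
        private String message;

        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
        public String getPassword() { return password; }
        public void setPassword(String p) { password = p; }
        public String getRequest() { return request; }
        public void setRequest(String r) { request = r; }
        public String getMessage() { return message; }
        public void setMessage(String m) { message = m; }
    }

    /** The shape Prasanth ended up with: write-only credentials and request, read-only message. */
    public static class HardenedLoginAction {
        private String username;
        private String password;
        private String request;
        private String message;

        public void setUsername(String u) { username = u; }
        public void setPassword(String p) { password = p; }
        public void setServletRequest(String r) { request = r; }   // injected by the framework; no getRequest()
        public String getMessage() { return message; }             // the view needs it; no setMessage() to copy into

        public String execute() {
            message = null;   // reset first, so text left on a reused instance is never shown
            if (username == null || password == null) {
                message = "Username and password are required";
                return "input";
            }
            return "success";
        }
    }

    /**
     * Copies each property whose name is readable on source and writable on target, and returns
     * the names that were copied. This matching rule is what makes a getX/setX pair dangerous here.
     */
    public static List<String> copyProperties(Object source, Object target) throws Exception {
        List<String> copied = new ArrayList<>();
        PropertyDescriptor[] targetProps =
                Introspector.getBeanInfo(target.getClass(), Object.class).getPropertyDescriptors();
        for (PropertyDescriptor src :
                Introspector.getBeanInfo(source.getClass(), Object.class).getPropertyDescriptors()) {
            Method read = src.getReadMethod();
            if (read == null) {
                continue;   // no getter on the stale action: nothing can be read, so nothing leaks
            }
            for (PropertyDescriptor dst : targetProps) {
                Method write = dst.getWriteMethod();
                if (write != null && dst.getName().equals(src.getName())
                        && write.getParameterTypes()[0].isAssignableFrom(read.getReturnType())) {
                    write.invoke(target, read.invoke(source));
                    copied.add(src.getName());
                }
            }
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: user A's action is stale on the stack when user B's login request arrives.
        LeakyLoginAction staleLeaky = new LeakyLoginAction();
        staleLeaky.setUsername("userA");
        staleLeaky.setPassword("userA-secret");
        staleLeaky.setRequest("request-of-userA");
        staleLeaky.setMessage("Invalid password");
        LeakyLoginAction freshLeaky = new LeakyLoginAction();
        // username, password, request and message all cross over: user B's action now holds user A's data
        System.out.println("leaky action, properties copied: " + copyProperties(staleLeaky, freshLeaky));
        System.out.println("fresh leaky action now holds username=" + freshLeaky.getUsername()
                + ", request=" + freshLeaky.getRequest());

        HardenedLoginAction staleHardened = new HardenedLoginAction();
        staleHardened.setUsername("userA");
        staleHardened.setPassword("userA-secret");
        staleHardened.setServletRequest("request-of-userA");
        HardenedLoginAction freshHardened = new HardenedLoginAction();
        // no readable+writable pair matches, so the copy moves nothing and execute() sees an empty action
        System.out.println("hardened action, properties copied: " + copyProperties(staleHardened, freshHardened));
        System.out.println("fresh hardened action execute() -> " + freshHardened.execute());
    }
}
```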
Re: Struts2 login action class seems to be reused
Another update: the LoginAction in Context2 had the below methods, two methods to set the request. Maybe I had done RequestAware and then realized it should be ServletRequestAware and did not delete the setRequest method. I think having the setRequest is the culprit for the invalid session exception. I have gone back and forth, and when I have this method I can reproduce the error, and when I remove this method I don't get the error. While implementing SessionAware I removed this additional method also, so it worked, but I was thinking that the SessionAware implementation solved the issue.

Any insights as to why this additional setRequest method causes the problem? Would struts2 call this setRequest method even if the class is implementing just ServletRequestAware?

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    /**
     * @return the request
     */
    public HttpServletRequest getRequest() {
        return this.request;
    }

    /**
     * @param aRequest the request to set
     */
    public void setRequest(HttpServletRequest aRequest) {
        this.request = aRequest;
    }

Thanks,
Prasanth

On 05/16/2018 12:44 PM, Prasanth wrote:
> We use the path as / for the cookie path, which allows the session to be shared between context1 and context2. The JSESSIONID also remains the same when the request is forwarded.
>
> Martin asked me if the action is session aware. It was not implementing the SessionAware interface even though the session was accessed (using request.getSession()). Artifact of code from struts1; that part of the code did not change when we moved the action to struts2. So decided to change it and use the session map provided by struts2. Once I have added SessionAware I am not able to reproduce the session invalid exception; did not have a problem reproducing the issue before. Is this expected?
>
> Thanks,
> Prasanth
>
> On 05/16/2018 10:40 AM, Yasser Zamani wrote:
>> On 5/16/2018 7:23 PM, Prasanth wrote:
>>> Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
>>>     at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
>>>     at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
>>>     at com.xx.xx.LoginAction.execute(LoginAction.java:76)
>> Could you see if "Best Practices: Cross-Context Dispatching and Session Handling" [1] fixes your issue? However, it's about Servlets not Struts.
>>
>> Regards.
>>
>> [1] http://satworks.blogspot.com/2011/07/best-practices-cross-context.html
Re: Struts2 login action class seems to be reused
We use the path as / for the cookie path, which allows the session to be shared between context1 and context2. The JSESSIONID also remains the same when the request is forwarded.

Martin asked me if the action is session aware. It was not implementing the SessionAware interface even though the session was accessed (using request.getSession()). Artifact of code from struts1; that part of the code did not change when we moved the action to struts2. So decided to change it and use the session map provided by struts2. Once I have added SessionAware I am not able to reproduce the session invalid exception; did not have a problem reproducing the issue before. Is this expected?

Thanks,
Prasanth

On 05/16/2018 10:40 AM, Yasser Zamani wrote:
> On 5/16/2018 7:23 PM, Prasanth wrote:
>> Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
>>     at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
>>     at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
>>     at com.xx.xx.LoginAction.execute(LoginAction.java:76)
> Could you see if "Best Practices: Cross-Context Dispatching and Session Handling" [1] fixes your issue? However, it's about Servlets not Struts.
>
> Regards.
>
> [1] http://satworks.blogspot.com/2011/07/best-practices-cross-context.html
Re: Struts2 login action class seems to be reused
On 5/16/2018 7:23 PM, Prasanth Pasala wrote:
> Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
>     at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
>     at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
>     at com.xx.xx.LoginAction.execute(LoginAction.java:76)

Could you see if "Best Practices: Cross-Context Dispatching and Session Handling" [1] fixes your issue? However, it's about Servlets not Struts.

Regards.

[1] http://satworks.blogspot.com/2011/07/best-practices-cross-context.html
Re: Struts2 login action class seems to be reused
Martin,

We have the cookie config in the application.

    20 / true true

Thanks,
Prasanth

On 05/15/2018 04:03 PM, Martin Gainty wrote:
> 8443 indicates secure connection so perhaps a misconfig with wildfly standalone.xml (see below)
>
> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>
> can you ping wildfly userlist ?
> https://developer.jboss.org/en/wildfly
>
> jaikiran is a good resource that i met on a different userlist..i would definitely ping him
> stay in touch/let me know if setting session-cookie in standalone.xml works
>
> M-
> NB: I once contracted to the company that bought wildfly..we had to figure configuration by ourselves
>
> From: Prasanth Pasala <ppas...@pangburngroup.com>
> Sent: Tuesday, May 15, 2018 11:42 AM
> To: user@struts.apache.org
> Subject: Re: Struts2 login action class seems to be reused
>
> See below the header information when the exception occurred. Strange thing is JMeter is saying it did not send any cookie (which is what I would expect in this case as it is just requesting the login page)
>
> Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ. (xx - is the machine name on which wildfly is running)
> Connection: keep-alive
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> Host: dev.secure.xxx.com:8443
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
> 10:09:09,150 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) Exception occurred during processing request: UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ
>
> From JMeter---
> GET https://dev.secure.pangburngroup.com:8443/participant/
>
> GET data:
>
> [no cookies]
>
> Request Headers:
> Connection: keep-alive
> Host: dev.secure.xxx.com:8443
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> --
>
> Thanks,
> Prasanth
>
> On 05/15/2018 07:44 AM, Martin Gainty wrote:
>> Hi Norbert/Prasanth
>>
>> Struts2 login action problem has morphed to "Invalid Session State" with Wildfly's implementation of TC 5.5
>>
>> https://en.wikipedia.org/wiki/WildFly
>>
>> MG>as a debugging exercise I would dump HTTP Header attributes with
>>
>> http://livehttpheaders.mozdev.org/
>>
>> MG>then
Re: Struts2 login action class seems to be reused
Below is a complete stack trace.

Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
    at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
    at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
    at com.xx.xx.LoginAction.execute(LoginAction.java:76)
    at sun.reflect.GeneratedMethodAccessor147.invoke(null:-1)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:897)
    at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1299)
    at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
    at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethodWithDebugInfo(XWorkMethodAccessor.java:117)
    at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethod(XWorkMethodAccessor.java:108)
    at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:1375)
    at ognl.ASTMethod.getValueBody(ASTMethod.java:91)
    at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
    at ognl.SimpleNode.getValue(SimpleNode.java:258)
    at ognl.Ognl.getValue(Ognl.java:470)
    at ognl.Ognl.getValue(Ognl.java:434)
    at com.opensymphony.xwork2.ognl.OgnlUtil$3.execute(OgnlUtil.java:362)
    at com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecuteMethod(OgnlUtil.java:414)
    at com.opensymphony.xwork2.ognl.OgnlUtil.callMethod(OgnlUtil.java:360)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:430)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:290)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.DeprecationInterceptor.intercept(DeprecationInterceptor.java:41)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:256)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:168)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:265)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:76)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:191)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:73)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:125)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:253)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at
Re: Struts2 login action class seems to be reused
On 5/16/2018 6:59 AM, Prasanth Pasala wrote:
> We have two applications (websites); to make it easier for users we have a third site that acts as a common login place. Once the user enters the username and password it determines the right site to use and does a forward to that context (applications hosted on the same host).
>
> When using struts1 everything was fine. When we moved to struts2 we started getting crossed logins. When a user gets to the login page the action would get populated with a username and password used by some other user. This happens only if a request with this information is forwarded from one context to another.
>
> With some help from the struts mailing list it was determined that somehow old actions are in the stack and if we remove get methods struts2 would not be able to pull that data and put it in the current value stack. So we did it, and when we started testing we are getting session invalid exceptions. Again this happens only if there are users logging in to context1 and that request is forwarded to context2. If the login activity is done directly in context2 the issue does not arise.

Could you post the complete stack trace of the invalid session exception? I think knowing where and why it tries to access the session may help.

Regards.
Re: Struts2 login action class seems to be reused
We have two applications (websites); to make it easier for users we have a third site that acts as a common login place. Once the user enters the username and password it determines the right site to use and does a forward to that context (applications hosted on the same host).

When using struts1 everything was fine. When we moved to struts2 we started getting crossed logins. When a user gets to the login page the action would get populated with a username and password used by some other user. This happens only if a request with this information is forwarded from one context to another.

With some help from the struts mailing list it was determined that somehow old actions are in the stack and if we remove get methods struts2 would not be able to pull that data and put it in the current value stack. So we did it, and when we started testing we are getting session invalid exceptions. Again this happens only if there are users logging in to context1 and that request is forwarded to context2. If the login activity is done directly in context2 the issue does not arise.

Thanks
Prasanth

On May 15, 2018 8:45:25 PM CDT, Jaikiran Pai <jai.forums2...@gmail.com> wrote:
> I don't have enough context of this discussion, but looking briefly at this, it looks like you are using Apache HTTP client (probably with pooled connections) and it seems like a connection reuse for a subsequent login request is sending a Cookie with the request (when it shouldn't?).
>
> If that's the case, then it looks like the Apache HTTP client's auto Cookie management is coming into the picture, where it "auto attaches" the Cookie, obtained from a previous response on that connection, to the new request on that reused connection. Apache HTTP client allows you to configure this behaviour by setting a cookie policy management. I guess you probably want to use the "ignoreCookies" policy in your case, since you want to manage setting the Cookie on the requests yourself. The Apache HTTP client documentation[1] has more information. Something like:
>
>     final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
>     final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom();
>     ...
>     requestConfigBuilder.setCookieSpec(org.apache.http.client.config.CookieSpecs.IGNORE_COOKIES);
>     ...
>     httpClientBuilder.setDefaultRequestConfig(requestConfigBuilder.build());
>
> [1] For 3.x version (I couldn't find one for 4.x which you seem to be using) https://hc.apache.org/httpclient-3.x/cookies.html
>
> [2] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html
>
> -Jaikiran
>
> On 16/05/18 2:33 AM, Martin Gainty wrote:
>> 8443 indicates secure connection so perhaps a misconfig with wildfly standalone.xml (see below)
>>
>> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>>
>> can you ping wildfly userlist ?
>> https://developer.jboss.org/en/wildfly
>>
>> jaikiran is a good resource that i met on a different userlist..i would definitely ping him
>> stay in touch/let me know if setting session-cookie in standalone.xml works
>>
>> M-
>> NB: I once contracted to the company that bought wildfly..we had to figure configuration by ourselves
>>
>> From: Prasanth Pasala <ppas...@pangburngroup.com>
>> Sent: Tuesday, May 15, 2018 11:42 AM
>> To: user@struts.apache.org
>> Subject: Re: Struts2 login action class seems to be reused
>>
>> See below the header information when the exception occurred. Strange thing is JMeter is saying it did not send any cookie (which is what I would expect in this case as it is just requesting the login page)
>>
>> Cookie: JSESSIONID=ZclUN41sWwTsPGRw
Re: Struts2 login action class seems to be reused
I don't have enough context of this discussion, but looking briefly at this, it looks like you are using Apache HTTP client (probably with pooled connections) and it seems like a connection reuse for a subsequent login request is sending a Cookie with the request (when it shouldn't?).

If that's the case, then it looks like the Apache HTTP client's auto Cookie management is coming into the picture, where it "auto attaches" the Cookie, obtained from a previous response on that connection, to the new request on that reused connection. Apache HTTP client allows you to configure this behaviour by setting a cookie policy management. I guess you probably want to use the "ignoreCookies" policy in your case, since you want to manage setting the Cookie on the requests yourself. The Apache HTTP client documentation[1] has more information. Something like:

    final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
    final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom();
    ...
    requestConfigBuilder.setCookieSpec(org.apache.http.client.config.CookieSpecs.IGNORE_COOKIES);
    ...
    httpClientBuilder.setDefaultRequestConfig(requestConfigBuilder.build());

[1] For 3.x version (I couldn't find one for 4.x which you seem to be using) https://hc.apache.org/httpclient-3.x/cookies.html

[2] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html

-Jaikiran

On 16/05/18 2:33 AM, Martin Gainty wrote:
> 8443 indicates secure connection so perhaps a misconfig with wildfly standalone.xml (see below)
>
> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>
> can you ping wildfly userlist ?
> https://developer.jboss.org/en/wildfly
>
> jaikiran is a good resource that i met on a different userlist..i would definitely ping him
> stay in touch/let me know if setting session-cookie in standalone.xml works
>
> M-
> NB: I once contracted to the company that bought wildfly..we had to figure configuration by ourselves
>
> From: Prasanth Pasala <ppas...@pangburngroup.com>
> Sent: Tuesday, May 15, 2018 11:42 AM
> To: user@struts.apache.org
> Subject: Re: Struts2 login action class seems to be reused
>
> See below the header information when the exception occurred. Strange thing is JMeter is saying it did not send any cookie (which is what I would expect in this case as it is just requesting the login page)
>
> Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ. (xx - is the machine name on which wildfly is running)
> Connection: keep-alive
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> Host: dev.secure.xxx.com:8443
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
> 10:09:09,150 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) Exception occurred during processing request: UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ
>
> From JMeter---
> GET https://dev.secure.pangburngroup.com:8443/participant/
>
> GET data:
>
> [no cookies]
>
> Request Headers:
> Connection: keep-alive
> Host: dev.secure.xxx.com:8443
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> --
>
> Thanks,
> Prasanth
>
> On 05/15/2018 07:44 AM, Martin Gainty wrote:
>> Hi Norbert/Prasanth
>>
>> Struts2 login action problem has morphed to "Invalid Session State" with Wildfly's implementation of TC 5.5
>>
>> https://en.wikipedia.org/wiki/WildFly
Re: Struts2 login action class seems to be reused
8443 indicates secure connection so perhaps a misconfig with wildfly standalone.xml (see below)

https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration

can you ping wildfly userlist ?
https://developer.jboss.org/en/wildfly

jaikiran is a good resource that i met on a different userlist..i would definitely ping him
stay in touch/let me know if setting session-cookie in standalone.xml works

M-
NB: I once contracted to the company that bought wildfly..we had to figure configuration by ourselves

From: Prasanth Pasala <ppas...@pangburngroup.com>
Sent: Tuesday, May 15, 2018 11:42 AM
To: user@struts.apache.org
Subject: Re: Struts2 login action class seems to be reused

See below the header information when the exception occurred. Strange thing is JMeter is saying it did not send any cookie (which is what I would expect in this case as it is just requesting the login page)

Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ. (xx - is the machine name on which wildfly is running)
Connection: keep-alive
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
Host: dev.secure.xxx.com:8443
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

10:09:09,150 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) Exception occurred during processing request: UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ

From JMeter---
GET https://dev.secure.pangburngroup.com:8443/participant/

GET data:

[no cookies]

Request Headers:
Connection: keep-alive
Host: dev.secure.xxx.com:8443
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
--

Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class extending org.apache.catalina.session.StandardManager and overriding the method public Session findSession(String id) throws IOException - simply removing quotation marks, if any! Seems to work fine. Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
> MG>personally i wouldnt muck with TC i would suggest upgrading
Re: Struts2 login action class seems to be reused
See below the header information when the exception occurred. Strange thing is JMeter is saying it did not send any cookie (which is what I would expect in this case as it is just requesting the login page).

    Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ. (xx - is the machine name on which wildfly is running)
    Connection: keep-alive
    User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
    Host: dev.secure.xxx.com:8443
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded

    10:09:09,150 ERROR [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) Exception occurred during processing request: UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ

From JMeter---

    GET https://dev.secure.pangburngroup.com:8443/participant/
    GET data:
    [no cookies]
    Request Headers:
    Connection: keep-alive
    Host: dev.secure.xxx.com:8443
    User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)

--
Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with
> Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with
> a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
> MG>personally I wouldn't muck with TC; I would suggest upgrading wildfly and
> getting jboss-web container
>
> hth
> martin
> __________________
>
> From: Norbert Hirneisen <no...@s2you.de>
> Sent: Friday, March 2, 2018 6:55 PM
> To: user@struts.apache.org
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe? I had some similar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problem looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
> On 02.03.2018 at 22:07, Prasanth Pasala wrote:
>> I was able to replicate the issue today. Asked a few users to keep logging in
>> and ran jmeter to access the login page, without putting any username or
>> password. Out of the 100 attempts 2 attempts were
>> successful in getting in without username/password. I am seeing database
>> login entries for these two. Which would happen only if a valid session is
>> not present and user has provided username/
Re: Struts2 login action class seems to be reused
Hi Martin,

Thanks for the response. We are using Wildfly 11.0.0 Final. I will try to get the HTTP header dump.

Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with
> Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with
> a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
> MG>personally I wouldn't muck with TC; I would suggest upgrading wildfly and
> getting jboss-web container
>
> hth
> martin
> __________________
>
> From: Norbert Hirneisen <no...@s2you.de>
> Sent: Friday, March 2, 2018 6:55 PM
> To: user@struts.apache.org
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe? I had some similar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problem looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
> On 02.03.2018 at 22:07, Prasanth Pasala wrote:
>> I was able to replicate the issue today. Asked a few users to keep logging in
>> and ran jmeter to access the login page, without putting any username or
>> password. Out of the 100 attempts 2 attempts were
>> successful in getting in without username/password. I am seeing database
>> login entries for these two. Which would happen only if a valid session is
>> not present and user has provided username/password.
>>
>> Thanks,
>> Prasanth
>>
>> On 03/01/2018 02:27 PM, Prasanth wrote:
>>> Hi,
>>>
>>> I have an application which uses both struts1 & struts2. The login action
>>> was recently moved to struts2. Immediately after the deployment we were
>>> notified that one user is seeing a different user's
>>> information, so we had to move to older war files. I am not able to
>>> replicate it. But after investigating the logs it seems like a couple of users
>>> were logged in as soon as they requested the login page.
>>> For the database entry to happen it has to verify the username and password
>>> in the action class, but the fact that there is no POST entry at that time
>>> from that IP in my access log makes me believe
>>> that the action class somehow already had that information from a prior
>>> user.
>>>
>>> I do have a login filter to check if users are logged in when accessing
>>> other pages. In this
Re: Re: Struts2 login action class seems to be reused
Hi Norbert/Prasanth

Struts2 login action problem has morphed to "Invalid Session State" with Wildfly's implementation of TC 5.5

https://en.wikipedia.org/wiki/WildFly

MG>as a debugging exercise I would dump HTTP Header attributes with

http://livehttpheaders.mozdev.org/

MG>then check JSESSIONID

MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
MG>and corrected with his own StandardManager findSession method
https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/

Yes, there is! I found it and implemented this solution: A class extending org.apache.catalina.session.StandardManager and overriding the method public Session findSession(String id) throws IOException - simply removing quotation marks, if any! Seems to work fine. Thanks for putting me on the right trail!

MG>assuming your TC has incorrect StandardManager can you update wildfly with a more updated version?
MG>here are versions
https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t

MG>personally I wouldn't muck with TC; I would suggest upgrading wildfly and getting jboss-web container

hth
martin
__

From: Norbert Hirneisen <no...@s2you.de>
Sent: Friday, March 2, 2018 6:55 PM
To: user@struts.apache.org
Subject: Fwd: Re: Struts2 login action class seems to be reused

Hi Prasanth,

are you sure all your struts1 code is thread safe? I had some similar problems in a struts1 application. After removing all action class properties the problem was solved. Struts2 should be thread safe. But your problem looks to me like a problem with thread safety.

Best regards,

Norbert

science + communication & HaNo Systems

Bonn/Ho-Chi-Minh

On 02.03.2018 at 22:07, Prasanth Pasala wrote:
> I was able to replicate the issue today. Asked a few users to keep logging in
> and ran jmeter to access the login page, without putting any username or
> password. Out of the 100 attempts 2 attempts were
> successful in getting in without username/password. I am seeing database
> login entries for these two. Which would happen only if a valid session is
> not present and user has provided username/password.
>
> Thanks,
> Prasanth
>
> On 03/01/2018 02:27 PM, Prasanth wrote:
>> Hi,
>>
>> I have an application which uses both struts1 & struts2. The login action
>> was recently moved to struts2. Immediately after the deployment we were
>> notified that one user is seeing a different user's
>> information, so we had to move to older war files. I am not able to
>> replicate it. But after investigating the logs it seems like a couple of users
>> were logged in as soon as they requested the login page.
>> For the database entry to happen it has to verify the username and password
>> in the action class, but the fact that there is no POST entry at that time
>> from that IP in my access log makes me believe
>> that the action class somehow already had that information from a prior
>> user.
>>
>> I do have a login filter to check if users are logged in when accessing
>> other pages. In this filter I have the below two lines; we had to do this as
>> we will have requests forwarded from one
>> application to another and when that happens we are getting a class cast
>> exception for the ActionMapping class and valueStack. Not sure if the behavior
>> is a side effect of having the below lines.
>>
>>     request.setAttribute("struts.actionMapping", new ActionMapping());
>>     request.setAttribute("struts.valueStack", null);
>>
>> We are using Struts 2.3.34 and Wildfly.
>>
>> Appreciate any insights you might have.
>>
>> Thanks,
>> Prasanth
Re: Struts2 login action class seems to be reused
On 5/15/2018 12:45 AM, Prasanth Pasala wrote:
> A different issue is coming up now after the get methods are removed.
> Getting the below exception sometimes when you request the login page, at
> which point the browser doesn't have the session id yet; the session id
> mentioned would be a session id from a previous request (from another
> thread, in JMeter testing). Wonder if somehow this data (session id) is
> also moved by struts2 when copying data from the other LoginAction that is
> lingering from old requests.
>
> Thanks,
> Prasanth
>
> Exception: java.lang.IllegalStateException: UT10: Session is invalid JVoo5BkMlzTpOavsEe7_NjS0MzTXDlhYtlSviiGR

AFAIK the session is completely managed by the browser and app server, e.g. Tomcat; so I think this isn't a Struts issue.

Regards.
Re: Struts2 login action class seems to be reused
A different issue is coming up now after the get methods are removed. Getting the below exception sometimes when you request the login page, at which point the browser doesn't have the session id yet; the session id mentioned would be a session id from a previous request (from another thread, in JMeter testing). Wonder if somehow this data (session id) is also moved by struts2 when copying data from the other LoginAction that is lingering from old requests.

Thanks,
Prasanth

Exception: java.lang.IllegalStateException: UT10: Session is invalid JVoo5BkMlzTpOavsEe7_NjS0MzTXDlhYtlSviiGR

On 04/24/2018 09:00 AM, Prasanth Pasala wrote:
> I have removed the get methods from the LoginAction of /Context2 and that
> seems to solve the problem. So it seems like the LoginAction objects created
> because of FORWARD are somehow in the stack while a LoginAction is created
> due to a REQUEST. Wondering if this can be replicated without having two
> contexts. If there is a FORWARD within the context and the same action can
> also be initiated by direct REQUEST, wonder if the same issue will crop up.
>
> Thanks,
> Prasanth
>
> On 04/24/2018 01:52 AM, Yasser Zamani wrote:
>> On 4/23/2018 11:50 PM, Prasanth Pasala wrote:
>>> Get rid of the get methods in LoginAction, is this in /Context2
>>> (application where the issue is occurring) or /Context1 (which forwards the
>>> requests to /Context2)?
>>>
>> The context which forwards the request (Context1 I think), but you may do it
>> for all to be sure. However, I still prefer rewriting FORWARD with REDIRECT
>> or POSTBACK to prevent future possible issues.
>>
>>> Yes exactly. The new log shows your previous context's actions
>>> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
>>> current context because you forward the same request, which includes the
>>> previous context data; then Struts ChainInterceptor copies data from the
>>> previous to the current action :S . As currently Struts cannot handle
>>> forwarded requests well, could you please try REDIRECT instead?
>>> sendRedirect asks the user's browser to continue with a new request.
>>>
>>> Still not sure about the above comment. So the ChainInterceptor is getting
>>> data from an action that occurred before and is not part of the current
>>> request?
>> Struts has a stack. ChainResult pushes the current action to the stack for
>> the next action. In the next action, ChainInterceptor pops it and copies
>> values. Now you have two actions in the stack (I don't know how, but it
>> seems it's because of forwarding the same request which has the previous
>> context1 stack) and ChainInterceptor thinks ChainResult has pushed that and
>> then pops and copies them into the current action.
>>
>> Regards.
Re: Struts2 login action class seems to be reused
I have removed the get methods from the LoginAction of /Context2 and that seems to solve the problem. So it seems like the LoginAction objects created because of FORWARD are somehow in the stack while a LoginAction is created due to a REQUEST. Wondering if this can be replicated without having two contexts. If there is a FORWARD within the context and the same action can also be initiated by direct REQUEST, wonder if the same issue will crop up.

Thanks,
Prasanth

On 04/24/2018 01:52 AM, Yasser Zamani wrote:
> On 4/23/2018 11:50 PM, Prasanth Pasala wrote:
>> Get rid of the get methods in LoginAction, is this in /Context2 (application
>> where the issue is occurring) or /Context1 (which forwards the requests to
>> /Context2)?
>>
> The context which forwards the request (Context1 I think), but you may do it
> for all to be sure. However, I still prefer rewriting FORWARD with REDIRECT
> or POSTBACK to prevent future possible issues.
>
>> Yes exactly. The new log shows your previous context's actions
>> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
>> current context because you forward the same request, which includes the
>> previous context data; then Struts ChainInterceptor copies data from the
>> previous to the current action :S . As currently Struts cannot handle
>> forwarded requests well, could you please try REDIRECT instead?
>> sendRedirect asks the user's browser to continue with a new request.
>>
>> Still not sure about the above comment. So the ChainInterceptor is getting
>> data from an action that occurred before and is not part of the current
>> request?
> Struts has a stack. ChainResult pushes the current action to the stack for
> the next action. In the next action, ChainInterceptor pops it and copies
> values. Now you have two actions in the stack (I don't know how, but it
> seems it's because of forwarding the same request which has the previous
> context1 stack) and ChainInterceptor thinks ChainResult has pushed that and
> then pops and copies them into the current action.
>
> Regards.
Re: Struts2 login action class seems to be reused
On 4/23/2018 11:50 PM, Prasanth Pasala wrote:
> Get rid of the get methods in LoginAction, is this in /Context2 (application
> where the issue is occurring) or /Context1 (which forwards the requests to
> /Context2)?
>

The context which forwards the request (Context1 I think), but you may do it for all to be sure. However, I still prefer rewriting FORWARD with REDIRECT or POSTBACK to prevent future possible issues.

> Yes exactly. The new log shows your previous context's actions
> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
> current context because you forward the same request, which includes the
> previous context data; then Struts ChainInterceptor copies data from the
> previous to the current action :S . As currently Struts cannot handle
> forwarded requests well, could you please try REDIRECT instead?
> sendRedirect asks the user's browser to continue with a new request.
>
> Still not sure about the above comment. So the ChainInterceptor is getting
> data from an action that occurred before and is not part of the current
> request?

Struts has a stack. ChainResult pushes the current action to the stack for the next action. In the next action, ChainInterceptor pops it and copies values. Now you have two actions in the stack (I don't know how, but it seems it's because of forwarding the same request which has the previous context1 stack) and ChainInterceptor thinks ChainResult has pushed that and then pops and copies them into the current action.

Regards.
Re: Struts2 login action class seems to be reused
Get rid of the get methods in LoginAction, is this in /Context2 (application where the issue is occurring) or /Context1 (which forwards the requests to /Context2)?

Yes exactly. The new log shows your previous context's actions (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the current context because you forward the same request, which includes the previous context data; then Struts ChainInterceptor copies data from the previous to the current action :S . As currently Struts cannot handle forwarded requests well, could you please try REDIRECT instead? sendRedirect asks the user's browser to continue with a new request.

Still not sure about the above comment. So the ChainInterceptor is getting data from an action that occurred before and is not part of the current request?

Thanks,
Prasanth

On 04/23/2018 01:27 PM, Yasser Zamani wrote:
> On 4/23/2018 10:12 PM, Prasanth Pasala wrote:
>> The user is inputting username and password in /Context1; if I send a
>> redirect they would have to enter username/password again in /Context2.
>>
> No, you already have them. I think you can use Struts PostbackResult [1]
> in /Context1/LoginAction like below:
>
> /Context2/LoginAction
>
>> Maybe for LoginAction in /Context2 I can remove instance variables (so that
>> struts doesn't set any values). I will directly access the request object to
>> get username and password to validate.
> The simpler solution is deleting the getUsername and getPassword methods
> from LoginAction, which stops ChainInterceptor from copying them and
> solves this issue! But I'm worried about other issues caused by FORWARD,
> so please try replacing all of them as I mentioned above.
>
> [1] https://struts.apache.org/core-developers/postback-result.html
Re: Struts2 login action class seems to be reused
On 4/23/2018 10:12 PM, Prasanth Pasala wrote:
> The user is inputting username and password in /Context1; if I send a
> redirect they would have to enter username/password again in /Context2.
>

No, you already have them. I think you can use Struts PostbackResult [1] in /Context1/LoginAction like below:

/Context2/LoginAction

> Maybe for LoginAction in /Context2 I can remove instance variables (so that
> struts doesn't set any values). I will directly access the request object to
> get username and password to validate.

The simpler solution is deleting the getUsername and getPassword methods from LoginAction, which stops ChainInterceptor from copying them and solves this issue! But I'm worried about other issues caused by FORWARD, so please try replacing all of them as I mentioned above.

[1] https://struts.apache.org/core-developers/postback-result.html
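The mechanism discussed in this message and in the later "Struts has a stack" explanation (a chaining step walks the objects already on the value stack and copies, getter to setter, into the action being invoked, so a stale action left behind by a forwarded request donates its credentials to a plain GET for the login page) and the two fixes proposed (remove the getters, or redirect so the new request starts with an empty stack), reduced to a stand-alone simulation. This is an added example, not Struts code and not anything posted in the thread: the classes ChainCopyDemo, LeakyLoginAction and SetterOnlyLoginAction are constructed for the demonstration, and the java.beans-based copyProperties method stands in for the framework's OgnlUtil.copy, so it reproduces the shape of the behaviour (and why it is a cross-request data leak), not the real implementation.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.ArrayDeque;
import java.util.Deque;

/** Constructed simulation of getter-to-setter copying from a value stack (not Struts code). */
public class ChainCopyDemo {

    /** Login action with full bean accessors, like the LoginAction in the thread before the fix. */
    public static class LeakyLoginAction {
        private String username;
        private String password;
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
        public String getPassword() { return password; }
        public void setPassword(String p) { password = p; }
    }

    /** Same action with the getters removed: nothing readable for the copy to pick up. */
    public static class SetterOnlyLoginAction {
        private String username;
        private String password;
        public void setUsername(String u) { username = u; }
        public void setPassword(String p) { password = p; }
        /** Not a bean getter (no "get" prefix), so the copy never sees it. */
        String describe() { return "username=" + username + ", password=" + password; }
    }

    /**
     * Getter-to-setter copy, the way a chaining step treats a previous action:
     * every readable property of {@code from} is written to the property of the
     * same name on {@code to} when that property has a setter. Stand-in for the
     * framework's OgnlUtil.copy; returns how many properties were transferred.
     */
    public static int copyProperties(Object from, Object to) throws Exception {
        int copied = 0;
        BeanInfo src = Introspector.getBeanInfo(from.getClass(), Object.class);
        BeanInfo dst = Introspector.getBeanInfo(to.getClass(), Object.class);
        for (PropertyDescriptor s : src.getPropertyDescriptors()) {
            if (s.getReadMethod() == null) {
                continue;                       // no getter: nothing to read
            }
            for (PropertyDescriptor d : dst.getPropertyDescriptors()) {
                if (d.getName().equals(s.getName()) && d.getWriteMethod() != null) {
                    d.getWriteMethod().invoke(to, s.getReadMethod().invoke(from));
                    copied++;
                }
            }
        }
        return copied;
    }

    /** Copy from every object still on the stack into the action being invoked. */
    public static int chainFromStack(Deque<Object> stack, Object current) throws Exception {
        int copied = 0;
        for (Object previous : stack) {
            copied += copyProperties(previous, current);
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: a forwarded login left its action on the stack ...
        LeakyLoginAction stale = new LeakyLoginAction();
        stale.setUsername("user-from-earlier-request");
        stale.setPassword("password-from-earlier-request");
        Deque<Object> stack = new ArrayDeque<>();
        stack.push(stale);

        // ... and a plain GET for the login page, carrying no credentials, arrives.
        LeakyLoginAction fresh = new LeakyLoginAction();
        int n = chainFromStack(stack, fresh);
        System.out.println("getters present : " + n + " properties copied, username now "
                + fresh.getUsername());

        // Fix 1 (what the thread applied): same kind of stale stack, action without getters.
        SetterOnlyLoginAction staleNoGetters = new SetterOnlyLoginAction();
        staleNoGetters.setUsername("user-from-earlier-request");
        staleNoGetters.setPassword("password-from-earlier-request");
        Deque<Object> stack2 = new ArrayDeque<>();
        stack2.push(staleNoGetters);
        SetterOnlyLoginAction fresh2 = new SetterOnlyLoginAction();
        n = chainFromStack(stack2, fresh2);
        System.out.println("getters removed : " + n + " properties copied, " + fresh2.describe());

        // Fix 2 (redirect instead of forward): the new request starts with an empty stack.
        LeakyLoginAction fresh3 = new LeakyLoginAction();
        n = chainFromStack(new ArrayDeque<>(), fresh3);
        System.out.println("empty stack     : " + n + " properties copied, username now "
                + fresh3.getUsername());
    }
}
```

Run it with `javac ChainCopyDemo.java && java ChainCopyDemo`. The first scenario reports both credential properties copied into an action that received no request parameters, which is exactly the symptom reported in the thread (a database login for a user who only requested the login page); the other two scenarios report nothing copied. The getter-removal fix works only because the copy reads through bean getters, so any getter added later to the action (getMessage, getRequest, getAction) reopens the path; the redirect/postback fix removes the stale object from the stack instead and does not depend on the action's shape.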
Re: Struts2 login action class seems to be reused
The two LoginAction classes below are from the same context (/Context2). Context1 LoginAction would have a different package name.

The issue occurs when a user is requesting /Context2 directly rather than when the request is forwarded. If the request is forwarded from /Context1 it would have the username and password in the request and those seem to be working fine. The issue is when there are requests forwarded from /Context1 with username and password and later on there is a GET request to /Context2 LoginAction (no username/password in request, so it should display the login page). Now somehow struts is using data from the old forwarded requests (sent from Context1) for a request made directly to Context2.

The user is inputting username and password in /Context1; if I send a redirect they would have to enter username/password again in /Context2.

Maybe for LoginAction in /Context2 I can remove instance variables (so that struts doesn't set any values). I will directly access the request object to get username and password to validate.

Thanks,
Prasanth

On 04/23/2018 12:31 PM, Yasser Zamani wrote:
> On 4/23/2018 8:04 PM, Prasanth Pasala wrote:
>> Found this one also but for almost all, the root size was 3. Below one was
>> an anomaly.
>>
>>     Root Size: 4
>>     Result: null
>>     Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
>>     Object: com.nqadmin.webaccess.LoginAction@7f716c46
>>     Object: com.nqadmin.webaccess.LoginAction@35224c2f
>>
>> Also found that the issue doesn't come up if I am logging in only to the
>> second website (/context2). The issue only comes up if there are users
>> logging in via context1, whose login request is forwarded to context2.
> Yes exactly. The new log shows your previous context's actions
> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
> current context because you forward the same request, which includes the
> previous context data; then Struts ChainInterceptor copies data from the
> previous to the current action :S . As currently Struts cannot handle
> forwarded requests well, could you please try REDIRECT instead?
> sendRedirect asks the user's browser to continue with a new request.
>
> Regards.
Re: Struts2 login action class seems to be reused
On 4/23/2018 8:04 PM, Prasanth Pasala wrote:
> Found this one also but for almost all, the root size was 3. Below one was
> an anomaly.
>
>     Root Size: 4
>     Result: null
>     Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
>     Object: com.nqadmin.webaccess.LoginAction@7f716c46
>     Object: com.nqadmin.webaccess.LoginAction@35224c2f
>
> Also found that the issue doesn't come up if I am logging in only to the
> second website (/context2). The issue only comes up if there are users
> logging in via context1, whose login request is forwarded to context2.

Yes exactly. The new log shows your previous context's actions (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the current context because you forward the same request, which includes the previous context data; then Struts ChainInterceptor copies data from the previous to the current action :S . As currently Struts cannot handle forwarded requests well, could you please try REDIRECT instead? sendRedirect asks the user's browser to continue with a new request.

Regards.
Re: Struts2 login action class seems to be reused
Found this one also but for almost all, the root size was 3. Below one was an anomaly.

    Root Size: 4
    Result: null
    Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
    Object: com.nqadmin.webaccess.LoginAction@7f716c46
    Object: com.nqadmin.webaccess.LoginAction@35224c2f

Also found that the issue doesn't come up if I am logging in only to the second website (/context2). The issue only comes up if there are users logging in via context1, whose login request is forwarded to context2.

Since it has been a while, I am including the details of how our setup works. Context 2 & Context 3 are two websites and depending on user type they have to login to one or the other. To make it easy for the user we have Context1 where we allow users to login; this site checks the database, determines which site they need to be logging into and forwards the login request to Context2 or Context3. We have users who would login to the right context and some who utilize Context1 to login.

Thanks,
Prasanth

On 04/23/2018 09:42 AM, Prasanth Pasala wrote:
> Below is the result of the new logging.
>
>     Root Size: 3
>     Result: null
>     Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
>     Object: com.xx.webaccess.LoginAction@40c80ce8
>
> Thanks,
> Prasanth
>
> On 04/21/2018 05:09 AM, Yasser Zamani wrote:
>> On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
>>> There is an index.jsp which is defined as default page in web.xml; it just
>>> forwards the request to Login.action. There is no chaining of actions in
>>> struts itself. We do have a LoginFilter which verifies if a user is logged in.
>>>
>> So maybe there is a bug with chain interceptor! Could you please use the
>> following code in your action setUsername method (save its log in a
>> private string field in your action). Then print it when your action
>> data are not consistent with request params.
>>
>>     String log = "";
>>     ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
>>     ValueStack stack = invocation.getStack();
>>     CompoundRoot root = stack.getRoot();
>>     log += "Root Size: " + root.size();
>>     Result result = invocation.getResult();
>>     log += "\r\nResult: " + result;
>>     List<Object> list = new ArrayList<Object>(root);
>>     list.remove(0);            // index 0 is the top of the stack: the current action
>>     Collections.reverse(list); // list the remaining entries bottom of stack first
>>     for (Object object : list) {
>>         log += "\r\nObject: " + object;
>>     }
>>     this.log = log; // saves for possible future use
>>
>> Thanks!
Re: Struts2 login action class seems to be reused
Below is the result of the new logging.

    Root Size: 3
    Result: null
    Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
    Object: com.xx.webaccess.LoginAction@40c80ce8

Thanks,
Prasanth

On 04/21/2018 05:09 AM, Yasser Zamani wrote:
> On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
>> There is an index.jsp which is defined as default page in web.xml; it just
>> forwards the request to Login.action. There is no chaining of actions in
>> struts itself. We do have a LoginFilter which verifies if a user is logged in.
>>
> So maybe there is a bug with chain interceptor! Could you please use the
> following code in your action setUsername method (save its log in a
> private string field in your action). Then print it when your action
> data are not consistent with request params.
>
>     String log = "";
>     ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
>     ValueStack stack = invocation.getStack();
>     CompoundRoot root = stack.getRoot();
>     log += "Root Size: " + root.size();
>     Result result = invocation.getResult();
>     log += "\r\nResult: " + result;
>     List<Object> list = new ArrayList<Object>(root);
>     list.remove(0);            // index 0 is the top of the stack: the current action
>     Collections.reverse(list); // list the remaining entries bottom of stack first
>     for (Object object : list) {
>         log += "\r\nObject: " + object;
>     }
>     this.log = log; // saves for possible future use
>
> Thanks!
Re: Struts2 login action class seems to be reused
On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
> There is an index.jsp which is defined as default page in web.xml; it just
> forwards the request to Login.action. There is no chaining of actions in
> struts itself. We do have a LoginFilter which verifies if a user is logged in.
>

So maybe there is a bug with chain interceptor! Could you please use the following code in your action setUsername method (save its log in a private string field in your action). Then print it when your action data are not consistent with request params.

    // imports needed in the action class:
    // import java.util.ArrayList; import java.util.Collections; import java.util.List;
    // import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionInvocation;
    // import com.opensymphony.xwork2.Result; import com.opensymphony.xwork2.util.CompoundRoot;
    // import com.opensymphony.xwork2.util.ValueStack;

    String log = "";
    // the invocation comes from the per-request ActionContext
    ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
    ValueStack stack = invocation.getStack();
    CompoundRoot root = stack.getRoot();
    log += "Root Size: " + root.size();
    Result result = invocation.getResult();   // still null while interceptors are running
    log += "\r\nResult: " + result;
    List<Object> list = new ArrayList<Object>(root);
    list.remove(0);            // index 0 is the top of the stack: the current action
    Collections.reverse(list); // list the remaining entries bottom of stack first
    for (Object object : list) {
        log += "\r\nObject: " + object;
    }
    this.log = log; // saves for possible future use

Thanks!
Re: Struts2 login action class seems to be reused
There is an index.jsp which is defined as the default page in web.xml; it just forwards the request to Login.action. There is no chaining of actions in struts itself. We do have a LoginFilter which verifies if a user is logged in.

Thanks,
Prasanth

On 04/19/2018 03:26 AM, Yasser Zamani wrote:
> On 4/19/2018 7:21 AM, Prasanth Pasala wrote:
>>     com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153)
>>     com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143)
>
> Thanks! These lines show Struts doesn't set username from a request parameter, but it seems that you have a chain result to the login action which sets username from its previous action's getUsername! Could you verify this by reviewing your struts.xml and finding an action that has a chain result to the login action?
>
> Thanks in advance!
Re: Struts2 login action class seems to be reused
On 4/19/2018 7:21 AM, Prasanth Pasala wrote:
>     com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153)
>     com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143)

Thanks! These lines show Struts doesn't set username from a request parameter, but it seems that you have a chain result to the login action which sets username from its previous action's getUsername! Could you verify this by reviewing your struts.xml and finding an action that has a chain result to the login action?

Thanks in advance!
Re: Struts2 login action class seems to be reused
Below is the stack trace for the setting of username. So struts2 has set the username, but that name doesn't exist in the request object.

    Struts Data: Username: jsmith Action: Login
    Request Data: Username: null Action: null

    java.lang.Thread.getStackTrace(Thread.java:1559)
    com.x.webaccess.LoginAction.setUsername(LoginAction.java:273)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:897)
    ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1299)
    ognl.OgnlRuntime.setMethodValue(OgnlRuntime.java:1508)
    ognl.ObjectPropertyAccessor.setPossibleProperty(ObjectPropertyAccessor.java:85)
    ognl.ObjectPropertyAccessor.setProperty(ObjectPropertyAccessor.java:162)
    com.opensymphony.xwork2.ognl.accessor.ObjectAccessor.setProperty(ObjectAccessor.java:27)
    ognl.OgnlRuntime.setProperty(OgnlRuntime.java:2437)
    ognl.ASTProperty.setValueBody(ASTProperty.java:127)
    ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
    ognl.SimpleNode.setValue(SimpleNode.java:301)
    ognl.Ognl.setValue(Ognl.java:713)
    com.opensymphony.xwork2.ognl.OgnlUtil$6.execute(OgnlUtil.java:504)
    com.opensymphony.xwork2.ognl.OgnlUtil$6.execute(OgnlUtil.java:501)
    com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:393)
    com.opensymphony.xwork2.ognl.OgnlUtil.copy(OgnlUtil.java:501)
    com.opensymphony.xwork2.ognl.OgnlReflectionProvider.copy(OgnlReflectionProvider.java:73)
    com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153)
    com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143)
    com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
    com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:140)
    com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
    com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
    com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
    com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
    org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:575)
    org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)
    org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)
    io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    com.x.webaccess.LoginFilter.doFilter(LoginFilter.java:52)
    io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
    io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
    io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
    org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:722)
    org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:695)
Re: Struts2 login action class seems to be reused
On 4/16/2018 7:19 PM, Prasanth Pasala wrote:
> So I am wondering where did these values come from into the instance variables?

Great! Please also get the current stack trace inside your action's setUsername method and save it in a private string field inside your action. Then, when the action and request data mismatch, also print this string, which answers where these values came from.

Thanks in advance!
Re: Struts2 login action class seems to be reused
Finally we redeployed the code with an added check to make sure the instance variables populated by struts match the request parameters. Within a few hours of deployment we got emails indicating that the values populated into the instance variables don't match those in the request parameters. Below you can see the difference between the instance variables and the values in the request object. The code is also updated to store the hash code of the Login action for each login, so that we can see if the object is reused. Surprisingly the hash code doesn't match any of the hash codes stored for successful logins. When the emails are triggered there is only a GET request for the Login action (which should display the login page; once the user enters the username & password it is submitted via POST). So I am wondering where did these values come from into the instance variables?

    Struts data doesn't match that in request object.
    Struts Data: Username: jsmith Action: Login
    Request Data: Username: null Action: null
    Object Hash: 1573857416

Thanks,
Prasanth

On 03/16/2018 02:30 PM, Prasanth Pasala wrote:
> There is only one reference to Util.authenticate in the project and that is in LoginAction.
>
> On 03/16/2018 02:13 PM, Yasser Zamani wrote:
>> And you confirm that those log record insertions are only possible via the LoginAction.execute method? Right? Or is util.authenticate called elsewhere also?
>>
>> On Mar 16, 2018, at 9:45PM, Prasanth Pasala wrote:
>>> We have a pretty standard struts.xml: just declaration of the action and the class along with the results (tiles results). Nothing other than that.
>>>
>>> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>>>> On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>>>> We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in the access log, so those would be our problem occurrences. They actually correspond to a GET entry from a user.
>>>>>
>>>>> IP of the GET request of User1 matches with the login record in the database (login would be for User2 id and IP from User1 GET). So it looks as if the same user logged in from two different IPs around the same time, which shouldn't be the case.
>>>>
>>>> I'm almost sure Struts always asks the object factory to create the action on each request. It is up to the object factory whether to create a new object of that action or reuse a previous object of that action. So have you set any specific object factory via struts.xml?
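A defensive version of the check described in the message above, written here as an added example (it is not the project's code): the action's populated fields are compared with the parameters the HttpServletRequest actually carries, and a mismatch refuses the login and records the same facts Prasanth e-mails himself. It assumes the LoginAction fields request, username, password, action, message and log shown elsewhere in this thread; the class and method names are hypothetical.

```java
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (not the project's code). Compares what Struts populated into the
 * LoginAction fields with what this HttpServletRequest actually carries. A value
 * that was copied from another action object (the ChainingInterceptor symptom in
 * this thread) shows up as a mismatch, and execute() can refuse to authenticate.
 */
public final class ActionRequestConsistency {

    private ActionRequestConsistency() {}

    /** Returns null when the action agrees with the request, otherwise a loggable description. */
    public static String check(HttpServletRequest request,
                               String username, String password, String action) {
        StringBuilder problems = new StringBuilder();
        append(problems, mismatch(request, "username", username, false));
        append(problems, mismatch(request, "action", action, false));
        append(problems, mismatch(request, "password", password, true)); // value is never logged
        if (problems.length() == 0) {
            return null;
        }
        // Client address and HTTP method let the report be matched against the container
        // access log, which is how the thread correlated the GET with the wrong login record.
        return "Struts data doesn't match request object: " + problems
                + "method=" + request.getMethod()
                + " remoteAddr=" + request.getRemoteAddr();
    }

    /**
     * Null when the action field agrees with the request parameter. Struts leaves an
     * absent parameter at the field's default (""), while getParameter() returns null,
     * so both sides are normalised to null before comparing.
     */
    static String mismatch(HttpServletRequest request, String param,
                           String actionValue, boolean sensitive) {
        String fromRequest = blankToNull(request.getParameter(param));
        String fromAction = blankToNull(actionValue);
        if (Objects.equals(fromRequest, fromAction)) {
            return null;
        }
        return sensitive
                ? param + " differs between action and request"
                : param + ": action=" + fromAction + " request=" + fromRequest;
    }

    private static void append(StringBuilder sb, String problem) {
        if (problem != null) {
            sb.append(problem).append("; ");
        }
    }

    private static String blankToNull(String s) {
        return (s == null || s.trim().isEmpty()) ? null : s;
    }
}

/*
 * Hypothetical use at the top of LoginAction.execute(), before any authentication,
 * with the fields request/username/password/action/message/log shown on this page:
 *
 *     String problem = ActionRequestConsistency.check(request, username, password, action);
 *     if (problem != null) {
 *         log.error(problem + " actionIdentity=" + System.identityHashCode(this));
 *         username = ""; password = ""; action = "";   // discard the stale values
 *         message = "Please enter your username and password";
 *         return "secure";                              // show the login page again
 *     }
 */
```

The identity hash is the same value the thread later asks to log (System.identityHashCode(this)), so the refused-login record can be compared with the hashes stored for successful logins.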
Re: Struts2 login action class seems to be reused
On 3/16/2018 11:00 PM, Prasanth Pasala wrote:
> There is only one reference to Util.authenticate in the project and that is in LoginAction.

If (those log record insertions are only possible via LoginAction.execute method && the IP field values of them are different and are consistent with the access log of that POST and GET request) then it seems you're right! i.e. one specific object of LoginAction has executed both requests, POST from User2 then GET from User1!!

To confirm this, could you please change your code as below:

    if (censusID == -1) {
        message = "Invalid username/password specified";
        result = "failed";
    } else {
        new com.x.x.model.Logger().loggedIn(censusID, remoteHost, System.identityHashCode(this));
    }

i.e. also log the identity hash code of the LoginAction object to see if both records are inserted via the same action object.

Thanks in advance for your support!

> On 03/16/2018 02:13 PM, Yasser Zamani wrote:
>> And you confirm that those log record insertions are only possible via the LoginAction.execute method? Right? Or is util.authenticate called elsewhere also?
>>
>> On Mar 16, 2018, at 9:45PM, Prasanth Pasala wrote:
>>> We have a pretty standard struts.xml: just declaration of the action and the class along with the results (tiles results). Nothing other than that.
>>>
>>> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>>>> On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>>>> We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in the access log, so those would be our problem occurrences. They actually correspond to a GET entry from a user.
>>>>>
>>>>> IP of the GET request of User1 matches with the login record in the database (login would be for User2 id and IP from User1 GET). So it looks as if the same user logged in from two different IPs around the same time, which shouldn't be the case.
>>>>
>>>> I'm almost sure Struts always asks the object factory to create the action on each request. It is up to the object factory whether to create a new object of that action or reuse a previous object of that action. So have you set any specific object factory via struts.xml?
Re: Struts2 login action class seems to be reused
There is only one reference to Util.authenticate in the project and that is in LoginAction.

On 03/16/2018 02:13 PM, Yasser Zamani wrote:
> And you confirm that those log record insertions are only possible via the LoginAction.execute method? Right? Or is util.authenticate called elsewhere also?
>
> On Mar 16, 2018, at 9:45PM, Prasanth Pasala wrote:
>> We have a pretty standard struts.xml: just declaration of the action and the class along with the results (tiles results). Nothing other than that.
>>
>> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>>> On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>>> We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in the access log, so those would be our problem occurrences. They actually correspond to a GET entry from a user.
>>>>
>>>> IP of the GET request of User1 matches with the login record in the database (login would be for User2 id and IP from User1 GET). So it looks as if the same user logged in from two different IPs around the same time, which shouldn't be the case.
>>>
>>> I'm almost sure Struts always asks the object factory to create the action on each request. It is up to the object factory whether to create a new object of that action or reuse a previous object of that action. So have you set any specific object factory via struts.xml?
Re: Struts2 login action class seems to be reused
And you confirm that those log record insertions are only possible via the LoginAction.execute method? Right? Or is util.authenticate called elsewhere also?

On Mar 16, 2018, at 9:45PM, Prasanth Pasala wrote:
> We have a pretty standard struts.xml: just declaration of the action and the class along with the results (tiles results). Nothing other than that.
>
> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>> On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>> We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in the access log, so those would be our problem occurrences. They actually correspond to a GET entry from a user.
>>>
>>> IP of the GET request of User1 matches with the login record in the database (login would be for User2 id and IP from User1 GET). So it looks as if the same user logged in from two different IPs around the same time, which shouldn't be the case.
>>
>> I'm almost sure Struts always asks the object factory to create the action on each request. It is up to the object factory whether to create a new object of that action or reuse a previous object of that action. So have you set any specific object factory via struts.xml?
Re: Struts2 login action class seems to be reused
We have a pretty standard struts.xml: just declaration of the action and the class along with the results (tiles results). Nothing other than that.

On 03/16/2018 11:55 AM, Yasser Zamani wrote:
> On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>> We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in the access log, so those would be our problem occurrences. They actually correspond to a GET entry from a user.
>>
>> IP of the GET request of User1 matches with the login record in the database (login would be for User2 id and IP from User1 GET). So it looks as if the same user logged in from two different IPs around the same time, which shouldn't be the case.
>
> I'm almost sure Struts always asks the object factory to create the action on each request. It is up to the object factory whether to create a new object of that action or reuse a previous object of that action. So have you set any specific object factory via struts.xml?
Re: Struts2 login action class seems to be reused
On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
> We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in the access log, so those would be our problem occurrences. They actually correspond to a GET entry from a user.
>
> IP of the GET request of User1 matches with the login record in the database (login would be for User2 id and IP from User1 GET). So it looks as if the same user logged in from two different IPs around the same time, which shouldn't be the case.

I'm almost sure Struts always asks the object factory to create the action on each request. It is up to the object factory whether to create a new object of that action or reuse a previous object of that action. So have you set any specific object factory via struts.xml?
Re: Struts2 login action class seems to be reused
We do have login time, using that and the IP to correlate that with the access logs. Not all login entries have corresponding POST entries in the access log, so those would be our problem occurrences. They actually correspond to a GET entry from a user.

IP of the GET request of User1 matches with the login record in the database (login would be for User2 id and IP from User1 GET). So it looks as if the same user logged in from two different IPs around the same time, which shouldn't be the case.

Thanks,
Prasanth

On 03/15/2018 10:28 AM, Yasser Zamani wrote:
> On 3/15/2018 5:21 PM, Prasanth Pasala wrote:
>> User2 would have logged in some time before that, sometimes within a minute before that. I haven't seen any requests from User2 exactly at the time of the GET request from User1.
>
> It's strange :)
>
> Do the login log records have the same field values for both User1 and User2? Do you also have login time in there? If so, are they the same and are they consistent with the access log times? Are their IPs the same (while they shouldn't be, right?)? Is the IP of the GET request of User1 (that is logged in the access log by the container) the same as the IP field value of your login log records?
>
> Thanks!
Re: Struts2 login action class seems to be reused
On 3/15/2018 5:21 PM, Prasanth Pasala wrote:
> User2 would have logged in some time before that, sometimes within a minute before that. I haven't seen any requests from User2 exactly at the time of the GET request from User1.

It's strange :)

Do the login log records have the same field values for both User1 and User2? Do you also have login time in there? If so, are they the same and are they consistent with the access log times? Are their IPs the same (while they shouldn't be, right?)? Is the IP of the GET request of User1 (that is logged in the access log by the container) the same as the IP field value of your login log records?

Thanks!
Re: Struts2 login action class seems to be reused
User2 would have logged in some time before that, sometimes within a minute before that. I haven't seen any requests from User2 exactly at the time of the GET request from User1.

Thanks,
Prasanth

On 03/15/2018 04:45 AM, Yasser Zamani wrote:
> On 3/14/2018 5:43 PM, Prasanth Pasala wrote:
>> We had a user report it soon after the deployment. After that we started looking into the specific user who reported (User1) and the user (whose information was seen by the reporting user), say User2. We realized there are login entries from the same IP for both of these users.
>
> As you get the IP address from the request (rather than the Struts action), it seems that the request (which contains username/password and that same IP address) is being reused.
>
>> In the access log of the server there was a POST request for User1 but at the time of the login entry for User2 there was only a GET request. In the timeline the GET request is first; User1 sees User2's information, logs out and then logs in again with their credentials.
>
> At the time when there is a GET request for User1 and this issue happens, what are the logs for User2 at the same time?
>
> Thanks in advance!
Re: Struts2 login action class seems to be reused
On 3/14/2018 5:43 PM, Prasanth Pasala wrote:
> We had a user report it soon after the deployment. After that we started looking into the specific user who reported (User1) and the user (whose information was seen by the reporting user), say User2. We realized there are login entries from the same IP for both of these users.

As you get the IP address from the request (rather than the Struts action), it seems that the request (which contains username/password and that same IP address) is being reused.

> In the access log of the server there was a POST request for User1 but at the time of the login entry for User2 there was only a GET request. In the timeline the GET request is first; User1 sees User2's information, logs out and then logs in again with their credentials.

At the time when there is a GET request for User1 and this issue happens, what are the logs for User2 at the same time?

Thanks in advance!
Re: Struts2 login action class seems to be reused
We had a user report it soon after the deployment. After that we started looking into the specific user who reported (User1) and the user (whose information was seen by the reporting user), say User2. We realized there are login entries from the same IP for both of these users.

In the access log of the server there was a POST request for User1 but at the time of the login entry for User2 there was only a GET request. In the timeline the GET request is first; User1 sees User2's information, logs out and then logs in again with their credentials.

Thanks,
Prasanth

On 03/13/2018 11:41 PM, Yasser Zamani wrote:
> On 3/10/2018 1:22 AM, Prasanth Pasala wrote:
>> Ran tests with 1000 users logging in in 60 sec while simultaneously 1000 users just requesting the login page in 60 sec to see if any of them would get in without username/password. No luck. System seems to be working properly. Also tried increasing it to 2000; it still worked as it should without the issue coming up.
>>
>> Would hot deployments cause any issue?
>
> Without reproducing it, it's hard to say why this issue happens rarely :( How did you discover it first? Was the incorrectly logged in user able to continue to other pages also as an authenticated user?
Re: Struts2 login action class seems to be reused
On 3/10/2018 1:22 AM, Prasanth Pasala wrote:
> Ran tests with 1000 users logging in in 60 sec while simultaneously 1000 users just requesting the login page in 60 sec to see if any of them would get in without username/password. No luck. System seems to be working properly. Also tried increasing it to 2000; it still worked as it should without the issue coming up.
>
> Would hot deployments cause any issue?

Without reproducing it, it's hard to say why this issue happens rarely :( How did you discover it first? Was the incorrectly logged in user able to continue to other pages also as an authenticated user?
Re: Struts2 login action class seems to be reused
Ran tests with 1000 users logging in in 60 sec while simultaneously 1000 users just requesting the login page in 60 sec to see if any of them would get in without username/password. No luck. System seems to be working properly. Also tried increasing it to 2000; it still worked as it should without the issue coming up.

Would hot deployments cause any issue?

Thanks,
Prasanth

On 03/08/2018 11:53 AM, Yasser Zamani wrote:
> On 3/8/2018 6:42 PM, Prasanth Pasala wrote:
>> Wish I was able to consistently reproduce it. I have two thread groups in JMeter: one thread group requests the login page then logs in. Another thread group just requests the login page. I have tried this with 100 users, 250 users in each thread group. I have varied the ramp up times from 60 sec to 300 sec.
>
> I think this is not heavy enough to force a race condition on your web server. Use only one user which logs in and logs out in a loop. Then, on the other side, increase users (threads) and decrease the ramp up time as much as your system does not hang. I remember I was able to ramp up 300 users (threads) in 15 seconds on my system.
>
> Regards.
Re: Struts2 login action class seems to be reused
On 3/8/2018 6:42 PM, Prasanth Pasala wrote:
> Wish I was able to consistently reproduce it. I have two thread groups in JMeter: one thread group requests the login page then logs in. Another thread group just requests the login page. I have tried this with 100 users, 250 users in each thread group. I have varied the ramp up times from 60 sec to 300 sec.

I think this is not heavy enough to force a race condition on your web server. Use only one user which logs in and logs out in a loop. Then, on the other side, increase users (threads) and decrease the ramp up time as much as your system does not hang. I remember I was able to ramp up 300 users (threads) in 15 seconds on my system.

Regards.
Re: Struts2 login action class seems to be reused
Wish I was able to consistently reproduce it. I have two thread groups in JMeter: one thread group requests the login page then logs in. Another thread group just requests the login page. I have tried this with 100 users, 250 users in each thread group. I have varied the ramp up times from 60 sec to 300 sec.

I have been trying this for the last 10 days. I was successful in reproducing it only during one run, which had 100 users, and two of the requests for the login page (no username/password) made login entries and got the home page. I will keep trying.

If I can't reproduce it more often, one solution I am thinking of is comparing the username/password in the action class with the values in the request object itself. If they are different I can send an email with the information and not log in the user.

Thanks,
Prasanth

On 03/08/2018 03:13 AM, Yasser Zamani wrote:
> On 3/7/2018 11:23 PM, Prasanth Pasala wrote:
>> If it is a session crossover we would display another user's information without making a login entry. In the cases where we had the issue the code recognized that there is no active session and went to the authentication part, authenticated the user and made a database entry for successful login. The authentication is based on the form variables populated by struts into the action class.
>
> Ahaa... so, currently the only thing I can imagine is maybe this issue arises when you have two simultaneous requests: one with username/password parameters, the other without (and both without any active session). Could you please verify this with a lot of such pairs of simultaneous requests using JMeter? i.e. create two simultaneous requests, one of them contains username/password, the other one does not. Add an assertion to the other one which checks if the issue occurs. Then tell JMeter to run this pair a lot of times, concurrently.
>
> I hope you'll be able to reproduce the issue, which is half of the resolution :)
>
> Regards.
Re: Struts2 login action class seems to be reused
On 3/7/2018 11:23 PM, Prasanth Pasala wrote:
> If it is a session crossover we would display another user's information without making a login entry. In the cases where we had the issue the code recognized that there is no active session and went to the authentication part, authenticated the user and made a database entry for successful login. The authentication is based on the form variables populated by struts into the action class.

Ahaa... so, currently the only thing I can imagine is maybe this issue arises when you have two simultaneous requests: one with username/password parameters, the other without (and both without any active session). Could you please verify this with a lot of such pairs of simultaneous requests using JMeter? i.e. create two simultaneous requests, one of them contains username/password, the other one does not. Add an assertion to the other one which checks if the issue occurs. Then tell JMeter to run this pair a lot of times, concurrently.

I hope you'll be able to reproduce the issue, which is half of the resolution :)

Regards.
Re: Struts2 login action class seems to be reused
Thanks for looking into this Yasser. In the current setup we have, we don't have a cluster; it is the only server handling all requests.

If it is a session crossover we would display another user's information without making a login entry. In the cases where we had the issue the code recognized that there is no active session and went to the authentication part, authenticated the user and made a database entry for successful login. The authentication is based on the form variables populated by struts into the action class.

Thanks,
Prasanth

On 03/07/2018 01:22 PM, Yasser Zamani wrote:
> On 3/7/2018 7:34 PM, Prasanth wrote:
>> I can't say that 2 percent of users were able to get in without username/password, as I have run the JMeter tests a lot of times (each run with 100 users). Only during one of those runs of JMeter I had 2 requests get the user's home page when Login.action was requested (without username/password).
>>
>> Below is the Login.action code. Removed the code that fetches the data for the home page.
>
> Thanks! I see you use session also.
>
> Looks like a bug with the Undertow web server [1]. I'm not familiar with it, so you may open an issue there and copy paste this thread there. They may have some idea, as it seems they have similar issues with session, which I linked below.
>
> Good luck.
>
> [1] https://issues.jboss.org/browse/JBEAP-6683?focusedCommentId=13340535=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13340535
Re: Struts2 login action class seems to be reused
On 3/7/2018 7:34 PM, Prasanth wrote:
> I can't say that 2 percent of users were able to get in without username/password, as I have run the JMeter tests a lot of times (each run with 100 users). Only during one of those runs of JMeter I had 2 requests get the user's home page when Login.action was requested (without username/password).
>
> Below is the Login.action code. Removed the code that fetches the data for the home page.

Thanks! I see you use session also.

Looks like a bug with the Undertow web server [1]. I'm not familiar with it, so you may open an issue there and copy paste this thread there. They may have some idea, as it seems they have similar issues with session, which I linked below.

Good luck.

[1] https://issues.jboss.org/browse/JBEAP-6683?focusedCommentId=13340535=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13340535
Re: Struts2 login action class seems to be reused
/context1 is used just for directing users to the right application (or context). Session is really maintained by /context2. Users can login directly in /context2 or they can input username and password in /context1 and they will be forwarded to the right context, one of which is /context2. So the login information could come to /context2/Login.action via a direct POST to this action or via a forwarded request from /context1.

The testing I have done is completely on /context2. Have some users login at /context2/Login.action while JMeter tries to access /context2/Login.action and another action /context2/PlanList.action (requests to any action other than Login.action will get forwarded to Login.action if the user is not yet logged in). So a direct request to /context/PlanList.action will end up at /context2/Login.action.

I can't say that 2 percent of users were able to get in without username/password. As I have run the JMeter tests a lot of times (each run with 100 users). Only during one of those runs of JMeter I had 2 requests get the user's home page when Login.action was requested (without username/password).

Below is the Login.action code. Removed the code that fetches the data for home page.

Thanks,
Prasanth

public class LoginAction implements ServletRequestAware {
    Logger log = Logger.getLogger(this.getClass());
    private HttpServletRequest request;
    private String message = "";
    private String username = "";
    private String password = "";
    private String action = "";

    public String execute() throws Exception {
        String result = null;
        boolean displaySuccessPage = false;

        // SEE IF THE USER SESSION IS ALREADY THERE, IN WHICH CASE NO NEED TO DISPLAY LOGIN PAGE
        // MOVE TO SUCCESS PAGE
        Long censusID = null;
        HttpSession session = request.getSession(false);
        if (session != null) {
            if (session.getAttribute("username") != null && session.getAttribute("CensusID") != null) {
                // GET THE CENSUS ID AND DISPLAY SUCCESS PAGE
                censusID = (Long) session.getAttribute("CensusID");
                // && (not &) so the null check short-circuits before censusID is unboxed
                if (censusID != null && censusID > 0) {
                    // JUST MADE SURE THAT WE HAVE A VALID CENSUS ID
                    displaySuccessPage = true;
                }
            }
        }

        // IF ACTION IS LOGOUT THEN LOGOUT THE USER
        // OR IF THE USER DECLINES DISCLAIMER
        if (("Logout".equals(action) || "Decline".equals(action))
                || (request.getParameter("Submit") != null && request.getParameter("Submit").trim().equals("Logout"))) {
            // INVALIDATE THE SESSION
            request.getSession().invalidate();
            message = "You have been successfully logged out";
            username = "";
            password = "";
            displaySuccessPage = false;
            result = "secure";
        }
        // IF THE PARTICIPANT HAS ACCEPTED THE DISCLAIMER UPDATE THE DATABASE
        else if ("Accept".equals(action)) {
            censusID = (Long) request.getSession().getAttribute("_CensusID");
            if (censusID != null) {
                Utils.updateDisclaimerCode(censusID);
                // SET THE USERNAME & CENSUSID. REMOVE THE TEMPORARY VARIABLES
                request.getSession().setAttribute("username", request.getSession().getAttribute("_username"));
                request.getSession().setAttribute("CensusID", request.getSession().getAttribute("_CensusID"));
                request.getSession().removeAttribute("_username");
                request.getSession().removeAttribute("_CensusID");
                request.getSession().setAttribute("dispContactInfo", Plans.getDisplayContactInfoCode(censusID));
                displaySuccessPage = true;
            }
        }
        // IF USER IS NOT ALREADY AUTHENTICATED
        else if (!displaySuccessPage) {
            // IF USERNAME IS NOT PROVIDED DISPLAY LOGIN PAGE
            if (username.equals("")) {
                request.getSession().setAttribute("maintenanceMessage", Utils.getMaintenanceMessage()[0]);
                request.getSession().setAttribute("suppressLogin", Boolean.parseBoolean(Utils.getMaintenanceMessage()[1]));
                result = "login";
            } else {
                // USER NAME SPECIFIED SO TRY TO AUTHENTICATE
                // GET THE IPADDRESS OF THE CLIENT
                String remoteHost = request.getHeader("X-FORWARDED-FOR");
                if (remoteHost == null || "".equals(remoteHost.trim())) {
                    remoteHost = request.getRemoteAddr();
                }
                // AUTHENTICATE USER
                censusID = Utils.authenticate(username, password, remoteHost);
                if (censusID == -1) {
                    message = "Invalid username/password specified";
                    result = "failed";
                }
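To see why an action of this shape, left behind on the value stack by an earlier request, can hand its username/password fields to the next request that runs through Login.action, and why dropping the getters stops that, here is an added example that is not code from this thread or from Struts: chainCopy is a simplified stand-in for the getter-to-setter copy the ChainingInterceptor performs (an assumption of this example, not the real implementation), and the credentials and the authenticate stand-in for Utils.authenticate are constructed.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

public class StaleActionCopyDemo {

    /**
     * Simplified model (assumption of this example) of the copy done between an older object on
     * the value stack and the current action: each public no-arg getXxx on 'from' feeds a
     * matching setXxx on 'to'. Returns the property names copied so the caller can see what leaked.
     */
    static Map<String, Object> chainCopy(Object from, Object to) throws ReflectiveOperationException {
        Map<String, Object> copied = new LinkedHashMap<>();
        for (Method getter : from.getClass().getMethods()) {
            String name = getter.getName();
            if (!name.startsWith("get") || name.equals("getClass") || getter.getParameterCount() != 0) {
                continue;
            }
            Object value = getter.invoke(from);
            if (value == null) {
                continue;
            }
            for (Method setter : to.getClass().getMethods()) {
                if (setter.getName().equals("set" + name.substring(3))
                        && setter.getParameterCount() == 1
                        && setter.getParameterTypes()[0].isInstance(value)) {
                    setter.invoke(to, value);
                    copied.put(name.substring(3), value);
                }
            }
        }
        return copied;
    }

    /** Constructed stand-in for Utils.authenticate(username, password, remoteHost). */
    static boolean authenticate(String username, String password) {
        return !username.isEmpty() && "s3cret".equals(password);   // constructed sample credential
    }

    /** Same shape as the LoginAction in the thread: credentials in fields with getters and setters. */
    public static class LeakyLoginAction {
        private String username = "";
        private String password = "";
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
        public String getPassword() { return password; }
        public void setPassword(String p) { password = p; }
        /** Authenticates whenever the fields are filled, regardless of how they were filled. */
        public boolean execute() { return authenticate(username, password); }
    }

    /** Shape the thread arrived at: setters only (form parameters still bind), no getters, nothing retained. */
    public static class HardenedLoginAction {
        private String username = "";
        private String password = "";
        public void setUsername(String u) { username = u; }
        public void setPassword(String p) { password = p; }
        public boolean execute() {
            boolean ok = authenticate(username, password);
            username = "";   // do not leave credentials behind in the instance once the request is served
            password = "";
            return ok;
        }
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // Constructed scenario: a previous user's action is still on the value stack when an
        // empty GET /Login.action (the JMeter request from the thread) creates a fresh action.
        LeakyLoginAction stale = new LeakyLoginAction();
        stale.setUsername("alice");      // constructed sample user
        stale.setPassword("s3cret");
        LeakyLoginAction fresh = new LeakyLoginAction();   // this request submitted nothing
        Map<String, Object> leaked = chainCopy(stale, fresh);
        System.out.println("leaky: copied " + leaked.keySet() + ", authenticated=" + fresh.execute());

        HardenedLoginAction staleHardened = new HardenedLoginAction();
        staleHardened.setUsername("alice");
        staleHardened.setPassword("s3cret");
        HardenedLoginAction freshHardened = new HardenedLoginAction();
        Map<String, Object> copied = chainCopy(staleHardened, freshHardened);
        System.out.println("hardened: copied " + copied.keySet() + ", authenticated=" + freshHardened.execute());
    }
}
```

With the getters present the fresh action authenticates as the previous user although the request carried no credentials; without them the copy has nothing to read and the empty request is shown the login page, which matches the outcome reported after the getters were removed.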
Re: Struts2 login action class seems to be reused
On 3/6/2018 9:42 PM, Prasanth Pasala wrote:
> In StrutsPrepareAndExecuteFilter below is the line that gets the action
> mapping, since the forceLookup is set to true the PrepareOperations class
> might be creating it again.
> ActionMapping mapping = prepare.findActionMapping(request, response, true);

Thanks a lot! This explains why you don't get an exception. So, please let's forget this sub-thread and follow up the resolution on my other email in the main thread.

Thanks.
Re: Struts2 login action class seems to be reused
On 3/5/2018 7:48 PM, Prasanth wrote:
> For replicating the issue I was directly accessing /context2/Login.action. So
> /context1 was not used in testing.

Please let me repeat what I understood: when some users are signed in to /context1, you browse /context2/Login.action via JMeter empty requests, but about 2 percent of them successfully sign in to /context2! Did I understand the issue correctly?

If so, it's very odd ... and I like strange issues :)

Does this issue also happen even when no one is signed in to /context1? If so, does this issue also happen when /context1 is stopped (i.e. /context2 never gets any forwarded request from /context1)? I ask these to know if this issue is dependent on the app on /context1 or not.

I see you use the Undertow web server and I reviewed it and saw it's a highly non-blocking async web server. Then ... please add a hidden field to your login.jsp whose value will be request.getParameter("testIfStrutsReusesAction"). In JMeter add testIfStrutsReusesAction=JMeter to your request parameters. Then re-run JMeter and see if those two successful requests have a hidden field with value "JMeter" in their response (also see that the other requests must have this hidden field too, otherwise there is a problem in your impl of these). I ask these to know if that successful response is really a response for your JMeter request!

If none of the above were helpful, then could you please share /context2/Login.action? I need to see how you authenticate. Only via request params? Or does session or something else make sense also?

Regards.
Re: Struts2 login action class seems to be reused
I am not defining any default action. I would get the below exception if I set the ActionMapping to null. For some reason the object doesn't go away if I set it to null. After setting it to null using request.setAttribute("struts.actionMapping", null); I can get it using getAttribute. The object remains even if I do removeAttribute.

11:57:27,509 ERROR [stderr] (default task-32) Caused by: java.lang.ClassCastException: org.apache.struts2.dispatcher.mapper.ActionMapping cannot be cast to org.apache.struts2.dispatcher.mapper.ActionMapping
11:57:27,509 ERROR [stderr] (default task-32)     at org.apache.struts2.dispatcher.ng.PrepareOperations.findActionMapping(PrepareOperations.java:163)
11:57:27,509 ERROR [stderr] (default task-32)     at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:92)
11:57:27,509 ERROR [stderr] (default task-32)     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
11:57:27,509 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
11:57:27,509 ERROR [stderr] (default task-32)     at com.x.xx.LoginFilter.doFilter(LoginFilter.java:52)
11:57:27,509 ERROR [stderr] (default task-32)     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
11:57:27,510 ERROR [stderr] (default task-32)     ... 128 more

Below is what I see by displaying the request.getAttribute("struts.actionMapping") after removeAttribute or after setting it to null.

ActionMapping{name='Login', namespace='/', method='null', extension='action', params={}, result=null}

In StrutsPrepareAndExecuteFilter below is the line that gets the action mapping; since the forceLookup is set to true the PrepareOperations class might be creating it again.

ActionMapping mapping = prepare.findActionMapping(request, response, true);

---PrepareOperations---
public ActionMapping findActionMapping(HttpServletRequest request, HttpServletResponse response, boolean forceLookup) {
    ActionMapping mapping = (ActionMapping) request.getAttribute(STRUTS_ACTION_MAPPING_KEY);
    if (mapping == null || forceLookup) {
        try {
            mapping = dispatcher.getContainer().getInstance(ActionMapper.class).getMapping(request, dispatcher.getConfigurationManager());
            if (mapping != null) {
                request.setAttribute(STRUTS_ACTION_MAPPING_KEY, mapping);
            }
        } catch (Exception ex) {
            if (dispatcher.isHandleException() || dispatcher.isDevMode()) {
                dispatcher.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, ex);
            }
        }
    }
    return mapping;
}
--
Thanks,
Prasanth

On 03/05/2018 11:49 AM, Yasser Zamani wrote:
>
> On 3/5/2018 7:48 PM, Prasanth wrote:
>> But the Login filter had the below lines to make sure forwarded requests
>> from /context1
>> would work.
>>
>> request.setAttribute("struts.actionMapping", new ActionMapping());
> Please let me discuss this line first of all. I'm still surprised how
> context2 app works with this line! I expect you always get
> ConfigurationException or get the result of the default action. Have you
> set this filter pattern to being applied only on /Login.action? If so,
> still you should get
Re: Struts2 login action class seems to be reused
I am not using Spring. Using Struts1, Struts 2 (2.3.34), tiles 2.0.4

On 03/05/2018 11:57 AM, Adam Brin wrote:
> What are the annotations on the class? Is it possible that you're using
> Spring, and not declaring "prototype" scope. eg:
>
> @Scope("prototype")
>
> On Mon, Mar 5, 2018 at 10:49 AM, Yasser Zamani wrote:
>
>>
>> On 3/5/2018 7:48 PM, Prasanth wrote:
>>> But the Login filter had the below lines to make sure forwarded requests
>> from /context1
>>> would work.
>>>
>>> request.setAttribute("struts.actionMapping", new ActionMapping());
>> Please let me discuss this line first of all. I'm still surprised how
>> context2 app works with this line! I expect you always get
>> ConfigurationException or get the result of the default action. Have you
>> set this filter pattern to being applied only on /Login.action? If so,
>> still you should get ConfigurationException or get the result of the
>> default action (is /Login.action default?). Or maybe you have put these
>> two lines in an if statement like if(request has these attributes){...}?
>> If not, then do this please; an if statement for each line.
>>
>> Could you please try `request.setAttribute("struts.actionMapping",
>> null)`? then post back the exception if any (I don't expect any). You
>> should set to null or remove the attribute. Any other code is wrong.
>>
>> Regards.
>>
>>
>
Re: Struts2 login action class seems to be reused
What are the annotations on the class? Is it possible that you're using Spring, and not declaring "prototype" scope. eg:

@Scope("prototype")

On Mon, Mar 5, 2018 at 10:49 AM, Yasser Zamani wrote:
>
>
> On 3/5/2018 7:48 PM, Prasanth wrote:
> > But the Login filter had the below lines to make sure forwarded requests
> from /context1
> > would work.
> >
> > request.setAttribute("struts.actionMapping", new ActionMapping());
>
> Please let me discuss this line first of all. I'm still surprised how
> context2 app works with this line! I expect you always get
> ConfigurationException or get the result of the default action. Have you
> set this filter pattern to being applied only on /Login.action? If so,
> still you should get ConfigurationException or get the result of the
> default action (is /Login.action default?). Or maybe you have put these
> two lines in an if statement like if(request has these attributes){...}?
> If not, then do this please; an if statement for each line.
>
> Could you please try `request.setAttribute("struts.actionMapping",
> null)`? then post back the exception if any (I don't expect any). You
> should set to null or remove the attribute. Any other code is wrong.
>
> Regards.
>
>

--
Adam Brin
Director of Technology, Digital Antiquity
480.965.1278
Re: Struts2 login action class seems to be reused
On 3/5/2018 7:48 PM, Prasanth wrote:
> But the Login filter had the below lines to make sure forwarded requests from
> /context1
> would work.
>
> request.setAttribute("struts.actionMapping", new ActionMapping());

Please let me discuss this line first of all. I'm still surprised how context2 app works with this line! I expect you always get ConfigurationException or get the result of the default action. Have you set this filter pattern to being applied only on /Login.action? If so, still you should get ConfigurationException or get the result of the default action (is /Login.action default?). Or maybe you have put these two lines in an if statement like if(request has these attributes){...}? If not, then do this please; an if statement for each line.

Could you please try `request.setAttribute("struts.actionMapping", null)`? then post back the exception if any (I don't expect any). You should set to null or remove the attribute. Any other code is wrong.

Regards.
Re: Struts2 login action class seems to be reused
Yes, login page is accessible always. Direct jsp access is not allowed; it has to go through the actions. When a user requests /Login.action the login jsp page is displayed. When the user submits username and password (POST to Login.action) the user is authenticated and the home page is displayed by Login.action. Since the same action handles both displaying the login page and validating, if the values are already present (username, password, value of the button clicked) the action will authenticate the user and display the home page; as it does this it will make a database entry saying xyz user has logged in.

Actual Setup:

Application 1: /context1 --- User can login here and they will be forwarded to context2. This application uses struts 2.5.14

Application 2: /context2 --- User can login directly in /context2 (in which case no forwarding). This application uses struts 2.3.34 for login and other actions. There are a few actions in struts1 also.

For replicating the issue I was directly accessing /context2/Login.action. So /context1 was not used in testing. But the Login filter had the below lines to make sure forwarded requests from /context1 would work.

request.setAttribute("struts.actionMapping", new ActionMapping());
request.setAttribute("struts.valueStack", null);

The request object type is io.undertow.servlet.spec.HttpServletRequestImpl

Thanks,
Prasanth

On 03/03/2018 04:14 AM, Yasser Zamani wrote:
> On 3/3/2018 12:37 AM, Prasanth Pasala wrote:
>> I was able to replicate the issue today. Asked a few users to keep logging in
>> and ran jmeter to access login page, without putting any username or
>> password. Out of the 100 attempts 2 attempts were
>> successful in getting in without username/password. I am seeing database
>> login entries for these two. Which would happen only if a valid session is
>> not present and user has provided username/password.
> Shouldn't login page be accessible always? How do you try to access the
> login page, calling directly to jsp? Or action? How do you authenticate
> that access try, via session values? Via request parameters and querying
> database?
>
>> Not sure if the behavior is a side effect of having the below lines.
>>
>> request.setAttribute("struts.actionMapping", new
>> ActionMapping());
>> request.setAttribute("struts.valueStack", null);
> Not these lines but I guess you may also remove more things from
> forwarded request (e.g. session). Could you please print
> request.toString before these lines to see what type it is? Could you
> serialize request to a xml to see all values stored in that request?
> Anyway, like you, I also think this issue is because of forwarding the
> request from Struts1 to Struts2.
>
> Regards.
>
Re: Struts2 login action class seems to be reused
On 3/3/2018 12:37 AM, Prasanth Pasala wrote:
> I was able to replicate the issue today. Asked a few users to keep logging in
> and ran jmeter to access login page, without putting any username or
> password. Out of the 100 attempts 2 attempts were
> successful in getting in without username/password. I am seeing database
> login entries for these two. Which would happen only if a valid session is
> not present and user has provided username/password.

Shouldn't login page be accessible always? How do you try to access the login page, calling directly to jsp? Or action? How do you authenticate that access try, via session values? Via request parameters and querying database?

> Not sure if the behavior is a side effect of having the below lines.
>
> request.setAttribute("struts.actionMapping", new
> ActionMapping());
> request.setAttribute("struts.valueStack", null);

Not these lines but I guess you may also remove more things from forwarded request (e.g. session). Could you please print request.toString before these lines to see what type it is? Could you serialize request to a xml to see all values stored in that request? Anyway, like you, I also think this issue is because of forwarding the request from Struts1 to Struts2.

Regards.
Re: Fwd: Re: Struts2 login action class seems to be reused
Hi Norbert,

Struts1 actions are thread safe (no instance variables). The login action has been moved to Struts2 with instance variables for username, password and the issue is coming up with this new struts2 action. Which is used for both displaying the login page and also taking username/password when the form is submitted.

Thanks,
Prasanth

On 3/2/2018 5:55 PM, Norbert Hirneisen wrote:

Hi Prasanth,

are you sure all your struts1 code is thread safe? I had some similar problems in a struts1 application. After removing all action class properties the problem was solved. Struts2 should be thread safe. But your problems look to me like a problem with thread safety.

Best regards,
Norbert

science + communication & HaNo Systems
Bonn/Ho-Chi-Minh

On 02.03.2018 at 22:07, Prasanth Pasala wrote:

I was able to replicate the issue today. Asked a few users to keep logging in and ran jmeter to access login page, without putting any username or password. Out of the 100 attempts 2 attempts were successful in getting in without username/password. I am seeing database login entries for these two. Which would happen only if a valid session is not present and user has provided username/password.

Thanks,
Prasanth

On 03/01/2018 02:27 PM, Prasanth wrote:

Hi,

I have an application which uses both struts1 & struts2. The login action was recently moved to struts2. Immediately after the deployment we were notified that one user is seeing a different user's information, so we had to move to older war files. I am not able to replicate it. But after investigating the logs it seems like a couple of users were logged in as soon as they requested the login page. For the database entry to happen it has to verify the username and password in the action class, but the fact that there is no POST entry at that time from that IP in my access log makes me believe that the action class somehow already had that information from a prior user.

I do have a login filter to check if users are logged in when accessing other pages. In this filter I have the below two lines; we had to do this as we will have requests forwarded from one application to another and when that happens we are getting a class cast exception for the ActionMapping class and valueStack. Not sure if the behavior is a side effect of having the below lines.

request.setAttribute("struts.actionMapping", new ActionMapping());
request.setAttribute("struts.valueStack", null);

We are using Struts 2.3.34 and Wildfly.

Appreciate any insights you might have.

Thanks,
Prasanth
Fwd: Re: Struts2 login action class seems to be reused
Hi Prasanth,

are you sure all your struts1 code is thread safe? I had some similar problems in a struts1 application. After removing all action class properties the problem was solved. Struts2 should be thread safe. But your problems look to me like a problem with thread safety.

Best regards,
Norbert

science + communication & HaNo Systems
Bonn/Ho-Chi-Minh

On 02.03.2018 at 22:07, Prasanth Pasala wrote:

I was able to replicate the issue today. Asked a few users to keep logging in and ran jmeter to access login page, without putting any username or password. Out of the 100 attempts 2 attempts were successful in getting in without username/password. I am seeing database login entries for these two. Which would happen only if a valid session is not present and user has provided username/password.

Thanks,
Prasanth

On 03/01/2018 02:27 PM, Prasanth wrote:

Hi,

I have an application which uses both struts1 & struts2. The login action was recently moved to struts2. Immediately after the deployment we were notified that one user is seeing a different user's information, so we had to move to older war files. I am not able to replicate it. But after investigating the logs it seems like a couple of users were logged in as soon as they requested the login page. For the database entry to happen it has to verify the username and password in the action class, but the fact that there is no POST entry at that time from that IP in my access log makes me believe that the action class somehow already had that information from a prior user.

I do have a login filter to check if users are logged in when accessing other pages. In this filter I have the below two lines; we had to do this as we will have requests forwarded from one application to another and when that happens we are getting a class cast exception for the ActionMapping class and valueStack. Not sure if the behavior is a side effect of having the below lines.

request.setAttribute("struts.actionMapping", new ActionMapping());
request.setAttribute("struts.valueStack", null);

We are using Struts 2.3.34 and Wildfly.

Appreciate any insights you might have.

Thanks,
Prasanth
Re: Struts2 login action class seems to be reused
I was able to replicate the issue today. Asked a few users to keep logging in and ran jmeter to access login page, without putting any username or password. Out of the 100 attempts 2 attempts were successful in getting in without username/password. I am seeing database login entries for these two. Which would happen only if a valid session is not present and user has provided username/password.

Thanks,
Prasanth

On 03/01/2018 02:27 PM, Prasanth wrote:
> Hi,
>
> I have an application which uses both struts1 & struts2. The login action was
> recently moved to struts2. Immediately after the deployment we were notified
> that one user is seeing a different user's
> information, so we had to move to older war files. I am not able to replicate
> it. But after investigating the logs it seems like a couple of users were logged
> in as soon as they requested the login page.
> For the database entry to happen it has to verify the username and password
> in the action class, but the fact that there is no POST entry at that time
> from that IP in my access log makes me believe
> that the action class somehow already had that information from a prior user.
>
> I do have a login filter to check if users are logged in when accessing other
> pages. In this filter I have the below two lines; we had to do this as we
> will have requests forwarded from one
> application to another and when that happens we are getting a class cast
> exception for the ActionMapping class and valueStack. Not sure if the behavior is
> a side effect of having the below lines.
>
> request.setAttribute("struts.actionMapping", new
> ActionMapping());
> request.setAttribute("struts.valueStack", null);
>
> We are using Struts 2.3.34 and Wildfly.
>
> Appreciate any insights you might have.
>
> Thanks,
> Prasanth
>
>