Re: Struts2 login action class seems to be reused

2018-05-18 Thread Prasanth
The forward happens only to LoginAction. In some cases a PostBack will work, but 
in cases where we have given the end user a choice of applications PostBack 
will not work, as the browser has to post back the 1st request information 
rather than the second request information.

Agree I guess we have to make sure we don't have any get methods in the second 
application LoginAction to avoid similar issues.

We have removed the getUsername, getPassword, getAction methods, which has 
stopped the issue of having login credentials in the LoginAction when those are 
not submitted by the user. Now I have removed the setRequest method (not 
getRequest) and that seems to solve the session invalid exception. Maybe I can 
remove the getRequest also, as this is not really needed. We have one more get 
method, getMessage; this is used to display error messages on the login page, 
which we probably need to keep, but it should not cause any issues as this data 
does not change site behavior. I might set this to empty at the start of 
execute (effectively clearing it, if this is set from an old action).

Thanks,
Prasanth

On 05/17/2018 06:11 AM, Yasser Zamani wrote:
>
> On 5/16/2018 11:51 PM, Prasanth wrote:
>> Would struts2 call this setRequest method even if the class is implementing 
>> just ServletRequestAware?
> No. Additionally Struts RequestAware method signature is
> setRequest(Map request); i.e. it's parameter is Map not
> ServletRequest.
>
>> Any insights as to why this additional setRequest method causes the problem? 
> Yes. It's same as your issue with username/password copy from previous
> action. Your previous action is in value stack (I don't know why! see
> [1]) ChainingInterceptor thinks it's a chain result, so, calls
> getRequest on previous action and then calls setRequest on your current
> action with returned value (i.e. copies this value from previous action
> and overrides your private request field inside your action).
>
> You can fix this also by removing getRequest method which disables
> ChainingInterceptor to copies this.
>
> But you may encounter several same issues when you have both setX and
> getX methods on your actions.
>
> [1] So, as I mentioned before, could you please rewrite all of your
> FORWARDs with Struts ServletRedirect or PostBack results (also revert
> back all removed getter methods)? this shows us if FORWARDs are root
> cause of these issues or not. Then we can investigate more on other
> possible causes.
>
> Regards.
>
> -
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>



Re: Struts2 login action class seems to be reused

2018-05-17 Thread Yasser Zamani


On 5/16/2018 11:51 PM, Prasanth wrote:
> Would struts2 call this setRequest method even if the class is implementing 
> just ServletRequestAware?

No. Additionally Struts RequestAware method signature is
setRequest(Map request); i.e. it's parameter is Map not
ServletRequest.

> Any insights as to why this additional setRequest method causes the problem? 

Yes. It's same as your issue with username/password copy from previous
action. Your previous action is in value stack (I don't know why! see
[1]) ChainingInterceptor thinks it's a chain result, so, calls
getRequest on previous action and then calls setRequest on your current
action with returned value (i.e. copies this value from previous action
and overrides your private request field inside your action).

You can fix this also by removing getRequest method which disables
ChainingInterceptor to copies this.

But you may encounter several same issues when you have both setX and
getX methods on your actions.

[1] So, as I mentioned before, could you please rewrite all of your
FORWARDs with Struts ServletRedirect or PostBack results (also revert
back all removed getter methods)? this shows us if FORWARDs are root
cause of these issues or not. Then we can investigate more on other
possible causes.

Regards.
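As an added illustration of the copy Yasser describes here, and of the getter removal and message clearing Prasanth applied in his reply above, the following self-contained Java sketch is not code from this thread or from Struts itself. A reflective bean copy stands in for the "getX on the previous action, setX on the current action" step attributed to ChainingInterceptor (an assumption modelled on the description above, not Struts' own implementation); it is run first against an action that exposes getters for the credentials and then against one that does not.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

/**
 * Stand-in for the copy step described in the thread: every property that is readable on
 * the previous action and writable on the current one is copied across. This is an
 * assumption modelled on that description, not Struts' ChainingInterceptor code.
 */
final class ChainCopy {
    static void copy(Object previous, Object current) throws Exception {
        Map<String, Method> writers = new HashMap<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(current.getClass(), Object.class)
                .getPropertyDescriptors()) {
            if (pd.getWriteMethod() != null) {
                writers.put(pd.getName(), pd.getWriteMethod());
            }
        }
        for (PropertyDescriptor pd : Introspector.getBeanInfo(previous.getClass(), Object.class)
                .getPropertyDescriptors()) {
            Method reader = pd.getReadMethod();
            Method writer = writers.get(pd.getName());
            if (reader != null && writer != null) {
                // getX on the previous action, setX on the current one
                writer.invoke(current, reader.invoke(previous));
            }
        }
    }
}

/** Before: getter/setter pairs for the credentials, so a copy from an older action succeeds. */
class LeakyLoginAction {
    private String username, password, message;
    public void setUsername(String u) { username = u; }
    public String getUsername() { return username; }
    public void setPassword(String p) { password = p; }
    public String getPassword() { return password; }
    public void setMessage(String m) { message = m; }
    public String getMessage() { return message; }
}

/**
 * After: setters only for the credentials (form parameter binding still works), and the one
 * getter the login page needs is cleared at the start of execute().
 */
class HardenedLoginAction {
    private String username, password, message;
    public void setUsername(String u) { username = u; }
    public void setPassword(String p) { password = p; }
    public void setMessage(String m) { message = m; }
    public String getMessage() { return message; }   // error text shown on the login page

    public String execute() {
        message = null;   // drop anything an older action may have pushed into this field
        if (username == null || password == null) {
            message = "Please enter your username and password";
            return "input";
        }
        return "success";
    }

    boolean holdsCredentials() { return username != null && password != null; }
}

public class ChainCopyDemo {
    public static void main(String[] args) throws Exception {
        // Constructed scenario: a previous user's login action is still on the value stack.
        LeakyLoginAction previousLeaky = new LeakyLoginAction();
        previousLeaky.setUsername("alice");
        previousLeaky.setPassword("constructed-secret");
        previousLeaky.setMessage("Welcome back");

        LeakyLoginAction currentLeaky = new LeakyLoginAction();
        ChainCopy.copy(previousLeaky, currentLeaky);
        // The fresh action now carries the other user's username and password.
        System.out.println("leaky action username after copy: " + currentLeaky.getUsername());

        HardenedLoginAction previousHardened = new HardenedLoginAction();
        previousHardened.setUsername("alice");
        previousHardened.setPassword("constructed-secret");
        previousHardened.setMessage("Welcome back");

        HardenedLoginAction currentHardened = new HardenedLoginAction();
        ChainCopy.copy(previousHardened, currentHardened);
        // No getter for username/password on the previous action, so there is nothing to copy.
        System.out.println("hardened action holds credentials after copy: "
                + currentHardened.holdsCredentials());
        // message was copied (getter on previous, setter on current), but execute() clears it
        // before doing any work, so only this request's own error text survives.
        System.out.println("hardened execute() result: " + currentHardened.execute());
        System.out.println("hardened message after execute(): " + currentHardened.getMessage());
    }
}
```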


Re: Struts2 login action class seems to be reused

2018-05-16 Thread Prasanth
Another update, the LoginAction in Context2 had the below methods, two methods 
to set the request. Maybe I did RequestAware and then realized it should be 
ServletRequestAware and did not delete the setRequest method. I think having 
the setRequest is the culprit for the invalid session exception. I have gone 
back and forth, and when I have this method I can reproduce the error and when 
I remove this method I don't get the error.

While implementing the SessionAware I removed this additional method also, so 
it worked but I was thinking that SessionAware implementation solved the issue.

Any insights as to why this additional setRequest method causes the problem? 
Would struts2 call this setRequest method even if the class is implementing 
just ServletRequestAware?

import javax.servlet.http.HttpServletRequest;
import org.apache.struts2.interceptor.ServletRequestAware;

public class LoginAction implements ServletRequestAware {

    private HttpServletRequest request;

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    /**
     * @return the request
     */
    public HttpServletRequest getRequest() {
        return this.request;
    }

    /**
     * @param aRequest the request to set
     */
    public void setRequest(HttpServletRequest aRequest) {
        this.request = aRequest;
    }
}

Thanks,
Prasanth

On 05/16/2018 12:44 PM, Prasanth wrote:
> We use the path as / for the cookie path that allows the session to be shared 
> between context1 and context2. The JSESSIONID also remains the same when the 
> request is forwarded.
>
> Martin asked me if the action is session aware. It was not implementing 
> SessionAware interface even though session was accessed (using 
> request.getSession()). Artifact of code from struts1, that
> part of the code did not change when we moved the action to struts2. So 
> decided to change it and use the session map provided by struts2. Once I have 
> added SessionAware I am not able to reproduce
> the session invalid exception, did not have a problem reproducing the issue 
> before. Is this expected?
>
> Thanks,
> Prasanth
>
> On 05/16/2018 10:40 AM, Yasser Zamani wrote:
>> On 5/16/2018 7:23 PM, Prasanth wrote:
>>>  Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
>>>     at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
>>>     at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
>>>     at com.xx.xx.LoginAction.execute(LoginAction.java:76)
>> Could you see if "Best Practices: Cross-Context Dispatching and Session
>> Handling" [1] fixes your issue? However, it's about Servlets not Struts.
>>
>> Regards.
>>
>> [1] http://satworks.blogspot.com/2011/07/best-practices-cross-context.html
>>
>>
>



Re: Struts2 login action class seems to be reused

2018-05-16 Thread Prasanth
We use the path as / for the cookie path that allows the session to be shared 
between context1 and context2. The JSESSIONID also remains the same when the 
request is forwarded.

Martin asked me if the action is session aware. It was not implementing the 
SessionAware interface even though the session was accessed (using 
request.getSession()). Artifact of code from struts1; that part of the code 
did not change when we moved the action to struts2. So I decided to change it 
and use the session map provided by struts2. Once I have added SessionAware I 
am not able to reproduce the session invalid exception; I did not have a 
problem reproducing the issue before. Is this expected?

Thanks,
Prasanth

On 05/16/2018 10:40 AM, Yasser Zamani wrote:
>
> On 5/16/2018 7:23 PM, Prasanth wrote:
>>  Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
>>     at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
>>     at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
>>     at com.xx.xx.LoginAction.execute(LoginAction.java:76)
> Could you see if "Best Practices: Cross-Context Dispatching and Session
> Handling" [1] fixes your issue? However, it's about Servlets not Struts.
>
> Regards.
>
> [1] http://satworks.blogspot.com/2011/07/best-practices-cross-context.html
>
>



Re: Struts2 login action class seems to be reused

2018-05-16 Thread Yasser Zamani


On 5/16/2018 7:23 PM, Prasanth Pasala wrote:
>  Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
>     at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
>     at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
>     at com.xx.xx.LoginAction.execute(LoginAction.java:76)

Could you see if "Best Practices: Cross-Context Dispatching and Session
Handling" [1] fixes your issue? However, it's about Servlets not Struts.

Regards.

[1] http://satworks.blogspot.com/2011/07/best-practices-cross-context.html



Re: Struts2 login action class seems to be reused

2018-05-16 Thread Prasanth
Martin,

We have the cookie config in the application.

     
              20
              
                  /
                true
                true
        
     

Thanks,
Prasanth

On 05/15/2018 04:03 PM, Martin Gainty wrote:
>
> 8443 indicates secure connection so perhaps a misconfig with wildfly 
> standalone.xml (see below)
>
> 
>   
>
>  
> 
>
> https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>
> ?
>
> can you ping wildfly userlist ?
> https://developer.jboss.org/en/wildfly
>
>
> jaikiran is a good resource that i met on a different userlist..i would 
> definitely ping him 
> stay in  touch/let me know if setting session-cookie in standalone.xml works
>
> M-
> NB: I once contracted to the company that bought wildfly..we had to figure 
> configuration by ourselves
>
> 
> *From:* Prasanth Pasala <ppas...@pangburngroup.com>
> *Sent:* Tuesday, May 15, 2018 11:42 AM
> *To:* user@struts.apache.org
> *Subject:* Re: Struts2 login action class seems to be reused
>  
> See below the header information when the exception occurred. Strange thing 
> is JMeter is saying it did not send any cookie (which is what I would expect 
> in this case as it is just requesting the login page)
>
> Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.    
> (xx - is the machine name on which wildfly is running)
> Connection: keep-alive
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> Host: dev.secure.xxx.com:8443
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
> 10:09:09,150 ERROR 
> [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default 
> task-20) Exception occurred during processing request: UT10: Session is 
> invalid
> ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: 
> UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ
>
> From JMeter---
> GET https://dev.secure.pangburngroup.com:8443/participant/
>
> GET data:
>
>
> [no cookies]
>
> Request Headers:
> Connection: keep-alive
> Host: dev.secure.xxx.com:8443
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
> --
>
> Thanks,
> Prasanth
>
> On 05/15/2018 07:44 AM, Martin Gainty wrote:
> > Hi Norbert/Prasanth
> >
> > Struts2 login action problem has morphed to "Invalid Session State" with 
> > Wildfly's implementation of TC 5.5
> >
> > https://en.wikipedia.org/wiki/WildFly
> >
> >
> >
> > MG>as a debugging exercise I would dump HTTP Header attributes with
> >
> > http://livehttpheaders.mozdev.org/
> >
> >
> >
> > MG>then 

Re: Struts2 login action class seems to be reused

2018-05-16 Thread Prasanth Pasala
Below is a complete stack trace.

 Exception: java.lang.IllegalStateException: UT10: Session is invalid r4yb7BtBx7fwmGbzMhgeyhvSFb3sAp6FhW6m-5Op
    at io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:481)
    at io.undertow.servlet.spec.HttpSessionImpl.getAttribute(HttpSessionImpl.java:122)
    at com.xx.xx.LoginAction.execute(LoginAction.java:76)
    at sun.reflect.GeneratedMethodAccessor147.invoke(null:-1)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:897)
    at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1299)
    at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
    at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethodWithDebugInfo(XWorkMethodAccessor.java:117)
    at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethod(XWorkMethodAccessor.java:108)
    at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:1375)
    at ognl.ASTMethod.getValueBody(ASTMethod.java:91)
    at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
    at ognl.SimpleNode.getValue(SimpleNode.java:258)
    at ognl.Ognl.getValue(Ognl.java:470)
    at ognl.Ognl.getValue(Ognl.java:434)
    at com.opensymphony.xwork2.ognl.OgnlUtil$3.execute(OgnlUtil.java:362)
    at com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecuteMethod(OgnlUtil.java:414)
    at com.opensymphony.xwork2.ognl.OgnlUtil.callMethod(OgnlUtil.java:360)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:430)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:290)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:251)
    at org.apache.struts2.interceptor.DeprecationInterceptor.intercept(DeprecationInterceptor.java:41)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:256)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:168)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:265)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:76)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:229)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:191)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:73)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:125)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:253)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
    at 

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Yasser Zamani


On 5/16/2018 6:59 AM, Prasanth Pasala wrote:
> We have two applications (websites); to make it easier for users we have a 
> third site that acts as a common login place. Once the user enters the 
> username and password it determines the right site to use and does a forward 
> to that context (applications hosted on the same host).
> 
> When using struts1 everything was fine. When we moved to struts2 we started 
> getting crossed logins. When a user gets to login page the action would get 
> populated with a username and password used by some other user. This happens 
> only if a request with this information is forwarded from one context to 
> another.
> 
> With some help from the struts mailing list it was determined that somehow old 
> actions are in the stack and if we remove get methods struts2 would not be 
> able to pull that data and put it in the current value stack. So we did it and 
> when we started testing we are getting session invalid exceptions. Again this 
> happens only if there are users logging in to context1 and that request is 
> forwarded to context2. If the login activity is done directly in context2 the 
> issue does not arise.

Could you post the complete stacktrace of invalid session exception? I
think knowing where and why tries to access session may help.

Regards.


Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
We have two applications (websites); to make it easier for users we have a third 
site that acts as a common login place. Once the user enters the username and 
password it determines the right site to use and does a forward to that context 
(applications hosted on the same host).

When using struts1 everything was fine. When we moved to struts2 we started 
getting crossed logins. When a user gets to login page the action would get 
populated with a username and password used by some other user. This happens 
only if a request with this information is forwarded from one context to 
another.

With some help from the struts mailing list it was determined that somehow old 
actions are in the stack and if we remove get methods struts2 would not be able 
to pull that data and put it in the current value stack. So we did it and when we 
started testing we are getting session invalid exceptions. Again this happens 
only if there are users logging in to context1 and that request is forwarded to 
context2. If the login activity is done directly in context2 the issue does not 
arise.

Thanks
Prasanth

On May 15, 2018 8:45:25 PM CDT, Jaikiran Pai <jai.forums2...@gmail.com> wrote:
>I don't have enough context of this discussion, but looking briefly at 
>this, it looks like you are using Apache HTTP client (probably with 
>pooled connections) and it seems like a connection reuse for a 
>subsequent login request is sending a Cookie with the request (when it 
>shouldn't?).
>
>
>If that's the case, then it looks like the Apache HTTP client's auto 
>Cookie management is coming into picture where it "auto attaches" the 
>Cookie, obtained from a previous response on that connection, to the
>new 
>request on that reused connection. Apache HTTP client allows you to 
>configure this behaviour by setting a cookie policy management. I guess
>
>you probably want to use the "ignoreCookies" policy in your case, since
>
>you want to manage setting the Cookie to the requests yourself. The 
>Apache HTTP client documentation[1] has more information. Something
>like:
>
>
>        final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
>        final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom();
>        ...
>        requestConfigBuilder.setCookieSpec(org.apache.http.client.config.CookieSpecs.IGNORE_COOKIES);
>        ...
>        httpClientBuilder.setDefaultRequestConfig(requestConfigBuilder.build());
>
>
>[1] For 3.x version (I couldn't find one for 4.x which you seem to be 
>using) https://hc.apache.org/httpclient-3.x/cookies.html
>
>[2] 
>https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html
>
>
>-Jaikiran
>
>
>On 16/05/18 2:33 AM, Martin Gainty wrote:
>>
>> 8443 indicates secure connection so perhaps a misconfig with 
>> wildfly standalone.xml (see below)
>>
>> 
>>   
>>
>>  
>> 
>>
>>
>https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration
>
>>
>>
>> ?
>>
>> can you ping wildfly userlist ?
>> https://developer.jboss.org/en/wildfly
>>
>>
>> jaikiran is a good resource that i met on a different userlist..i 
>> would definitely ping him
>> stay in  touch/let me know if setting session-cookie in
>standalone.xml 
>> works
>>
>> M-
>> NB: I once contracted to the company that bought wildfly..we had to 
>> figure configuration by ourselves
>>
>>
>
>> *From:* Prasanth Pasala <ppas...@pangburngroup.com>
>> *Sent:* Tuesday, May 15, 2018 11:42 AM
>> *To:* user@struts.apache.org
>> *Subject:* Re: Struts2 login action class seems to be reused
>> See below the header information when the exception occurred. Strange
>> thing is JMeter is saying it did not send any cookie (which is what I
>> would expect in this case as it is just requesting the login page)
>>
>> Cookie: JSESSIONID=ZclUN41sWwTsPGRw

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Jaikiran Pai
I don't have enough context of this discussion, but looking briefly at 
this, it looks like you are using Apache HTTP client (probably with 
pooled connections) and it seems like a connection reuse for a 
subsequent login request is sending a Cookie with the request (when it 
shouldn't?).



If that's the case, then it looks like the Apache HTTP client's auto 
Cookie management is coming into picture where it "auto attaches" the 
Cookie, obtained from a previous response on that connection, to the new 
request on that reused connection. Apache HTTP client allows you to 
configure this behaviour by setting a cookie policy management. I guess 
you probably want to use the "ignoreCookies" policy in your case, since 
you want to manage setting the Cookie to the requests yourself. The 
Apache HTTP client documentation[1] has more information. Something like:



import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;

        final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
        final RequestConfig.Builder requestConfigBuilder = RequestConfig.custom();
        ...
        // IGNORE_COOKIES: the client neither stores nor auto-attaches cookies, so a
        // request carries only the Cookie header the test sets explicitly
        requestConfigBuilder.setCookieSpec(CookieSpecs.IGNORE_COOKIES);
        ...
        httpClientBuilder.setDefaultRequestConfig(requestConfigBuilder.build());
        final CloseableHttpClient httpClient = httpClientBuilder.build();


[1] For 3.x version (I couldn't find one for 4.x which you seem to be 
using) https://hc.apache.org/httpclient-3.x/cookies.html


[2] 
https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html



-Jaikiran


On 16/05/18 2:33 AM, Martin Gainty wrote:


8443 indicates secure connection so perhaps a misconfig with 
wildfly standalone.xml (see below)



  


 


https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration 



?

can you ping wildfly userlist ?
https://developer.jboss.org/en/wildfly



jaikiran is a good resource that i met on a different userlist..i 
would definitely ping him
stay in  touch/let me know if setting session-cookie in standalone.xml 
works


M-
NB: I once contracted to the company that bought wildfly..we had to 
figure configuration by ourselves



*From:* Prasanth Pasala <ppas...@pangburngroup.com>
*Sent:* Tuesday, May 15, 2018 11:42 AM
*To:* user@struts.apache.org
*Subject:* Re: Struts2 login action class seems to be reused
See below the header information when the exception occurred. Strange 
thing is JMeter is saying it did not send any cookie (which is what I 
would expect in this case as it is just requesting the login page)

Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ. 
(xx - is the machine name on which wildfly is running)

Connection: keep-alive
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
Host: dev.secure.xxx.com:8443
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

10:09:09,150 ERROR 
[org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default 
task-20) Exception occurred during processing request: UT10: 
Session is invalid
ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: 
java.lang.IllegalStateException: UT10: Session is invalid 
ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ


From JMeter---
GET https://dev.secure.pangburngroup.com:8443/participant/

GET data:


[no cookies]

Request Headers:
Connection: keep-alive
Host: dev.secure.xxx.com:8443
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
--

Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session 
State" with Wildfly's implementation of TC 5.5

>
> https://en.wikipedia.org/wiki/WildFly

>

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Martin Gainty
8443 indicates secure connection so perhaps a misconfig with wildfly 
standalone.xml (see below)


  

 



https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-SessionCookieConfiguration

?

can you ping wildfly userlist ?
https://developer.jboss.org/en/wildfly


jaikiran is a good resource that i met on a different userlist..i would 
definitely ping him
stay in  touch/let me know if setting session-cookie in standalone.xml works

M-
NB: I once contracted to the company that bought wildfly..we had to figure 
configuration by ourselves


From: Prasanth Pasala <ppas...@pangburngroup.com>
Sent: Tuesday, May 15, 2018 11:42 AM
To: user@struts.apache.org
Subject: Re: Struts2 login action class seems to be reused

See below the header information when the exception occurred. Strange thing is 
JMeter is saying it did not send any cookie (which is what I would expect in 
this case as it is just requesting the login page)

Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.(xx 
- is the machine name on which wildfly is running)
Connection: keep-alive
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
Host: dev.secure.xxx.com:8443
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

10:09:09,150 ERROR 
[org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) 
Exception occurred during processing request: UT10: Session is invalid
ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: 
UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ

From JMeter---
GET https://dev.secure.pangburngroup.com:8443/participant/

GET data:


[no cookies]

Request Headers:
Connection: keep-alive
Host: dev.secure.xxx.com:8443
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
--

Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with 
> Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
>
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with 
> a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
> MG>personally I wouldn't muck with TC I would suggest upgrading

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
See below the header information when the exception occurred. Strange thing is 
JMeter is saying it did not send any cookie (which is what I would expect in 
this case as it is just requesting the login
page)

Cookie: JSESSIONID=ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ.    (xx 
- is the machine name on which wildfly is running)
Connection: keep-alive
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
Host: dev.secure.xxx.com:8443
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

10:09:09,150 ERROR 
[org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] (default task-20) 
Exception occurred during processing request: UT10: Session is invalid
ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ: java.lang.IllegalStateException: 
UT10: Session is invalid ZclUN41sWwTsPGRw7Cf255OHu7jnQtgt4rEZ2QDZ

From JMeter---
GET https://dev.secure.pangburngroup.com:8443/participant/

GET data:


[no cookies]

Request Headers:
Connection: keep-alive
Host: dev.secure.xxx.com:8443
User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_151)
--

Thanks,
Prasanth

On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with 
> Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with 
> a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
> MG>personally I wouldn't muck with TC I would suggest upgrading wildfly and 
> getting jboss-web container
>
> hth
> martin
> __________________
>
>
>
>
> 
> From: Norbert Hirneisen <no...@s2you.de>
> Sent: Friday, March 2, 2018 6:55 PM
> To: user@struts.apache.org
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe? I had some similar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problem looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
>
> Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
>> I was able to replicate the issue today. Asked a few users to keep logging in 
>> and ran jmeter to access the login page, without putting any username or 
>> password. Out of the 100 attempts 2 attempts were
>> successful in getting in without username/password. I am seeing database 
>> login entries for these two. Which would happen only if a valid session is 
>> not present and user has provided username/

Re: Struts2 login action class seems to be reused

2018-05-15 Thread Prasanth Pasala
Hi Martin,

Thanks for the response. We are using Wildfly 11.0.0 Final.  I will try to get 
the HTTP header dump.

Thanks,
Prasanth


On 05/15/2018 07:44 AM, Martin Gainty wrote:
> Hi Norbert/Prasanth
>
> Struts2 login action problem has morphed to "Invalid Session State" with 
> Wildfly's implementation of TC 5.5
>
> https://en.wikipedia.org/wiki/WildFly
>
> MG>as a debugging exercise I would dump HTTP Header attributes with
>
> http://livehttpheaders.mozdev.org/
>
> MG>then check JSESSIONID
>
> MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
> MG>and corrected with his own StandardManager findSession method
> https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/
>
> Yes, there is! I found it and implemented this solution: A class
> extending org.apache.catalina.session.StandardManager and overriding
> the method public Session findSession(String id) throws IOException -
> simply removing quotation marks, if any! Seems to work fine.
> Thanks for putting me on the right trail!
>
> MG>assuming your TC has incorrect StandardManager can you update wildfly with 
> a more updated version?
> MG>here are versions
> https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t
>
> MG>personally I wouldn't muck with TC I would suggest upgrading wildfly and 
> getting jboss-web container
>
> hth
> martin
> __________________
>
>
>
>
> 
> From: Norbert Hirneisen <no...@s2you.de>
> Sent: Friday, March 2, 2018 6:55 PM
> To: user@struts.apache.org
> Subject: Fwd: Re: Struts2 login action class seems to be reused
>
> Hi Prasanth,
>
> are you sure all your struts1 code is thread safe? I had some similar
> problems in a struts1 application. After removing all action class
> properties the problem was solved. Struts2 should be thread safe. But
> your problem looks to me like a problem with thread safety.
>
> Best regards,
>
> Norbert
>
> science + communication & HaNo Systems
>
> Bonn/Ho-Chi-Minh
>
>
> Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
>> I was able to replicate the issue today. Asked a few users to keep logging in 
>> and ran jmeter to access the login page, without putting any username or 
>> password. Out of the 100 attempts 2 attempts were
>> successful in getting in without username/password. I am seeing database 
>> login entries for these two. Which would happen only if a valid session is 
>> not present and user has provided username/password.
>>
>> Thanks,
>> Prasanth
>>
>> On 03/01/2018 02:27 PM, Prasanth wrote:
>>> Hi,
>>>
>>> I have an application which uses both struts1 & struts2. The login action 
>>> was recently moved to struts2. Immediately after the deployment we were 
>>> notified that one user is seeing a different user's
>>> information, so we had to move to older war files. I am not able to 
>>> replicate it. But after investigating the logs it seems like a couple of users 
>>> were logged in as soon as they requested the login page.
>>> For the database entry to happen it has to verify the username and password 
>>> in the action class, but the fact that there is no POST entry at that time 
>>> from that IP in my access log makes me believe
>>> that the action class somehow already had that information from a prior 
>>> user.
>>>
>>> I do have a login filter to check if users are logged in when accessing 
>>> other pages. In this 

Re: Re: Struts2 login action class seems to be reused

2018-05-15 Thread Martin Gainty
Hi Norbert/Prasanth

Struts2 login action problem has morphed to "Invalid Session State" with 
Wildfly's implementation of TC 5.5

https://en.wikipedia.org/wiki/WildFly

MG>as a debugging exercise I would dump HTTP Header attributes with

http://livehttpheaders.mozdev.org/

MG>then check JSESSIONID

MG>a fellow named "Thomas" had a similar problem with incorrect JSESSIONID
MG>and corrected with his own StandardManager findSession method
https://www.thecodingforums.com/threads/session-problem-jsessionid-cookie-comes-back-with-double-quotes.140442/

Yes, there is! I found it and implemented this solution: A class
extending org.apache.catalina.session.StandardManager and overriding
the method public Session findSession(String id) throws IOException -
simply removing quotation marks, if any! Seems to work fine.
Thanks for putting me on the right trail!

MG>assuming your TC has incorrect StandardManager can you update wildfly with a 
more updated version?
MG>here are versions
https://developer.jboss.org/wiki/VersionOfTomcatInJBossAS?_sscc=t

MG>personally I wouldn't muck with TC I would suggest upgrading wildfly and 
getting jboss-web container

hth
martin
__





From: Norbert Hirneisen <no...@s2you.de>
Sent: Friday, March 2, 2018 6:55 PM
To: user@struts.apache.org
Subject: Fwd: Re: Struts2 login action class seems to be reused

Hi Prasanth,

are you sure all your struts1 code is thread safe? I had some similar
problems in a struts1 application. After removing all action class
properties the problem was solved. Struts2 should be thread safe. But
your problem looks to me like a problem with thread safety.

Best regards,

Norbert

science + communication & HaNo Systems

Bonn/Ho-Chi-Minh


Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
> I was able to replicate the issue today. Asked a few users to keep logging in 
> and ran jmeter to access the login page, without putting any username or 
> password. Out of the 100 attempts 2 attempts were
> successful in getting in without username/password. I am seeing database 
> login entries for these two. Which would happen only if a valid session is 
> not present and user has provided username/password.
>
> Thanks,
> Prasanth
>
> On 03/01/2018 02:27 PM, Prasanth wrote:
>> Hi,
>>
>> I have an application which uses both struts1 & struts2. The login action 
>> was recently moved to struts2. Immediately after the deployment we were 
>> notified that one user is seeing a different user's
>> information, so we had to move to older war files. I am not able to 
>> replicate it. But after investigating the logs it seems like a couple of users 
>> were logged in as soon as they requested the login page.
>> For the database entry to happen it has to verify the username and password 
>> in the action class, but the fact that there is no POST entry at that time 
>> from that IP in my access log makes me believe
>> that the action class somehow already had that information from a prior 
>> user.
>>
>> I do have a login filter to check if users are logged in when accessing 
>> other pages. In this filter I have the below two lines, we had to do this as 
>> we will have requests forwarded from one
>> application to another and when that happens we are getting a class cast 
>> exception for the ActionMapping class and valueStack. Not sure if the behavior 
>> is a side effect of having the below lines.
>>
>>  request.setAttribute("struts.actionMapping", new ActionMapping());
>>  request.setAttribute("struts.valueStack", null);
>>
>> We are using Struts 2.3.34 and Wildfly.
>>
>> Appreciate any insights you might have.
>>
>> Thanks,
>> Prasanth
>>
>>
>


-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: Struts2 login action class seems to be reused

2018-05-15 Thread Yasser Zamani


On 5/15/2018 12:45 AM, Prasanth Pasala wrote:
> A different issue is coming up now after the get methods are removed.  
> Getting the below exception sometimes when you request the login page, at 
> which point the browser doesn't have the session id
> yet; the session id mentioned would be a session id from a previous request 
> (from another thread, in JMeter testing). Wonder if, somehow, this data 
> (session id) is also moved by struts2 when copying
> data from the other LoginAction that is lingering from old requests.
> 
> Thanks,
> Prasanth
> 
> Exception: java.lang.IllegalStateException: UT10: Session is invalid 
> JVoo5BkMlzTpOavsEe7_NjS0MzTXDlhYtlSviiGR


AFAIK the session is completely managed by the browser and the app server, e.g.
Tomcat; so I think this isn't a Struts issue.

Regards.


Re: Struts2 login action class seems to be reused

2018-05-14 Thread Prasanth Pasala
A different issue is coming up now after the get methods are removed.  Getting 
the below exception sometimes when you request the login page, at which point 
the browser doesn't have the session id
yet; the session id mentioned would be a session id from a previous request 
(from another thread, in JMeter testing). Wonder if, somehow, this data 
(session id) is also moved by struts2 when copying
data from the other LoginAction that is lingering from old requests.

Thanks,
Prasanth

Exception: java.lang.IllegalStateException: UT10: Session is invalid 
JVoo5BkMlzTpOavsEe7_NjS0MzTXDlhYtlSviiGR

On 04/24/2018 09:00 AM, Prasanth Pasala wrote:
> I have removed the get methods from the LoginAction of /Context2 and that 
> seems to solve the problem. So it seems like the LoginAction objects created 
> because of FORWARD are somehow in the stack while a
> LoginAction is created due to a REQUEST. Wondering if this can be replicated 
> without having two contexts. If there is a FORWARD within the context and the 
> same action can also be initiated by direct
> REQUEST, wonder if the same issue will crop up.
>
> Thanks,
> Prasanth
>
> On 04/24/2018 01:52 AM, Yasser Zamani wrote:
>> On 4/23/2018 11:50 PM, Prasanth Pasala wrote:
>>> Get rid of the get methods in LoginAction, is this in /Context2 
>>> (application where the issue is occurring) or /Context1 (which forwards the 
>>> requests to /Context2)?
>>>
>> The context that forwards the request (Context1 I think), but you may do it for
>> all to be sure. However, I still prefer rewriting FORWARD with REDIRECT
>> or POSTBACK to prevent possible future issues.
>>
>>> Yes exactly. The new log shows your previous context's actions
>>> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
>>> current context because you forward the same request, which includes the previous
>>> context data; then Struts ChainInterceptor copies data from the previous to the
>>> current action :S . As currently Struts cannot handle forwarded requests
>>> well, could you please try REDIRECT instead? sendRedirect asks the user's
>>> browser to continue with a new request.
>>>
>>> Still not sure about the above comment.  So the ChainInterceptor is getting 
>>> data from an action that occurred before and is not part of the current request?
>> Struts has a stack. ChainResult pushes the current action onto the stack for the next
>> action. In the next action, ChainInterceptor pops it and copies the values. Now
>> you have two actions in the stack (I don't know how, but it seems to be because
>> of forwarding the same request, which has the previous context1 stack) and
>> ChainInterceptor thinks ChainResult has pushed that, and then pops and
>> copies them into the current action.
>>
>> Regards.
>>
>



Re: Struts2 login action class seems to be reused

2018-04-24 Thread Prasanth Pasala
I have removed the get methods from the LoginAction of /Context2 and that seems 
to solve the problem. So it seems like the LoginAction objects created because of 
FORWARD are somehow in the stack while a
LoginAction is created due to a REQUEST. Wondering if this can be replicated 
without having two contexts. If there is a FORWARD within the context and the 
same action can also be initiated by direct
REQUEST, wonder if the same issue will crop up.

Thanks,
Prasanth

On 04/24/2018 01:52 AM, Yasser Zamani wrote:
>
> On 4/23/2018 11:50 PM, Prasanth Pasala wrote:
>> Get rid of the get methods in LoginAction, is this in /Context2 (application 
>> where the issue is occurring) or /Context1 (which forwards the requests to 
>> /Context2)?
>>
> The context that forwards the request (Context1 I think), but you may do it for
> all to be sure. However, I still prefer rewriting FORWARD with REDIRECT
> or POSTBACK to prevent possible future issues.
>
>> Yes exactly. The new log shows your previous context's actions
>> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
>> current context because you forward the same request, which includes the previous
>> context data; then Struts ChainInterceptor copies data from the previous to the
>> current action :S . As currently Struts cannot handle forwarded requests
>> well, could you please try REDIRECT instead? sendRedirect asks the user's
>> browser to continue with a new request.
>>
>> Still not sure about the above comment.  So the ChainInterceptor is getting 
>> data from an action that occurred before and is not part of the current request?
> Struts has a stack. ChainResult pushes the current action onto the stack for the next
> action. In the next action, ChainInterceptor pops it and copies the values. Now
> you have two actions in the stack (I don't know how, but it seems to be because
> of forwarding the same request, which has the previous context1 stack) and
> ChainInterceptor thinks ChainResult has pushed that, and then pops and
> copies them into the current action.
>
> Regards.
>



Re: Struts2 login action class seems to be reused

2018-04-24 Thread Yasser Zamani


On 4/23/2018 11:50 PM, Prasanth Pasala wrote:
> Get rid of the get methods in LoginAction, is this in /Context2 (application 
> where the issue is occurring) or /Context1 (which forwards the requests to 
> /Context2)?
> 

The context that forwards the request (Context1 I think), but you may do it for
all to be sure. However, I still prefer rewriting FORWARD with REDIRECT
or POSTBACK to prevent possible future issues.

> 
> Yes exactly. The new log shows your previous context's actions
> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
> current context because you forward the same request, which includes the previous
> context data; then Struts ChainInterceptor copies data from the previous to the
> current action :S . As currently Struts cannot handle forwarded requests
> well, could you please try REDIRECT instead? sendRedirect asks the user's
> browser to continue with a new request.
> 
> Still not sure about the above comment.  So the ChainInterceptor is getting 
> data from an action that occurred before and is not part of the current request?

Struts has a stack. ChainResult pushes the current action onto the stack for the next
action. In the next action, ChainInterceptor pops it and copies the values. Now
you have two actions in the stack (I don't know how, but it seems to be because
of forwarding the same request, which has the previous context1 stack) and
ChainInterceptor thinks ChainResult has pushed that, and then pops and
copies them into the current action.

Regards.


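To make the copy Yasser describes above concrete, here is an added stand-alone example; it is not Struts code and not the project's code. In Struts 2.3.x the copy is performed by com.opensymphony.xwork2.interceptor.ChainingInterceptor, which sits in the default interceptor stack, walks the older objects in the value stack root and copies every readable property into the current action through ReflectionProvider.copy(). The model below reproduces that rule with plain JDK bean introspection (no OGNL, no exclusion list) so it compiles and runs with only a JDK; the class names, field names and credential values are invented. One thing worth checking when a root dump shows more actions than expected: in Struts 2.3.x the dispatcher stores the value stack in the request attribute struts.valueStack (ServletActionContext.STRUTS_VALUESTACK_KEY) and, when it finds one already set on an incoming request, builds the new stack from it, so a RequestDispatcher.forward that carries that attribute into the target context is one possible way for a previous action to end up on the new stack.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/**
 * Stand-alone model (not Struts code) of the getter-driven property copy:
 * every readable property of each older object on the stack is written into
 * the current action through a matching setter. Whether a credential leaks
 * therefore depends only on the stale object having a getter and the new
 * action having a setter for the same property name.
 */
public class StaleActionCopyDemo {

    /** Action shape before the fix: public getters for both credentials. */
    public static class LeakyLoginAction {
        String username;
        String password;
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
        public String getPassword() { return password; }
        public void setPassword(String p) { password = p; }
    }

    /** Action shape after the fix: setters kept for parameter binding, no getters. */
    public static class HardenedLoginAction {
        String username;
        String password;
        public void setUsername(String u) { username = u; }
        public void setPassword(String p) { password = p; }
    }

    /** Copy each property readable on source and writable on target; return the count. */
    static int copyProperties(Object source, Object target) throws Exception {
        Map<String, Method> setters = new HashMap<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(target.getClass(), Object.class)
                                                 .getPropertyDescriptors()) {
            if (pd.getWriteMethod() != null) {
                setters.put(pd.getName(), pd.getWriteMethod());
            }
        }
        int copied = 0;
        for (PropertyDescriptor pd : Introspector.getBeanInfo(source.getClass(), Object.class)
                                                 .getPropertyDescriptors()) {
            Method getter = pd.getReadMethod();
            Method setter = setters.get(pd.getName());
            if (getter == null || setter == null) {
                continue; // no getter on the stale object or no setter on the new one: nothing moves
            }
            Object value = getter.invoke(source);
            if (value != null) {
                setter.invoke(target, value);
                copied++;
            }
        }
        return copied;
    }

    /** Apply the copy for every stale object left on the stack. */
    static int copyFromStack(Deque<Object> stack, Object current) throws Exception {
        int copied = 0;
        for (Object stale : stack) {
            copied += copyProperties(stale, current);
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: a forwarded login left a populated action on the
        // stack, and a later plain GET for the login page creates a fresh, empty one.
        LeakyLoginAction staleLeaky = new LeakyLoginAction();
        staleLeaky.setUsername("alice");
        staleLeaky.setPassword("correct horse");
        Deque<Object> stack = new ArrayDeque<>();
        stack.push(staleLeaky);

        LeakyLoginAction freshLeaky = new LeakyLoginAction();
        int n = copyFromStack(stack, freshLeaky);
        System.out.println("with getters: " + n + " values copied, fresh action holds "
                + freshLeaky.username + " / " + freshLeaky.password);

        // Same situation once the getters are gone from the action class.
        HardenedLoginAction staleHardened = new HardenedLoginAction();
        staleHardened.setUsername("alice");
        staleHardened.setPassword("correct horse");
        stack.clear();
        stack.push(staleHardened);

        HardenedLoginAction freshHardened = new HardenedLoginAction();
        n = copyFromStack(stack, freshHardened);
        System.out.println("without getters: " + n + " values copied, fresh action holds "
                + freshHardened.username + " / " + freshHardened.password);
    }
}
```

Compile and run it as a single file (`javac StaleActionCopyDemo.java && java StaleActionCopyDemo`). The first run shows the fresh action carrying the other user's credentials although nothing was submitted, which is exactly the "logged in on a GET" symptom from the start of the thread; the second run shows that removing the getters is enough to stop the copy, because the copy is keyed on readable properties and never looks at fields directly.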

Re: Struts2 login action class seems to be reused

2018-04-23 Thread Prasanth Pasala
Get rid of the get methods in LoginAction, is this in /Context2 (application 
where the issue is occurring) or /Context1 (which forwards the requests to 
/Context2)?


Yes exactly. The new log shows your previous context's actions
(LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
current context because you forward the same request, which includes the previous
context data; then Struts ChainInterceptor copies data from the previous to the
current action :S . As currently Struts cannot handle forwarded requests
well, could you please try REDIRECT instead? sendRedirect asks the user's
browser to continue with a new request.

Still not sure about the above comment.  So the ChainInterceptor is getting 
data from an action that occurred before and is not part of the current request?

Thanks,
Prasanth

On 04/23/2018 01:27 PM, Yasser Zamani wrote:
>
> On 4/23/2018 10:12 PM, Prasanth Pasala wrote:
>> The user is inputting username and password in /Context1, if I send a 
>> redirect they would have to enter username/password again in /Context2.
>>
> No, you already have them. I think you can use Struts PostbackResult [1]
> in /Context1/LoginAction like below:
>
> /Context2/LoginAction
>
>> Maybe for LoginAction in /Context2 I can remove instance variables (so that 
>> struts doesn't set any values) I will directly access the request object to 
>> get username and password to validate.
> The simpler solution is deleting the getUsername and getPassword methods
> from LoginAction, which prevents ChainInterceptor from copying them and
> solves this issue! But I'm worried about other issues caused by FORWARD,
> so please try replacing all of them as I mentioned above.
>
> [1] https://struts.apache.org/core-developers/postback-result.html
>



Re: Struts2 login action class seems to be reused

2018-04-23 Thread Yasser Zamani


On 4/23/2018 10:12 PM, Prasanth Pasala wrote:
> The user is inputting username and password in /Context1, if I send a 
> redirect they would have to enter username/password again in /Context2.
> 

No, you already have them. I think you can use Struts PostbackResult [1]
in /Context1/LoginAction like below:

/Context2/LoginAction

> Maybe for LoginAction in /Context2 I can remove instance variables (so that 
> struts doesn't set any values) I will directly access the request object to 
> get username and password to validate.

The simpler solution is deleting the getUsername and getPassword methods
from LoginAction, which prevents ChainInterceptor from copying them and
solves this issue! But I'm worried about other issues caused by FORWARD,
so please try replacing all of them as I mentioned above.

[1] https://struts.apache.org/core-developers/postback-result.html
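
As an added example of the action shape this advice leads to (not code from the thread or from the project), here is a Context2-style LoginAction for Struts 2.3.x that gives ChainingInterceptor nothing to copy and takes nothing from the value stack: no getters for the credentials or for the request, credentials read from the current request inside execute(), per-request state reset at the top of execute(), and the session renewed on a successful login. The parameter names username and password, the session attribute name user and the authenticate() method are assumptions; authenticate() is a placeholder for the application's own credential check.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.interceptor.ServletRequestAware;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Added example (Struts 2.3.x API), not the project's own class.
 *
 * The only public getter is getMessage(), which the login JSP needs; it is
 * reset at the start of execute() so a value copied in from another action
 * instance cannot survive into this request. There is deliberately no
 * getServletRequest()/getRequest(), so no stale request object can be copied
 * into this action either.
 */
public class LoginAction extends ActionSupport implements ServletRequestAware {

    private static final long serialVersionUID = 1L;

    /** Injected per request by the servletConfig interceptor; no getter on purpose. */
    private transient HttpServletRequest request;

    /** Error text shown on the login page. */
    private String message = "";

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    public String getMessage() {
        return message;
    }

    @Override
    public String execute() {
        // Reset per-request state first so nothing inherited from another
        // action instance can influence this call.
        message = "";

        // Read credentials from the request itself, never from fields that a
        // setter might have been fed from a stale object on the value stack.
        String username = request.getParameter("username"); // assumed parameter name
        String password = request.getParameter("password"); // assumed parameter name

        if (username == null || password == null || username.isEmpty()) {
            // A plain GET for the login page: render the form, never attempt a login.
            return INPUT;
        }

        if (!authenticate(username, password)) {
            message = "Invalid username or password.";
            return INPUT;
        }

        // Successful login: discard the pre-authentication session and continue
        // only with the freshly created one, so a session id that existed before
        // login is never reused for the authenticated user. Any reference to the
        // old session object after invalidate() would be invalid from here on.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", username); // assumed attribute name
        return SUCCESS;
    }

    /** Hypothetical placeholder: replace with the application's own credential check. */
    private boolean authenticate(String username, String password) {
        return false;
    }
}
```

For the Context1 side, PostbackResult is documented to render the action's parameters as hidden fields in a form that the browser submits automatically to the target action, so the credentials make one more round trip through the browser as page content; keep that leg on HTTPS and make sure the generated page is not cacheable, or hand over a short-lived one-time token instead of the raw password.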


Re: Struts2 login action class seems to be reused

2018-04-23 Thread Prasanth Pasala
The two LoginAction classes below are from the same context (/Context2). 
Context1 LoginAction would have a different package name. The issue occurs when 
a user is requesting /Context2 directly rather
than when the request is forwarded; if the request is forwarded from /Context1 
it would have the username and password in the request and those seem to be 
working fine. The issue is when there are
requests forwarded from /Context1 with username and password and later on there 
is a GET request to /Context2 LoginAction (no username/password in request, so 
it should display the login page). Now somehow
struts is using data from the old forwarded requests (sent from Context1) for a 
request made directly to Context2.

The user is inputting username and password in /Context1, if I send a redirect 
they would have to enter username/password again in /Context2.

Maybe for LoginAction in /Context2 I can remove instance variables (so that 
struts doesn't set any values) I will directly access the request object to get 
username and password to validate.

Thanks,
Prasanth

On 04/23/2018 12:31 PM, Yasser Zamani wrote:
>
> On 4/23/2018 8:04 PM, Prasanth Pasala wrote:
>> Found this one also, but for almost all the root size was 3. The one below was an 
>> anomaly.
>> Root Size: 4
>> Result: null
>> Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
>> Object: com.nqadmin.webaccess.LoginAction@7f716c46
>> Object: com.nqadmin.webaccess.LoginAction@35224c2f
>>
>> Also found that the issue doesn't come up if I am logging in only to the 
>> second website (/context2). The issue only comes up if there are users 
>> logging in via context1, whose login request is
>> forwarded to context2.
> Yes exactly. The new log shows your previous context's actions
> (LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
> current context because you forward the same request, which includes the previous
> context data; then Struts ChainInterceptor copies data from the previous to the
> current action :S . As currently Struts cannot handle forwarded requests
> well, could you please try REDIRECT instead? sendRedirect asks the user's
> browser to continue with a new request.
>
> Regards.
>



Re: Struts2 login action class seems to be reused

2018-04-23 Thread Yasser Zamani


On 4/23/2018 8:04 PM, Prasanth Pasala wrote:
> Found this one also, but for almost all the root size was 3. The one below was an 
> anomaly.
> Root Size: 4
> Result: null
> Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
> Object: com.nqadmin.webaccess.LoginAction@7f716c46
> Object: com.nqadmin.webaccess.LoginAction@35224c2f
> 
> Also found that the issue doesn't come up if I am logging in only to the 
> second website (/context2). The issue only comes up if there are users 
> logging in via context1, whose login request is
> forwarded to context2.

Yes exactly. The new log shows your previous context's actions
(LoginAction@7f716c46 and LoginAction@35224c2f) are also present in the
current context because you forward the same request, which includes the previous
context data; then Struts ChainInterceptor copies data from the previous to the
current action :S . As currently Struts cannot handle forwarded requests
well, could you please try REDIRECT instead? sendRedirect asks the user's
browser to continue with a new request.

Regards.


Re: Struts2 login action class seems to be reused

2018-04-23 Thread Prasanth Pasala
Found this one also, but for almost all the root size was 3. The one below was an 
anomaly.
Root Size: 4
Result: null
Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
Object: com.nqadmin.webaccess.LoginAction@7f716c46
Object: com.nqadmin.webaccess.LoginAction@35224c2f

Also found that the issue doesn't come up if I am logging in only to the second 
website (/context2). The issue only comes up if there are users logging in via 
context1, whose login request is
forwarded to context2.

Since it has been a while, including the details of how our setup works.
Context 2 & Context 3 are two websites and depending on user type they have to 
log in to one or the other. To make it easy for the user we have Context1 where 
we allow users to log in; this site checks
the database and determines which site they need to be logging into and 
forwards the login request to Context2 or Context3. We have users who would 
log in to the right context and some who utilize
Context1 to log in.

Thanks,
Prasanth

On 04/23/2018 09:42 AM, Prasanth Pasala wrote:
> Below is the result of the new logging.
>
> Root Size: 3
> Result: null
> Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
> Object: com.xx.webaccess.LoginAction@40c80ce8
>
> Thanks,
> Prasanth
>
> On 04/21/2018 05:09 AM, Yasser Zamani wrote:
>> On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
>>> There is an index.jsp which is defined as the default page in web.xml; it just 
>>> forwards the request to Login.action. There is no chaining of actions in 
>>> struts itself. We do have a LoginFilter which verifies
>>> if a user is logged in.
>>>
>> So maybe there is a bug with the chain interceptor! Could you please use the
>> following code in your action's setUsername method (save its log in a
>> private string field in your action). Then print it when your action
>> data are not consistent with the request params.
>>
>> // needs com.opensymphony.xwork2.{ActionContext, ActionInvocation, Result},
>> // com.opensymphony.xwork2.util.{ValueStack, CompoundRoot} and java.util.*
>> String log = "";
>> ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
>> ValueStack stack = invocation.getStack();
>> CompoundRoot root = stack.getRoot();    // every object pushed on the value stack
>> log += "Root Size: " + root.size();
>> Result result = invocation.getResult(); // null until the action's result is created
>> log += "\r\nResult: " + result;
>> List<Object> list = new ArrayList<Object>(root);
>> list.remove(0);                         // index 0 is the most recently pushed object
>> Collections.reverse(list);              // print the bottom of the stack first
>> for (Object object : list) {
>>     log += "\r\nObject: " + object;
>> }
>> this.log = log; // saves for possible future use
>>
>> Thanks!
>>





Re: Struts2 login action class seems to be reused

2018-04-23 Thread Prasanth Pasala
Below is the result of the new logging.

Root Size: 3
Result: null
Object: com.opensymphony.xwork2.DefaultTextProvider@4d36d73d
Object: com.xx.webaccess.LoginAction@40c80ce8

Thanks,
Prasanth

On 04/21/2018 05:09 AM, Yasser Zamani wrote:
>
> On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
>> There is an index.jsp which is defined as the default page in web.xml; it just
>> forwards the request to Login.action. There is no chaining of actions in
>> Struts itself. We do have a LoginFilter which verifies if a user is logged in.
>>
> So maybe there is a bug with the chain interceptor! Could you please use the
> following code in your action's setUsername method (save its log in a
> private string field in your action). Then print it when your action
> data are not consistent with request params.
>
> import java.util.ArrayList;
> import java.util.Collections;
> import java.util.List;
> import com.opensymphony.xwork2.ActionContext;
> import com.opensymphony.xwork2.ActionInvocation;
> import com.opensymphony.xwork2.Result;
> import com.opensymphony.xwork2.util.CompoundRoot;
> import com.opensymphony.xwork2.util.ValueStack;
> // inside setUsername(String username), after assigning the field:
> String log = "";
> ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
> ValueStack stack = invocation.getStack();
> CompoundRoot root = stack.getRoot(); // every object on the value stack, top first
> log += "Root Size: " + root.size();
> Result result = null;
> try {
>     result = invocation.getResult(); // still null while interceptors run
> } catch (Exception e) {
>     log += "\r\ngetResult failed: " + e;
> }
> log += "\r\nResult: " + result;
> List<Object> list = new ArrayList<>(root);
> list.remove(0); // index 0 is the top of the stack: the current action
> Collections.reverse(list); // log the remaining objects bottom-up
> for (Object object : list) {
>     log += "\r\nObject: " + object;
> }
> this.log = log; // saves for possible future use
>
> Thanks!
>





Re: Struts2 login action class seems to be reused

2018-04-21 Thread Yasser Zamani


On 4/19/2018 4:39 PM, Prasanth Pasala wrote:
> There is an index.jsp which is defined as the default page in web.xml; it just
> forwards the request to Login.action. There is no chaining of actions in
> Struts itself. We do have a LoginFilter which verifies if a user is logged in.
> 

So maybe there is a bug with the chain interceptor! Could you please use the
following code in your action's setUsername method (save its log in a
private string field in your action). Then print it when your action
data are not consistent with request params.

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.Result;
import com.opensymphony.xwork2.util.CompoundRoot;
import com.opensymphony.xwork2.util.ValueStack;
// inside setUsername(String username), after assigning the field:
String log = "";
ActionInvocation invocation = ActionContext.getContext().getActionInvocation();
ValueStack stack = invocation.getStack();
CompoundRoot root = stack.getRoot(); // every object on the value stack, top first
log += "Root Size: " + root.size();
Result result = null;
try {
    result = invocation.getResult(); // still null while interceptors run
} catch (Exception e) {
    log += "\r\ngetResult failed: " + e;
}
log += "\r\nResult: " + result;
List<Object> list = new ArrayList<>(root);
list.remove(0); // index 0 is the top of the stack: the current action
Collections.reverse(list); // log the remaining objects bottom-up
for (Object object : list) {
    log += "\r\nObject: " + object;
}
this.log = log; // saves for possible future use

Thanks!


Re: Struts2 login action class seems to be reused

2018-04-19 Thread Prasanth Pasala
There is an index.jsp which is defined as the default page in web.xml; it just
forwards the request to Login.action. There is no chaining of actions in Struts
itself. We do have a LoginFilter which verifies if a user is logged in.

Thanks,
Prasanth

On 04/19/2018 03:26 AM, Yasser Zamani wrote:
>
> On 4/19/2018 7:21 AM, Prasanth Pasala wrote:
>> com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153)
>> com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143)
> Thanks! These lines show Struts doesn't set username from a request
> parameter, but it seems that you have a chain result to the login action
> which sets username from its previous action's getUsername! Could you
> verify this by reviewing your struts.xml, looking for an action that has a
> chain result to the login action?
>
> Thanks in advance!
>



Re: Struts2 login action class seems to be reused

2018-04-19 Thread Yasser Zamani


On 4/19/2018 7:21 AM, Prasanth Pasala wrote:
> com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153)
> com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143)

Thanks! These lines show Struts doesn't set username from a request
parameter, but it seems that you have a chain result to the login action
which sets username from its previous action's getUsername! Could you
verify this by reviewing your struts.xml, looking for an action that has a
chain result to the login action?

Thanks in advance!



Re: Struts2 login action class seems to be reused

2018-04-18 Thread Prasanth Pasala
Below is the stack trace for setting of username. So struts2 has set the 
username, but that name doesn't exist in the request object.

Struts Data: Username: jsmith Action: Login
Request Data: Username: null Action: null

java.lang.Thread.getStackTrace(Thread.java:1559)
 com.x.webaccess.LoginAction.setUsername(LoginAction.java:273)
 sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 java.lang.reflect.Method.invoke(Method.java:498)
 ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:897)
 ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1299)
 ognl.OgnlRuntime.setMethodValue(OgnlRuntime.java:1508)
 ognl.ObjectPropertyAccessor.setPossibleProperty(ObjectPropertyAccessor.java:85)
 ognl.ObjectPropertyAccessor.setProperty(ObjectPropertyAccessor.java:162)
 com.opensymphony.xwork2.ognl.accessor.ObjectAccessor.setProperty(ObjectAccessor.java:27)
 ognl.OgnlRuntime.setProperty(OgnlRuntime.java:2437)
 ognl.ASTProperty.setValueBody(ASTProperty.java:127)
 ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
 ognl.SimpleNode.setValue(SimpleNode.java:301)
 ognl.Ognl.setValue(Ognl.java:713)
 com.opensymphony.xwork2.ognl.OgnlUtil$6.execute(OgnlUtil.java:504)
 com.opensymphony.xwork2.ognl.OgnlUtil$6.execute(OgnlUtil.java:501)
 com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:393)
 com.opensymphony.xwork2.ognl.OgnlUtil.copy(OgnlUtil.java:501)
 com.opensymphony.xwork2.ognl.OgnlReflectionProvider.copy(OgnlReflectionProvider.java:73)
 com.opensymphony.xwork2.interceptor.ChainingInterceptor.copyStack(ChainingInterceptor.java:153)
 com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:143)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
 com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:140)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
 com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:245)
 org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
 org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:575)
 org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)
 org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)
 io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 com.x.webaccess.LoginFilter.doFilter(LoginFilter.java:52)
 io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
 io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
 io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
 io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
 io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
 io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
 io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
 org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:722)
 org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:695)

Re: Struts2 login action class seems to be reused

2018-04-17 Thread Yasser Zamani


On 4/16/2018 7:19 PM, Prasanth Pasala wrote:
> So I am wondering where did these values come from into the instance 
> variables?

Great! Please also get the current stack trace inside your action's
setUsername method and save it in a private string field inside your
action. Then, when the action and request data are mismatched, also print this
string, which answers where these values came from.

Thanks in advance!



Re: Struts2 login action class seems to be reused

2018-04-16 Thread Prasanth Pasala
Finally we redeployed the code with an added check to make sure the instance
variables populated by Struts match the request parameters. Within a few hours
of deployment we got emails indicating that the values populated into the
instance variables don't match those in the request parameters. Below you can
see the difference between the instance variables and the values in the request
object. The code is also updated to store the hash code of the Login action for
each login, so that we can see if the object is reused. Surprisingly the hash
code doesn't match any of the hash codes stored for successful logins. When the
emails are triggered there is only a GET request for the Login action (which
should display the login page; once the user enters the username & password it
is submitted via POST). So I am wondering where these values came from into the
instance variables?

-
Struts data doesn't match that in request object.
Struts Data:
    Username: jsmith
    Action: Login
Request Data:
    Username: null
    Action: null

Object Hash: 1573857416
-

Thanks,
Prasanth

On 03/16/2018 02:30 PM, Prasanth Pasala wrote:
> There is only one reference to Util.authenticate in the project and that is 
> in LoginAction.
>
> On 03/16/2018 02:13 PM, Yasser Zamani wrote:
>> And you confirm that those log record insertions are only possible via the
>> LoginAction.execute method? Right? Or is util.authenticate called elsewhere
>> also?
>> On Mar 16, 2018, at 9:45PM, Prasanth Pasala wrote:
>>
>> We have a pretty standard struts.xml: just the declaration of the action and the
>> class along with the results (tiles results). Nothing other than that.
>>
>> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>>
>>  On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>  We do have login time; using that and the IP we correlate it with the
>> access logs. Not all login entries have corresponding POST entries in the access
>> log, so those would be our problem occurrences.
>>  They actually correspond to a GET entry from a user.
>>
>>  IP of the GET request of User1 matches with the login record in the
>> database (login would be for User2 id and IP from User1 GET). So it looks as
>> if the same user logged in from two different IPs
>>  around the same time, which shouldn't be the case.
>>  I'm almost sure Struts always asks the object factory to create the action
>>  on each request. It is up to the object factory whether it creates a new
>>  object of that action or reuses a previous object of an action.
>>  So have you set any specific object factory via struts.xml?
>>
>



Re: Struts2 login action class seems to be reused

2018-03-17 Thread Yasser Zamani


On 3/16/2018 11:00 PM, Prasanth Pasala wrote:
> There is only one reference to Util.authenticate in the project and that is 
> in LoginAction.
> 

If (those log record insertions are only possible via the
LoginAction.execute method && their IP field values are different and
are consistent with the access log of that POST and GET request) then it
seems you're right! i.e. one specific object of LoginAction has executed
both requests, POST from User2 then GET from User1!!

To confirm this, could you please change your code as below:

if (censusID == -1) {
    message = "Invalid username/password specified";
    result = "failed";
}
else {
    new com.x.x.model.Logger().loggedIn(censusID, remoteHost,
            System.identityHashCode(this));

i.e. also log the identity hash code of the LoginAction object to see if
both records are inserted via the same action object.

Thanks in advance for your support!

> On 03/16/2018 02:13 PM, Yasser Zamani wrote:
>> And you confirm that those log record insertions are only possible via the
>> LoginAction.execute method? Right? Or is util.authenticate called elsewhere
>> also?
>> On Mar 16, 2018, at 9:45PM, Prasanth Pasala wrote:
>>
>> We have a pretty standard struts.xml: just the declaration of the action and the
>> class along with the results (tiles results). Nothing other than that.
>>
>> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>>
>>  On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>>  We do have login time; using that and the IP we correlate it with the
>> access logs. Not all login entries have corresponding POST entries in the access
>> log, so those would be our problem occurrences.
>>  They actually correspond to a GET entry from a user.
>>
>>  IP of the GET request of User1 matches with the login record in the
>> database (login would be for User2 id and IP from User1 GET). So it looks as
>> if the same user logged in from two different IPs
>>  around the same time, which shouldn't be the case.
>>  I'm almost sure Struts always asks the object factory to create the action
>>  on each request. It is up to the object factory whether it creates a new
>>  object of that action or reuses a previous object of an action.
>>  So have you set any specific object factory via struts.xml?
>>
> 
> 



Re: Struts2 login action class seems to be reused

2018-03-16 Thread Prasanth Pasala
There is only one reference to Util.authenticate in the project and that is in 
LoginAction.

On 03/16/2018 02:13 PM, Yasser Zamani wrote:
> And you confirm that those log record insertions are only possible via the
> LoginAction.execute method? Right? Or is util.authenticate called elsewhere
> also?
> On Mar 16, 2018, at 9:45PM, Prasanth Pasala wrote:
>
> We have a pretty standard struts.xml: just the declaration of the action and the
> class along with the results (tiles results). Nothing other than that.
>
> On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>
>  On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>  We do have login time; using that and the IP we correlate it with the
> access logs. Not all login entries have corresponding POST entries in the access
> log, so those would be our problem occurrences.
>  They actually correspond to a GET entry from a user.
>
>  IP of the GET request of User1 matches with the login record in the database
> (login would be for User2 id and IP from User1 GET). So it looks as if the
> same user logged in from two different IPs
>  around the same time, which shouldn't be the case.
>  I'm almost sure Struts always asks the object factory to create the action
>  on each request. It is up to the object factory whether it creates a new
>  object of that action or reuses a previous object of an action.
>  So have you set any specific object factory via struts.xml?
>



Re: Struts2 login action class seems to be reused

2018-03-16 Thread Yasser Zamani
And you confirm that those log record insertions are only possible via the
LoginAction.execute method? Right? Or is util.authenticate called elsewhere
also?
On Mar 16, 2018, at 9:45PM, Prasanth Pasala wrote:

We have a pretty standard struts.xml: just the declaration of the action and the
class along with the results (tiles results). Nothing other than that.

On 03/16/2018 11:55 AM, Yasser Zamani wrote:

 On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
 We do have login time; using that and the IP we correlate it with the access
logs. Not all login entries have corresponding POST entries in the access log, so
those would be our problem occurrences.
 They actually correspond to a GET entry from a user.

 IP of the GET request of User1 matches with the login record in the database
(login would be for User2 id and IP from User1 GET). So it looks as if the same
user logged in from two different IPs
 around the same time, which shouldn't be the case.
 I'm almost sure Struts always asks the object factory to create the action
 on each request. It is up to the object factory whether it creates a new
 object of that action or reuses a previous object of an action.
 So have you set any specific object factory via struts.xml?







Re: Struts2 login action class seems to be reused

2018-03-16 Thread Prasanth Pasala
We have a pretty standard struts.xml: just the declaration of the action and the
class along with the results (tiles results). Nothing other than that.

On 03/16/2018 11:55 AM, Yasser Zamani wrote:
>
> On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
>> We do have login time; using that and the IP we correlate it with the
>> access logs. Not all login entries have corresponding POST entries in the access
>> log, so those would be our problem occurrences.
>> They actually correspond to a GET entry from a user.
>>
>> IP of the GET request of User1 matches with the login record in the database
>> (login would be for User2 id and IP from User1 GET). So it looks as if the
>> same user logged in from two different IPs
>> around the same time, which shouldn't be the case.
> I'm almost sure Struts always asks the object factory to create the action
> on each request. It is up to the object factory whether it creates a new
> object of that action or reuses a previous object of an action.
> So have you set any specific object factory via struts.xml?
>
>



Re: Struts2 login action class seems to be reused

2018-03-16 Thread Yasser Zamani


On 3/16/2018 1:49 AM, Prasanth Pasala wrote:
> We do have login time; using that and the IP we correlate it with the
> access logs. Not all login entries have corresponding POST entries in the access
> log, so those would be our problem occurrences.
> They actually correspond to a GET entry from a user.
> 
> IP of the GET request of User1 matches with the login record in the database
> (login would be for User2 id and IP from User1 GET). So it looks as if the
> same user logged in from two different IPs
> around the same time, which shouldn't be the case.

I'm almost sure Struts always asks the object factory to create the action
on each request. It is up to the object factory whether it creates a new
object of that action or reuses a previous object of an action.
So have you set any specific object factory via struts.xml?



Re: Struts2 login action class seems to be reused

2018-03-15 Thread Prasanth Pasala
We do have login time; using that and the IP we correlate it with the access
logs. Not all login entries have corresponding POST entries in the access log, so
those would be our problem occurrences.
They actually correspond to a GET entry from a user.

IP of the GET request of User1 matches with the login record in the database
(login would be for User2 id and IP from User1 GET). So it looks as if the same
user logged in from two different IPs
around the same time, which shouldn't be the case.

Thanks,
Prasanth

On 03/15/2018 10:28 AM, Yasser Zamani wrote:
>
> On 3/15/2018 5:21 PM, Prasanth Pasala wrote:
>> User2 would have logged in some time before that, sometimes within a
>> minute before that. I haven't seen any requests from User2 exactly at the
>> time of the GET request from User1.
> It's strange :)
>
> Do the login log records have the same field values for both User1 and User2?
> Do you also have login time in there? If so, are they the same and are they
> consistent with access log times? Are their IPs the same (while they
> shouldn't be, right?)? Is the IP of the GET request of User1 (that is
> logged in the access log by the container) the same as the IP field value of
> your login log records?
>
> Thanks!
>
>



Re: Struts2 login action class seems to be reused

2018-03-15 Thread Yasser Zamani


On 3/15/2018 5:21 PM, Prasanth Pasala wrote:
> User2 would have logged in some time before that, sometimes within a minute
> before that. I haven't seen any requests from User2 exactly at the time of the
> GET request from User1.

It's strange :)

Do the login log records have the same field values for both User1 and User2?
Do you also have login time in there? If so, are they the same and are they
consistent with access log times? Are their IPs the same (while they
shouldn't be, right?)? Is the IP of the GET request of User1 (that is
logged in the access log by the container) the same as the IP field value of
your login log records?

Thanks!


Re: Struts2 login action class seems to be reused

2018-03-15 Thread Prasanth Pasala
User2 would have logged in some time before that, sometimes within a minute
before that. I haven't seen any requests from User2 exactly at the time of the
GET request from User1.

Thanks,
Prasanth

On 03/15/2018 04:45 AM, Yasser Zamani wrote:
>
> On 3/14/2018 5:43 PM, Prasanth Pasala wrote:
>> We had a user report it soon after the deployment. After that we started
>> looking into the specific user who reported (User1) and the user (whose
>> information was seen by the reporting user), say User2.
>> We realized there are login entries from the same IP for both of these users.
> As you get the IP address from the request (rather than the Struts action), it
> seems that the request (which contains username/password and that same IP
> address) is being reused.
>
>> In the access log of the server there was a POST request for User1 but at
>> the time of the login entry for User2 there was only a
>> GET request. In the timeline the GET request is first; User1 sees User2's
>> information, logs out and then logs in again with their credentials.
> At the time when there is a GET request for User1 and this issue
> happens, what are the logs for User2 at the same time?
>
> Thanks in advance!
>
>



Re: Struts2 login action class seems to be reused

2018-03-15 Thread Yasser Zamani


On 3/14/2018 5:43 PM, Prasanth Pasala wrote:
> We had a user report it soon after the deployment. After that we started
> looking into the specific user who reported (User1) and the user (whose
> information was seen by the reporting user), say User2.
> We realized there are login entries from the same IP for both of these users.

As you get the IP address from the request (rather than the Struts action), it
seems that the request (which contains username/password and that same IP
address) is being reused.

> In the access log of the server there was a POST request for User1 but at the
> time of the login entry for User2 there was only a
> GET request. In the timeline the GET request is first; User1 sees User2's
> information, logs out and then logs in again with their credentials.

At the time when there is a GET request for User1 and this issue
happens, what are the logs for User2 at the same time?

Thanks in advance!


Re: Struts2 login action class seems to be reused

2018-03-14 Thread Prasanth Pasala
We had a user report it soon after the deployment. After that we started
looking into the specific user who reported (User1) and the user (whose
information was seen by the reporting user), say User2.
We realized there are login entries from the same IP for both of these users. In
the access log of the server there was a POST request for User1 but at the time
of the login entry for User2 there was only a
GET request. In the timeline the GET request is first; User1 sees User2's
information, logs out and then logs in again with their credentials.

Thanks,
Prasanth

On 03/13/2018 11:41 PM, Yasser Zamani wrote:
>
> On 3/10/2018 1:22 AM, Prasanth Pasala wrote:
>> Ran tests with 1000 users logging in in 60sec while simultaneously 1000
>> users just requesting the login page in 60 sec to see if any of them would get
>> in without username/password. No luck. The system seems
>> to be working properly. Also tried increasing it to 2000; it still worked as
>> it should without the issue coming up.
>>
>> Would hot deployments cause any issue?
> Without reproducing it, it's hard to say why this issue happens rarely
> :( How did you discover it firstly? Was the incorrectly logged in user able
> to continue to other pages also as an authenticated user?
>
>



Re: Struts2 login action class seems to be reused

2018-03-13 Thread Yasser Zamani


On 3/10/2018 1:22 AM, Prasanth Pasala wrote:
> Ran tests with 1000 users logging in in 60sec while simultaneously 1000 users
> just requesting the login page in 60 sec to see if any of them would get in
> without username/password. No luck. The system seems
> to be working properly. Also tried increasing it to 2000; it still worked as
> it should without the issue coming up.
> 
> Would hot deployments cause any issue?

Without reproducing it, it's hard to say why this issue happens rarely
:( How did you discover it firstly? Was the incorrectly logged in user able
to continue to other pages also as an authenticated user?


Re: Struts2 login action class seems to be reused

2018-03-09 Thread Prasanth Pasala
Ran tests with 1000 users logging in in 60sec while simultaneously 1000 users
just requesting the login page in 60 sec to see if any of them would get in
without username/password. No luck. The system seems
to be working properly. Also tried increasing it to 2000; it still worked as it
should without the issue coming up.

Would hot deployments cause any issue?

Thanks,
Prasanth

On 03/08/2018 11:53 AM, Yasser Zamani wrote:
>
> On 3/8/2018 6:42 PM, Prasanth Pasala wrote:
>> Wish I was able to consistently reproduce it. I have two thread groups in
>> JMeter; one thread group requests the login page then logs in. Another thread
>> group just requests the login page. I have tried this
>> with 100 users, 250 users in each thread group. I have varied the ramp-up
>> times from 60sec to 300sec.
> I think this is not heavy enough to force a race condition on your web
> server. Use only one user which logs in and logs out in a loop. Then,
> on the other side, increase users (threads) and decrease the ramp-up time
> as much as you can without your system hanging. I remember I was able to ramp
> up 300 users (threads) in 15 seconds on my system.
>
> Regards.
>
>



Re: Struts2 login action class seems to be reused

2018-03-08 Thread Yasser Zamani


On 3/8/2018 6:42 PM, Prasanth Pasala wrote:
> Wish I was able to consistently reproduce it. I have two thread groups in
> JMeter; one thread group requests the login page then logs in. Another thread
> group just requests the login page. I have tried this
> with 100 users, 250 users in each thread group. I have varied the ramp-up
> times from 60sec to 300sec.

I think this is not heavy enough to force a race condition on your web
server. Use only one user which logs in and logs out in a loop. Then,
on the other side, increase users (threads) and decrease the ramp-up time
as much as you can without your system hanging. I remember I was able to ramp
up 300 users (threads) in 15 seconds on my system.

Regards.


Re: Struts2 login action class seems to be reused

2018-03-08 Thread Prasanth Pasala
Wish I was able to consistently reproduce it. I have two thread groups in
JMeter; one thread group requests the login page then logs in. Another thread
group just requests the login page. I have tried this
with 100 users, 250 users in each thread group. I have varied the ramp-up times
from 60sec to 300sec. I have been trying this for the last 10 days. I was
successful in reproducing it only during one
run, which had 100 users and two of the requests for the login page (no
username/password) made login entries and got the home page.

I will keep trying. If I can't reproduce it more often, one solution I am
thinking of is comparing the username/password in the action class with the
values in the request object itself. If they are
different I can send an email with the information and not log in the user.

Thanks,
Prasanth

On 03/08/2018 03:13 AM, Yasser Zamani wrote:
>
> On 3/7/2018 11:23 PM, Prasanth Pasala wrote:
>> If it is a session crossover we would display another user's information
>> without making a login entry. In the cases where we had the issue the code
>> recognized that there is no active session and went to the
>> authentication part, authenticated the user and made a database entry for
>> successful login. The authentication is based on the form variables
>> populated by Struts into the action class.
> Ahaa... so, currently the only thing I can imagine is maybe this issue
> arises when you have two simultaneous requests: one with
> username/password parameters, the other without (and both without any
> active session). Could you please verify this with a lot of such pairs of
> simultaneous requests using JMeter? i.e. create two simultaneous
> requests, one of them containing username/password, the other one not.
> Add an assertion to the other one which checks if the issue occurs.
> Then tell JMeter to run this pair a lot of times, concurrently.
>
> I hope you'll be able to reproduce the issue, which is half of the
> resolution :)
>
> Regards.
>
> -
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>



Re: Struts2 login action class seems to be reused

2018-03-08 Thread Yasser Zamani


On 3/7/2018 11:23 PM, Prasanth Pasala wrote:
> If it is a session crossover we would display another user's information
> without making a login entry. In the cases where we had the issue the code
> recognized that there is no active session and went to the
> authentication part, authenticated the user and made a database entry for
> successful login. The authentication is based on the form variables populated
> by struts into the action class.

Ahaa... so, currently the only thing I can imagine is maybe this issue
arises when you have two simultaneous requests: one with
username/password parameters, the other without (and both without any
active session). Could you please verify this with a lot of such pairs of
simultaneous requests using JMeter? i.e. create two simultaneous
requests, one of them containing username/password, the other one not.
Add an assertion to the other one which checks if the issue occurs.
Then tell JMeter to run this pair a lot of times, concurrently.

I hope you'll be able to reproduce the issue, which is half of the
resolution :)

Regards.


Re: Struts2 login action class seems to be reused

2018-03-07 Thread Prasanth Pasala
Thanks for looking into this Yasser. In the current setup we have, we don't
have a cluster; it is the only server handling all requests.

If it is a session crossover we would display another user's information without
making a login entry. In the cases where we had the issue the code recognized
that there is no active session and went to the authentication part,
authenticated the user and made a database entry for successful login. The
authentication is based on the form variables populated by struts into the
action class.

Thanks,
Prasanth

On 03/07/2018 01:22 PM, Yasser Zamani wrote:
>
> On 3/7/2018 7:34 PM, Prasanth wrote:
>> I can't say that 2 percent of users were able to get in without
>> username/password. I have run the JMeter tests a lot of times (each run
>> with 100 users); only during one of those runs of JMeter did I
>> have 2 requests get the user's home page when Login.action was requested
>> (without username/password).
>>
>> Below is the Login.action code. I removed the code that fetches the data for
>> the home page.
> Thanks! I see you use session also.
>
> Looks like a bug with Undertow web server [1]. I'm not familiar with it
> so you may open an issue there and copy paste this thread there. They
> may have some idea as it seems they have similar issues with session
> which I linked below.
>
> Good luck.
>
> [1]
> https://issues.jboss.org/browse/JBEAP-6683?focusedCommentId=13340535=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13340535
>



Re: Struts2 login action class seems to be reused

2018-03-07 Thread Yasser Zamani


On 3/7/2018 7:34 PM, Prasanth wrote:
> I can't say that 2 percent of users were able to get in without
> username/password. I have run the JMeter tests a lot of times (each run
> with 100 users); only during one of those runs of JMeter did I
> have 2 requests get the user's home page when Login.action was requested
> (without username/password).
> 
> Below is the Login.action code. I removed the code that fetches the data for
> the home page.

Thanks! I see you use session also.

Looks like a bug with Undertow web server [1]. I'm not familiar with it
so you may open an issue there and copy paste this thread there. They
may have some idea as it seems they have similar issues with session
which I linked below.

Good luck.

[1]
https://issues.jboss.org/browse/JBEAP-6683?focusedCommentId=13340535=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13340535



Re: Struts2 login action class seems to be reused

2018-03-07 Thread Prasanth
/context1 is used just for directing users to the right application (or
context). The session is really maintained by /context2. Users can log in
directly in /context2 or they can input username and password in /context1 and
they will be forwarded to the right context, one of which is /context2. So the
login information could come to /context2/Login.action via a direct POST to
this action or via a forwarded request from /context1.

The testing I have done is completely on /context2. Have some users log in at
/context2/Login.action while JMeter tries to access /context2/Login.action and
another action /context2/PlanList.action (requests to any action other than
Login.action will get forwarded to Login.action if the user is not yet logged
in). So a direct request to /context/PlanList.action will end up at
/context2/Login.action.

I can't say that 2 percent of users were able to get in without
username/password. I have run the JMeter tests a lot of times (each run with
100 users); only during one of those runs of JMeter did I have 2 requests get
the user's home page when Login.action was requested (without
username/password).

Below is the Login.action code. I removed the code that fetches the data for
the home page.

Thanks,
Prasanth


import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
import org.apache.struts2.interceptor.ServletRequestAware;

public class LoginAction implements ServletRequestAware {

    Logger log = Logger.getLogger(this.getClass());
    private HttpServletRequest request;

    private String message  = "";
    private String username = "";
    private String password = "";
    private String action   = "";

    // REQUIRED BY ServletRequestAware; NOT INCLUDED IN THE POSTED EXCERPT
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    // SETTERS THROUGH WHICH STRUTS POPULATES THE FORM VARIABLES, AND THE
    // GETTER FOR THE LOGIN PAGE MESSAGE; NOT INCLUDED IN THE POSTED EXCERPT
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
    public void setAction(String action)     { this.action = action; }
    public String getMessage()               { return message; }

    public String execute() throws Exception {

        String result = null;
        boolean displaySuccessPage = false;

        // SEE IF THE USER SESSION IS ALREADY THERE, IN WHICH CASE NO NEED TO DISPLAY LOGIN PAGE
        // MOVE TO SUCCESS PAGE
        Long censusID = null;
        HttpSession session = request.getSession(false);
        if(session != null) {
            if(session.getAttribute("username") != null && session.getAttribute("CensusID") != null) {
                // GET THE CENSUS ID AND DISPLAY SUCCESS PAGE
                censusID = (Long) session.getAttribute("CensusID");
                // && RATHER THAN THE POSTED &: THE NON-SHORT-CIRCUIT & WOULD UNBOX A NULL censusID
                if(censusID != null && censusID > 0) {
                    // JUST MADE SURE THAT WE HAVE A VALID CENSUS ID
                    displaySuccessPage = true;
                }
            }
        }

        // IF ACTION IS LOGOUT THEN LOGOUT THE USER
        // OR IF THE USER DECLINES DISCLAIMER
        if(  ("Logout".equals(action) || "Decline".equals(action)) ||
                (request.getParameter("Submit") != null && request.getParameter("Submit").trim().equals("Logout"))){

            // INVALIDATE THE SESSION
            request.getSession().invalidate();
            message = "You have been successfully logged out";
            username = "";
            password = "";
            displaySuccessPage = false;
            result = "secure";
        }
        // IF THE PARTICIPANT HAS ACCEPTED THE DISCLAIMER UPDATE THE DATABASE
        else if("Accept".equals(action)) {
            censusID = (Long) request.getSession().getAttribute("_CensusID");
            if(censusID != null) {
                Utils.updateDisclaimerCode(censusID);
                // SET THE USERNAME & CENSUSID. REMOVE THE TEMPORARY VARIABLES
                request.getSession().setAttribute("username", request.getSession().getAttribute("_username"));
                request.getSession().setAttribute("CensusID", request.getSession().getAttribute("_CensusID"));
                request.getSession().removeAttribute("_username");
                request.getSession().removeAttribute("_CensusID");
                request.getSession().setAttribute("dispContactInfo", Plans.getDisplayContactInfoCode(censusID));
                displaySuccessPage = true;
            }
        }
        // IF USER IS NOT ALREADY AUTHENTICATED
        else if(!displaySuccessPage){
            // IF USERNAME IS NOT PROVIDED DISPLAY LOGIN PAGE
            if(username.equals("")){
                request.getSession().setAttribute("maintenanceMessage", Utils.getMaintenanceMessage()[0]);
                request.getSession().setAttribute("suppressLogin", Boolean.parseBoolean(Utils.getMaintenanceMessage()[1]));
                result = "login";
            }
            else{
                // USER NAME SPECIFIED SO TRY TO AUTHENTICATE
                //GET THE IPADDRESS OF THE CLIENT
                String remoteHost = request.getHeader("X-FORWARDED-FOR");
                if(remoteHost == null || "".equals(remoteHost.trim())) {
                    remoteHost = request.getRemoteAddr();
                }
                //AUTHENTICATE USER
                censusID = Utils.authenticate(username, password, remoteHost);
                if(censusID == -1) {
                    message = "Invalid username/password specified";
                    result = "failed";
                }
                // THE POSTED EXCERPT ENDS HERE; THE SUCCESSFUL-LOGIN BRANCH WAS CUT OFF IN THE ARCHIVE
            }
        }
        return result;
    }
}
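An added example, not code from this thread or from the Struts project: a hardened variant of the authentication path in the LoginAction posted above. It shows two defences. The action exposes no getters for username, password or action, so Struts' ChainingInterceptor, which copies the readable properties of the previous action on the value stack into the next action, has nothing to copy; and execute() cross-checks the bound fields against the raw request parameters and refuses to authenticate on any mismatch, which is the check Prasanth proposes in his 2018-03-08 message. Utils.authenticate is the application's own method from the posted code and is not defined here; the package name and the "failed"/"login"/"success" result names are assumptions. The Logout and Accept branches of the posted action are left out to keep the example short.

```java
// Added example (hypothetical package): hardened authentication path for the
// posted LoginAction. Assumes Utils.authenticate(user, pass, remoteHost) from
// the thread, returning -1 on failure.
package example.login;

import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
import org.apache.struts2.interceptor.ServletRequestAware;

public class HardenedLoginAction implements ServletRequestAware {

    private static final Logger log = Logger.getLogger(HardenedLoginAction.class);

    private HttpServletRequest request;
    private String message  = "";
    private String username = "";
    private String password = "";
    private String action   = "";

    // Setters only. The params interceptor binds form fields through setters,
    // but ChainingInterceptor can only copy what a getter exposes, so with no
    // getters a stale username/password cannot be copied into this action
    // from an earlier action left on the value stack.
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
    public void setAction(String action)     { this.action = action; }

    // The only readable property: the error text rendered by login.jsp.
    public String getMessage() { return message; }

    @Override
    public void setServletRequest(HttpServletRequest request) { this.request = request; }

    public String execute() {
        // Defence 1: nothing survives from a previous use of this object.
        message = "";

        // Defence 2: the bound fields must equal what THIS request carries.
        // A mismatch means the values came from somewhere other than the
        // current request, so refuse to authenticate and record the event.
        if (!fieldsMatchRequest()) {
            log.error("LoginAction fields do not match request parameters; refusing login from "
                    + request.getRemoteAddr());
            username = "";
            password = "";
            message  = "Login could not be processed, please try again";
            return "failed";
        }

        if (alreadyAuthenticated()) {
            return "success";
        }
        if (username.isEmpty()) {
            return "login";                       // no credentials: show the form
        }
        Long censusID = Utils.authenticate(username, password, request.getRemoteAddr());
        if (censusID == null || censusID == -1) {
            message = "Invalid username/password specified";
            return "failed";
        }
        // Discard any pre-login session and start a fresh one so that a
        // session id handed out before authentication never becomes a
        // logged-in session (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("username", username);
        session.setAttribute("CensusID", censusID);
        return "success";
    }

    // Compares each bound field with the raw parameter of the same name; an
    // absent parameter is equivalent to the field's initial value "".
    boolean fieldsMatchRequest() {
        return Objects.equals(param("username"), username)
            && Objects.equals(param("password"), password)
            && Objects.equals(param("action"),   action);
    }

    private String param(String name) {
        String v = request.getParameter(name);
        return v == null ? "" : v;
    }

    private boolean alreadyAuthenticated() {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Long censusID = (Long) session.getAttribute("CensusID");
        return session.getAttribute("username") != null && censusID != null && censusID > 0;
    }
}
```

The posted action logs the X-FORWARDED-FOR header as the client address when it is present; that header is supplied by the client unless a proxy you control overwrites it, so the example records request.getRemoteAddr() instead. If the deployment sits behind a trusted reverse proxy, read the header only from that proxy's connections.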
       

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Yasser Zamani


On 3/6/2018 9:42 PM, Prasanth Pasala wrote:
> In StrutsPrepareAndExecuteFilter below is the line that gets the action 
> mapping, since the forceLookup is set to true the PrepareOperations class 
> might be creating it again.
> ActionMapping mapping = prepare.findActionMapping(request, response, true);

Thanks a lot! This explains why you don't get an exception. So, please
let's forget this sub-thread and follow up the resolution in my other
email in the main thread.

Thanks.


Re: Struts2 login action class seems to be reused

2018-03-07 Thread Yasser Zamani


On 3/5/2018 7:48 PM, Prasanth wrote:
> For replicating the issue I was directly accessing /context2/Login.action. So 
> /context1 was not used in testing.

Please let me repeat what I understood: when some users are signed in
to /context1, you browse /context2/Login.action via JMeter empty
requests, but about 2 percent of them successfully sign in to /context2!

Did I understand the issue correctly? If so, it's very odd ... and I
like strange issues :)

Does this issue also happen even when no one is signed in to
/context1? If so, does this issue also happen when /context1 is stopped
(i.e. /context2 never gets any forwarded request from /context1)?
I ask these to know if this issue is dependent on the app on /context1
or not.

I see you use the Undertow web server and I reviewed it and saw it's a highly
non-blocking async web server. Then ... please add a hidden field to
your login.jsp whose value will be
request.getParameter("testIfStrutsReusesAction"). In JMeter add
testIfStrutsReusesAction=JMeter to your request parameters. Then re-run
JMeter and see if those two successful requests have a hidden field with
value "JMeter" in their response (also check that the other requests
have this hidden field, otherwise there is a problem in your implementation
of these). I ask these to know if that successful response is really a
response for your JMeter request!

If none of the above are helpful, then could you please share
/context2/Login.action? I need to see how you authenticate. Only via
request params? Or does session or something else make sense also?

Regards.
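A stand-alone Java version of the two checks Yasser asks for, added here as an example; it is not code from the thread, from JMeter or from Struts. It combines the hidden-field echo test from this message with the simultaneous credential/no-credential request pairs from his 2018-03-08 message: each pair is released at the same instant, and the credential-less response is then inspected for the post-login home page (a state leak) or for a missing echo of its own probe value (a response that was not rendered for this request). BASE_URL, TEST_USER, TEST_PASS, HOME_MARKER and the exact hidden-field markup are placeholders to adapt to the deployment; the code needs Java 11 or later for java.net.http.

```java
// Added example: concurrency check for action-state leakage on Login.action.
// Not code from the thread. BASE_URL, TEST_USER, TEST_PASS and HOME_MARKER are
// assumptions to adapt to your deployment.
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class LoginStateLeakCheck {

    static final String BASE_URL    = "http://localhost:8080/context2"; // assumption
    static final String TEST_USER   = "testuser";                       // assumption: a throwaway test account
    static final String TEST_PASS   = "testpass";                       // assumption (ASCII only, not URL-encoded here)
    static final String HOME_MARKER = "PlanList.action";                // assumption: appears only on the home page
    static final int    PAIRS       = 500;

    public static void main(String[] args) throws Exception {
        // Reject all cookies so that neither half of a pair ever carries a
        // session: a "logged in" response to the empty request then cannot be
        // explained by session reuse, only by state carried inside the server.
        HttpClient client = HttpClient.newBuilder()
                .cookieHandler(new CookieManager(null, CookiePolicy.ACCEPT_NONE))
                .build();

        ExecutorService pool = Executors.newFixedThreadPool(2);
        CyclicBarrier gate = new CyclicBarrier(2);   // releases both requests of a pair together
        int leaked = 0;
        int mismatched = 0;

        for (int i = 0; i < PAIRS; i++) {
            final String probe = "probe-" + i;        // unique tag for this empty request
            Future<HttpResponse<String>> withCreds = pool.submit(() -> {
                gate.await();
                return client.send(loginPost(), HttpResponse.BodyHandlers.ofString());
            });
            Future<HttpResponse<String>> noCreds = pool.submit(() -> {
                gate.await();
                return client.send(loginGet(probe), HttpResponse.BodyHandlers.ofString());
            });
            withCreds.get();
            String body = noCreds.get().body();

            if (looksLoggedIn(body)) {
                // A request with no credentials received the home page.
                leaked++;
                System.out.println("pair " + i + ": credential-less request got the home page");
            } else if (!echoesProbe(body, probe)) {
                // A login page that does not carry our probe was not rendered for this request.
                mismatched++;
                System.out.println("pair " + i + ": login page does not echo " + probe);
            }
        }
        pool.shutdown();
        System.out.println(leaked + " leaked, " + mismatched + " mismatched, out of " + PAIRS + " pairs");
    }

    // POST with credentials, as the browser form would send them.
    static HttpRequest loginPost() {
        return HttpRequest.newBuilder(URI.create(BASE_URL + "/Login.action"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(
                        "username=" + TEST_USER + "&password=" + TEST_PASS + "&Submit=Login"))
                .build();
    }

    // GET with no credentials, tagged so the login.jsp hidden field can echo it back.
    static HttpRequest loginGet(String probe) {
        return HttpRequest.newBuilder(
                URI.create(BASE_URL + "/Login.action?testIfStrutsReusesAction=" + probe))
                .GET()
                .build();
    }

    // Assumes login.jsp renders
    //   <input type="hidden" name="testIfStrutsReusesAction" value="...">
    // with the request parameter as its value (HTML-escaped; probe values are plain ASCII).
    static boolean echoesProbe(String body, String probe) {
        return body != null && body.contains("value=\"" + probe + "\"");
    }

    static boolean looksLoggedIn(String body) {
        return body != null && body.contains(HOME_MARKER);
    }
}
```

Run it against a test deployment only, with a dedicated test account. Any non-zero "leaked" count is the defect the thread describes and should fail the build; "mismatched" counts point at response/request mix-ups in the forwarding path rather than at the action itself.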


Re: Struts2 login action class seems to be reused

2018-03-07 Thread Prasanth Pasala
I am not defining any default action.

I would get the below exception if I set the ActionMapping to null. For some
reason the object doesn't go away if I set it to null. After setting it to
null using request.setAttribute("struts.actionMapping", null); I can still get
it using getAttribute. The object remains even if I do removeAttribute.

11:57:27,509 ERROR [stderr] (default task-32) Caused by: java.lang.ClassCastException: org.apache.struts2.dispatcher.mapper.ActionMapping cannot be cast to org.apache.struts2.dispatcher.mapper.ActionMapping
11:57:27,509 ERROR [stderr] (default task-32)     at org.apache.struts2.dispatcher.ng.PrepareOperations.findActionMapping(PrepareOperations.java:163)
11:57:27,509 ERROR [stderr] (default task-32)     at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:92)
11:57:27,509 ERROR [stderr] (default task-32)     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
11:57:27,509 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
11:57:27,509 ERROR [stderr] (default task-32)     at com.x.xx.LoginFilter.doFilter(LoginFilter.java:52)
11:57:27,509 ERROR [stderr] (default task-32)     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
11:57:27,510 ERROR [stderr] (default task-32)     at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
11:57:27,510 ERROR [stderr] (default task-32)     ... 128 more

Below is what I see by displaying the 
request.getAttribute("struts.actionMapping") after removeAttribute or after 
setting it to null.
ActionMapping{name='Login', namespace='/', method='null', extension='action', 
params={}, result=null}

In StrutsPrepareAndExecuteFilter below is the line that gets the action 
mapping, since the forceLookup is set to true the PrepareOperations class might 
be creating it again.
ActionMapping mapping = prepare.findActionMapping(request, response, true);


---PrepareOperations---
public ActionMapping findActionMapping(HttpServletRequest request, HttpServletResponse response, boolean forceLookup) {
    ActionMapping mapping = (ActionMapping) request.getAttribute(STRUTS_ACTION_MAPPING_KEY);
    if (mapping == null || forceLookup) {
        try {
            mapping = dispatcher.getContainer().getInstance(ActionMapper.class).getMapping(request, dispatcher.getConfigurationManager());
            if (mapping != null) {
                request.setAttribute(STRUTS_ACTION_MAPPING_KEY, mapping);
            }
        } catch (Exception ex) {
            if (dispatcher.isHandleException() || dispatcher.isDevMode()) {
                dispatcher.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, ex);
            }
        }
    }

    return mapping;
}
--

Thanks,
Prasanth


On 03/05/2018 11:49 AM, Yasser Zamani wrote:
>
> On 3/5/2018 7:48 PM, Prasanth wrote:
>> But the Login filter had the below lines to make sure forwarded requests 
>> from /context1
>> would work.
>>
>> request.setAttribute("struts.actionMapping", new ActionMapping());
> Please let me discuss this line first of all. I'm still surprised how
> context2 app works with this line! I expect you always get
> ConfigurationException or get the result of the default action. Have you
> set this filter pattern to being applied only on /Login.action? If so,
> still you should get 

Re: Struts2 login action class seems to be reused

2018-03-07 Thread Prasanth Pasala
I am not using Spring. Using Struts1, Struts 2 (2.3.34), tiles 2.0.4

On 03/05/2018 11:57 AM, Adam Brin wrote:
> What are the annotations on the class?  Is it possible that you're using
> Spring, and not declaring "prototype" scope, e.g.:
>
> @Scope("prototype")
>
> On Mon, Mar 5, 2018 at 10:49 AM, Yasser Zamani 
> wrote:
>
>>
>> On 3/5/2018 7:48 PM, Prasanth wrote:
>>> But the Login filter had the below lines to make sure forwarded requests
>> from /context1
>>> would work.
>>>
>>> request.setAttribute("struts.actionMapping", new ActionMapping());
>> Please let me discuss this line first of all. I'm still surprised how
>> the context2 app works with this line! I expect you would always get a
>> ConfigurationException or get the result of the default action. Have you
>> set this filter pattern to be applied only on /Login.action? If so,
>> you should still get a ConfigurationException or get the result of the
>> default action (is /Login.action the default?). Or maybe you have put these
>> two lines in an if statement like if(request has these attributes){...}?
>> If not, then please do this: an if statement for each line.
>>
>> Could you please try `request.setAttribute("struts.actionMapping",
>> null)`? Then post back the exception if any (I don't expect any). You
>> should set it to null or remove the attribute. Any other code is wrong.
>>
>> Regards.
>>
>>
>



Re: Struts2 login action class seems to be reused

2018-03-05 Thread Adam Brin
What are the annotations on the class?  Is it possible that you're using
Spring, and not declaring "prototype" scope, e.g.:

@Scope("prototype")

On Mon, Mar 5, 2018 at 10:49 AM, Yasser Zamani 
wrote:

>
>
> On 3/5/2018 7:48 PM, Prasanth wrote:
> > But the Login filter had the below lines to make sure forwarded requests
> from /context1
> > would work.
> >
> > request.setAttribute("struts.actionMapping", new ActionMapping());
>
> Please let me discuss this line first of all. I'm still surprised how
> the context2 app works with this line! I expect you would always get a
> ConfigurationException or get the result of the default action. Have you
> set this filter pattern to be applied only on /Login.action? If so,
> you should still get a ConfigurationException or get the result of the
> default action (is /Login.action the default?). Or maybe you have put these
> two lines in an if statement like if(request has these attributes){...}?
> If not, then please do this: an if statement for each line.
>
> Could you please try `request.setAttribute("struts.actionMapping",
> null)`? Then post back the exception if any (I don't expect any). You
> should set it to null or remove the attribute. Any other code is wrong.
>
> Regards.
>
>


-- 
_
Adam Brin
Director of Technology, Digital Antiquity
480.965.1278


Re: Struts2 login action class seems to be reused

2018-03-05 Thread Yasser Zamani


On 3/5/2018 7:48 PM, Prasanth wrote:
> But the Login filter had the below lines to make sure forwarded requests from 
> /context1
> would work.
> 
> request.setAttribute("struts.actionMapping", new ActionMapping());

Please let me discuss this line first of all. I'm still surprised how
the context2 app works with this line! I expect you would always get a
ConfigurationException or get the result of the default action. Have you
set this filter pattern to be applied only on /Login.action? If so,
you should still get a ConfigurationException or get the result of the
default action (is /Login.action the default?). Or maybe you have put these
two lines in an if statement like if(request has these attributes){...}?
If not, then please do this: an if statement for each line.

Could you please try `request.setAttribute("struts.actionMapping",
null)`? Then post back the exception if any (I don't expect any). You
should set it to null or remove the attribute. Any other code is wrong.

Regards.



Re: Struts2 login action class seems to be reused

2018-03-05 Thread Prasanth
Yes, the login page is always accessible. Direct JSP access is not allowed; it
has to go through the actions. When a user requests /Login.action the login JSP
page is displayed. When the user submits username and password (POST to
Login.action) the user is authenticated and the home page is displayed by
Login.action. Since the same action handles both displaying the login page and
validating, if the values are already present (username, password, value of the
button clicked) the action will authenticate the user and display the home page,
and as it does this it will make a database entry saying user xyz has logged in.

Actual Setup:
Application 1: /context1   --- Users can log in here and they will be forwarded
to context2. This application uses struts 2.5.14
Application 2: /context2   --- Users can log in directly in /context2 (in which
case no forwarding). This application uses struts 2.3.34 for login and other
actions. There are a few actions in struts1 also.

For replicating the issue I was directly accessing /context2/Login.action. So 
/context1 was not used in testing. But the Login filter had the below lines to 
make sure forwarded requests from /context1
would work.

request.setAttribute("struts.actionMapping", new ActionMapping());
request.setAttribute("struts.valueStack", null);

The request object type is io.undertow.servlet.spec.HttpServletRequestImpl

Thanks,
Prasanth


On 03/03/2018 04:14 AM, Yasser Zamani wrote:
> On 3/3/2018 12:37 AM, Prasanth Pasala wrote:
>> I was able to replicate the issue today. Asked a few users to keep logging in
>> and ran jmeter to access the login page, without putting in any username or
>> password. Out of the 100 attempts 2 attempts were
>> successful in getting in without username/password. I am seeing database
>> login entries for these two, which would happen only if a valid session is
>> not present and the user has provided username/password.
> Shouldn't the login page always be accessible? How do you try to access the
> login page, calling the jsp directly? Or the action? How do you authenticate
> that access attempt, via session values? Via request parameters and querying
> the database?
>
>> Not sure if the behavior is a side effect of having the below lines.
>>
>> request.setAttribute("struts.actionMapping", new 
>> ActionMapping());   
>> request.setAttribute("struts.valueStack", null);
> Not these lines, but I guess you may also remove more things from the
> forwarded request (e.g. session). Could you please print
> request.toString before these lines to see what type it is? Could you
> serialize the request to an XML to see all values stored in that request?
> Anyway, like you, I also think this issue is because of forwarding the
> request from Struts1 to Struts2.
>
> Regards.
>
>



Re: Struts2 login action class seems to be reused

2018-03-03 Thread Yasser Zamani


On 3/3/2018 12:37 AM, Prasanth Pasala wrote:
> I was able to replicate the issue today. Asked a few users to keep logging in
> and ran jmeter to access the login page, without putting in any username or
> password. Out of the 100 attempts 2 attempts were
> successful in getting in without username/password. I am seeing database
> login entries for these two, which would happen only if a valid session is
> not present and the user has provided username/password.

Shouldn't the login page always be accessible? How do you try to access the
login page, calling the jsp directly? Or the action? How do you authenticate
that access attempt, via session values? Via request parameters and querying
the database?

> Not sure if the behavior is a side effect of having the below lines.
> 
> request.setAttribute("struts.actionMapping", new 
> ActionMapping());   
> request.setAttribute("struts.valueStack", null);

Not these lines, but I guess you may also remove more things from the
forwarded request (e.g. session). Could you please print
request.toString before these lines to see what type it is? Could you
serialize the request to an XML to see all values stored in that request?
Anyway, like you, I also think this issue is because of forwarding the
request from Struts1 to Struts2.

Regards.



Re: Fwd: Re: Struts2 login action class seems to be reused

2018-03-02 Thread Prasanth

Hi Norbert,

Struts1 actions are thread safe (no instance variables). The login 
action has been moved to Struts2 with instance variables for username and 
password, and the issue is coming up with this new struts2 action, which 
is used for both displaying the login page and also taking username/password 
when the form is submitted.


Thanks,
Prasanth

On 3/2/2018 5:55 PM, Norbert Hirneisen wrote:

Hi Prasanth,

are you sure all your struts1 code is thread safe? I had some similar
problems in a struts1 application. After removing all action class
properties the problem was solved. Struts2 should be thread safe. But
your problem looks to me like a problem with thread safety.

Best regards,

Norbert

science + communication & HaNo Systems

Bonn/Ho-Chi-Minh


Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:
I was able to replicate the issue today. Asked a few users to keep 
logging in and ran jmeter to access the login page, without putting in any 
username or password. Out of the 100 attempts 2 attempts were
successful in getting in without username/password. I am seeing 
database login entries for these two, which would happen only if a 
valid session is not present and the user has provided username/password.


Thanks,
Prasanth

On 03/01/2018 02:27 PM, Prasanth wrote:

Hi,

I have an application which uses both struts1 & struts2. The login 
action was recently moved to struts2. Immediately after the 
deployment we were notified that one user was seeing a different user's
information, so we had to move back to the older war files. I am not able to 
replicate it. But after investigating the logs it seems like a couple of 
users were logged in as soon as they requested the login page.
For the database entry to happen it has to verify the username and 
password in the action class, but the fact that there is no POST 
entry at that time from that IP in my access log makes me believe
that the action class somehow already had that information from a 
prior user.


I do have a login filter to check if users are logged in when 
accessing other pages. In this filter I have the below two lines; we 
had to do this as we will have requests forwarded from one
application to another and when that happens we are getting a class 
cast exception for the ActionMapping class and valueStack. Not sure if 
the behavior is a side effect of having the below lines.


 request.setAttribute("struts.actionMapping", new 
ActionMapping());

 request.setAttribute("struts.valueStack", null);

We are using Struts 2.3.34 and Wildfly.

Appreciate any insights you might have.

Thanks,
Prasanth










Fwd: Re: Struts2 login action class seems to be reused

2018-03-02 Thread Norbert Hirneisen

Hi Prasanth,

are you sure all your struts1 code is thread safe? I had some similar
problems in a struts1 application. After removing all action class
properties the problem was solved. Struts2 should be thread safe. But
your problem looks to me like a problem with thread safety.

Best regards,

Norbert

science + communication & HaNo Systems

Bonn/Ho-Chi-Minh


Am 02.03.2018 um 22:07 schrieb Prasanth Pasala:

I was able to replicate the issue today. Asked a few users to keep logging in and 
ran jmeter to access the login page, without putting in any username or password. Out 
of the 100 attempts 2 attempts were
successful in getting in without username/password. I am seeing database login 
entries for these two, which would happen only if a valid session is not 
present and the user has provided username/password.

Thanks,
Prasanth

On 03/01/2018 02:27 PM, Prasanth wrote:

Hi,

I have an application which uses both struts1 & struts2. The login action was 
recently moved to struts2. Immediately after the deployment we were notified that 
one user was seeing a different user's
information, so we had to move back to the older war files. I am not able to replicate 
it. But after investigating the logs it seems like a couple of users were logged in 
as soon as they requested the login page.
For the database entry to happen it has to verify the username and password in 
the action class, but the fact that there is no POST entry at that time from 
that IP in my access log makes me believe
that the action class somehow already had that information from a prior user.

I do have a login filter to check if users are logged in when accessing other 
pages. In this filter I have the below two lines; we had to do this as we will 
have requests forwarded from one
application to another and when that happens we are getting a class cast 
exception for the ActionMapping class and valueStack. Not sure if the behavior is a 
side effect of having the below lines.

             request.setAttribute("struts.actionMapping", new ActionMapping());
             request.setAttribute("struts.valueStack", null);

We are using Struts 2.3.34 and Wildfly.

Appreciate any insights you might have.

Thanks,
Prasanth










Re: Struts2 login action class seems to be reused

2018-03-02 Thread Prasanth Pasala
I was able to replicate the issue today. Asked a few users to keep logging in and 
ran jmeter to access the login page, without putting in any username or password. Out 
of the 100 attempts 2 attempts were
successful in getting in without username/password. I am seeing database login 
entries for these two, which would happen only if a valid session is not 
present and the user has provided username/password.

Thanks,
Prasanth

On 03/01/2018 02:27 PM, Prasanth wrote:
> Hi,
>
> I have an application which uses both struts1 & struts2. The login action was 
> recently moved to struts2. Immediately after the deployment we were notified 
> that one user was seeing a different user's
> information, so we had to move back to the older war files. I am not able to replicate 
> it. But after investigating the logs it seems like a couple of users were logged 
> in as soon as they requested the login page.
> For the database entry to happen it has to verify the username and password 
> in the action class, but the fact that there is no POST entry at that time 
> from that IP in my access log makes me believe
> that the action class somehow already had that information from a prior user.
>
> I do have a login filter to check if users are logged in when accessing other 
> pages. In this filter I have the below two lines; we had to do this as we 
> will have requests forwarded from one
> application to another and when that happens we are getting a class cast 
> exception for the ActionMapping class and valueStack. Not sure if the behavior is 
> a side effect of having the below lines.
>
>             request.setAttribute("struts.actionMapping", new 
> ActionMapping());       
>             request.setAttribute("struts.valueStack", null);
>
> We are using Struts 2.3.34 and Wildfly.
>
> Appreciate any insights you might have.
>
> Thanks,
> Prasanth
>
>