Posted to commits@cayenne.apache.org by "Andrus Adamchik (JIRA)" <ji...@apache.org> on 2012/09/15 04:09:07 UTC

[jira] [Closed] (CAY-1739) Cayenne ROP server resets session on every request if BASIC auth is used

     [ https://issues.apache.org/jira/browse/CAY-1739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrus Adamchik closed CAY-1739.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 3.2M1
                   3.1B2

A workaround for Tomcat. Just add a context.xml file to the META-INF/ dir of the webapp, with the following contents:

<Context>
	<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" 
			changeSessionIdOnAuthentication="false" />
</Context>

This is also placed in 3.1 and 3.2 docs, and added to the tutorial code. In the future we may do something more advanced: http://markmail.org/message/56xqsclrx3s7ivrp
                
> Cayenne ROP server resets session on every request if BASIC auth is used
> ------------------------------------------------------------------------
>
>                 Key: CAY-1739
>                 URL: https://issues.apache.org/jira/browse/CAY-1739
>             Project: Cayenne
>          Issue Type: Bug
>    Affects Versions: 3.1B1
>            Reporter: Andrus Adamchik
>            Assignee: Andrus Adamchik
>             Fix For: 3.1B2, 3.2M1
>
>
> Per http://stackoverflow.com/questions/12314857/apache-cayenne-rop-server-no-session-associated-with-request-on-tomcat-7 Tomcat 7 resets HTTP session on every ROP request resulting in a loss of state on the client. 
> I reproduced that on Tomcat 7 and Jetty 8. Jetty 6 works correctly. 
> Debugging on Jetty shows that if BASIC auth is present, container invalidates the existing session and creates a new one during auth credentials checking phase. So it goes like this:
> 1. Connect ... session1 is established
> 2. Bootstrap ... session1 cookie is accepted, but session is immediately invalidated and session2 is created
> 3. Commit ... Client still sends session1 cookie, while the server expects session2, causing an exception:
> org.apache.cayenne.remote.service.MissingSessionException: [v.3.2M1-SNAPSHOT Sep 10 2012 23:14:19] No session associated with request.
> 	at org.apache.cayenne.remote.service.BaseRemoteService.processMessage(BaseRemoteService.java:127)
> I wonder if the new servlet spec is specifying this behavior (?).
> A possible fix is to read the session cookie on the client and reset session ID on every request. 
> A hideous workaround for the users is to remove BASIC auth.

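
Added example, not part of the original message and not Cayenne, Tomcat or Jetty code: a toy model of steps 1-3 from the issue, comparing a client that keeps sending the first cookie with one that adopts the session ID from each response (the client-side fix floated in the report). That second client keeps working while the container goes on changing the ID at authentication, which is the session fixation protection that changeSessionIdOnAuthentication="false" switches off. RotatingServer, run_client and MissingSession are hypothetical names, and the model assumes session state is carried over to the new ID.

```python
import secrets

class MissingSession(Exception):
    """Stand-in for the MissingSessionException quoted in the issue."""

class RotatingServer:
    """Toy container: changes the session ID whenever BASIC credentials are checked."""
    def __init__(self, rotate_on_auth=True):
        self.rotate_on_auth = rotate_on_auth    # False models the context.xml workaround
        self.sessions = {}                      # session id -> state dict

    def handle(self, op, cookie, authorized=True):
        """Return (new_cookie_or_None, state); `authorized` models a valid BASIC header."""
        if not authorized:
            raise PermissionError("401 Unauthorized")
        if op == "connect":                     # step 1: session1 is established
            sid = secrets.token_hex(8)
            self.sessions[sid] = {"ops": ["connect"]}
            return sid, self.sessions[sid]
        if cookie not in self.sessions:         # step 3: stale cookie, no session
            raise MissingSession("No session associated with request.")
        state = self.sessions[cookie]
        state["ops"].append(op)
        if self.rotate_on_auth:                 # step 2: old ID retired, new ID issued
            del self.sessions[cookie]
            new_sid = secrets.token_hex(8)
            self.sessions[new_sid] = state      # assumption: state moves to the new ID
            return new_sid, state
        return None, state

def run_client(server, follow_set_cookie):
    """Run connect/bootstrap/commit and return the operations the server recorded."""
    cookie, state = server.handle("connect", None)
    for op in ("bootstrap", "commit"):
        new_cookie, state = server.handle(op, cookie)
        if follow_set_cookie and new_cookie:    # adopt the ID the server just issued
            cookie = new_cookie
    return state["ops"]

if __name__ == "__main__":
    print(run_client(RotatingServer(), follow_set_cookie=True))
```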