You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2018/01/01 20:27:03 UTC

[jira] [Commented] (WICKET-6493) WebSocket SessionIds are wrong (HttpSession one used instead of Websocket one) + NPE if no HttpSession is found during Handshake Request

    [ https://issues.apache.org/jira/browse/WICKET-6493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16307546#comment-16307546 ] 

ASF subversion and git services commented on WICKET-6493:
---------------------------------------------------------

Commit d02bc37b0cc555fc6b02f054f94c721cc38be907 in wicket's branch refs/heads/wicket-7.x from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=d02bc37 ]

WICKET-6483 JavaxUpgradeHttpRequest can cause NullPointerException

WICKET-6493 WebSocket SessionIds are wrong (HttpSession one used instead of Websocket one) + NPE if no HttpSession is found during Handshake Request

Revert the change to use 'request.getSession(false) because this breaks WicketTester/WebSocketTester infrastructure

(cherry picked from commit 4b8ac4c8cc14f2926312e2572fee4299256e7b11)


> WebSocket SessionIds are wrong (HttpSession one used instead of Websocket one) + NPE if no HttpSession is found during Handshake Request
> ----------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-6493
>                 URL: https://issues.apache.org/jira/browse/WICKET-6493
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-native-websocket
>    Affects Versions: 7.7.0
>         Environment: Linux, JDK 8, Jetty 9
>            Reporter: Torsten Krah
>            Assignee: Martin Grigorov
>             Fix For: 8.0.0, 7.10.0
>
>
> Reading the *HandshakeRequest* javadoc this is written:
> {code}
>     /**
>      * Return a reference to the HttpSession that the web socket handshake that 
>      * started this conversation was part of, if the implementation
>      * is part of a Java EE web container.
>      *
>      * @return the http session or {@code null} if either the websocket
>      * implementation is not part of a Java EE web container, or there is
>      * no HttpSession associated with the opening handshake request.
>      */
>     Object getHttpSession();
> {code}
> So its valid to have *NO* *HttpSession* assigned to a JSR356 request.
> But Wicket seems to "expect" this because in *JavaxUpgradeHttpRequest* the HttpSession is extracted from the *userProperties* which is not there, if it was "null" in the HandshakeRequest.
> In the processing the chain will reach the *AbstractWebSocketProcessor* constructor which calls
> {code}
> this.sessionId = request.getSession(true).getId();
> {code}
> which is going to fail here because there is no HttpSession on the crafted request used here.
> I wonder why the *sessionId* is taken from the HttpSession at all - shouldn't it be the JSR356 session id which you can get with *session.getId()*.
> If you look e.g. at the *IWebSocketConnectionRegistry* javadocs most methods have their *sessionId* argument documented with:
> {code}
> 	 * @param sessionId
> 	 *      the web socket client session id
> {code}
> but actually the HttpSession id is used instead of the WebSocket sessionId - which is a totally different one.
> So i am proposing to use the "real" websocket session id here taken from the constructor call:
> {code}
> public JavaxWebSocketProcessor(JavaxUpgradeHttpRequest request, final Session session, final WebApplication application, EndpointConfig endpointConfig)
> {code}
> where there is the *session* argument where *session.getId()* actually returns the websocket session id which can last longer and is 100% there - the HttpSession must not be there at all as written.
> Unfortunately the javadoc on *IWebSocketConnectionRegistry* for
> {code}
> 	/**
> 	 * @param application
> 	 *            the web application to look in
> 	 * @param sessionId
> 	 * @return collection of web socket connection used by a client with the given session id
> 	 */
> 	Collection<IWebSocketConnection> getConnections(Application application, String sessionId);
> {code}
> does not state which "sessionId" is meant here - i guess its the *HttpSession* - in that case please clarify the JavaDocs here.
> The code maybe need to "track"the HttpSession id to handle that usecase - but in an optional way because it may not be there.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)