Posted to dev@tomcat.apache.org by Andrigo Spall Gomes <an...@wificom.com> on 2004/03/17 17:52:29 UTC
double submit in form-based authentication throws IllegalStateException
Hello!
I'm having a problem when trying to cope with double submits in a
form-based authentication in Tomcat 4.1.30.
I get to the login page when I try to access a protected page (actually
a struts action - ".do").
I then inform the username and password in the form whose target is
j_security_check and, if I just push submit once, everything goes
all right, I am authenticated and taken to the struts action, that does
its job and forwards to its view.
But if I simulate a double submit (impatient users :), I am shown an
IllegalStateException, thrown by
org.apache.catalina.servlets.DefaultServlet.
Well, I downloaded Tomcat's source code and traced it to see what was
going on.
I found out that in the first request
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter() will
call servlet.service(), and in this case the servlet is struts'
ActionServlet, whereas in the second (and simultaneous) submit, the
servlet invoked is org.apache.catalina.servlets.DefaultServlet.
I think this behaviour is probably because in the second submit the
resource I !first! requested was j_security_check (the action of the
form), and not the struts action (.do extension), like in the first submit.
DefaultServlet will then try to serve, in the second submit,
j_security_check. It will not find the resource and will try to call
response.sendError(HttpServletResponse.SC_NOT_FOUND,
request.getRequestURI());
The thing is that, at this point, response.isCommitted() == true, and
then it throws IllegalStateException.
If we analyse what is actually going on, the problem is not the
IllegalStateException itself, but the fact that Tomcat is trying to
serve j_security_check in the second submit, rather than the struts
action I requested in the first place. The exception I get is just a
consequence of the wrong processing.
Would this be a bug in Tomcat? Would there be any workarounds to make
it remember that the second submit still has as target the struts action,
and not j_security_check as it is currently interpreting?
I'd appreciate any thoughts.
Best Regards,
Andrigo Gomes
PS: here is the stack trace I get:
java.lang.IllegalStateException
    at org.apache.coyote.tomcat4.CoyoteResponseFacade.sendError(CoyoteResponseFacade.java:310)
    at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:936)
    at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:518)
    at org.apache.catalina.servlets.DefaultServlet.doPost(DefaultServlet.java:554)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at companyFilter.doFilter(some row)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.jboss.web.catalina.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:227)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2422)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:163)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:577)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:199)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:700)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Unknown Source)
Apache Tomcat/4.1.30
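
Added example, not part of the original post and not Tomcat project code: a servlet filter that intercepts a j_security_check request once it has been handed to the application's filter chain (as the trace above shows happening for companyFilter) and redirects it before DefaultServlet can answer it. The class name StrayLoginPostFilter, the landingPath init parameter and the /index.do default are hypothetical; the filter is assumed to be mapped to /j_security_check in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; written against the Servlet 2.3 API used by Tomcat 4.1.
public class StrayLoginPostFilter implements Filter {
    private static final String LOGIN_ACTION = "/j_security_check";
    // Assumed landing action; the redirect target is fixed configuration and
    // is never taken from request parameters, so it cannot be steered by input.
    private String landingPath = "/index.do";

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("landingPath");
        if (configured != null && configured.startsWith("/")) {
            landingPath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Drop any ";jsessionid=..." path parameter before comparing.
        String uri = request.getRequestURI();
        int semi = uri.indexOf(';');
        if (semi >= 0) uri = uri.substring(0, semi);

        if (!uri.endsWith(LOGIN_ACTION)) {
            chain.doFilter(req, res);   // not the login action: normal processing
            return;
        }
        // A login POST that reaches the filter chain was not consumed by the
        // authenticator, so no servlet is mapped to it. Stop here.
        if (response.isCommitted()) {
            return;   // sendRedirect/sendError would throw IllegalStateException
        }
        response.sendRedirect(
            response.encodeRedirectURL(request.getContextPath() + landingPath));
    }

    public void destroy() { }
}
```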