Posted to dev@tomcat.apache.org by Andrigo Spall Gomes <an...@wificom.com> on 2004/03/17 17:52:29 UTC

double submit in form-based authentication throws IllegalStateException

	Hello!

	I'm having a problem when trying to cope with double submits in a 
form-based authentication in Tomcat 4.1.30.

	I get to the login page when I try to access a protected page (actually 
a struts action - ".do").

	I then enter the username and password in the form whose target is 
j_security_check and, if I just push submit once, everything goes 
all right: I am authenticated and taken to the struts action, which does 
its job and forwards to its view.

	But if I simulate a double submit (impatient users :), I am shown an 
IllegalStateException, thrown by 
org.apache.catalina.servlets.DefaultServlet.

	Well, I downloaded tomcat's source code and traced it to see what was 
going on.

	I found out that in the first request 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter() will 
call servlet.service(), and in this case the servlet is struts' 
ActionServlet, whereas in the second (and simultaneous) submit, the 
servlet invoked is org.apache.catalina.servlets.DefaultServlet.

	I think this behaviour is probably because in the second submit the 
resource I !first! requested was j_security_check (the action of the 
form), and not the struts action (.do extension), like in the first submit.

	DefaultServlet will then try to serve, in the second submit, 
j_security_check. It will not find the resource and will try to call 
response.sendError(HttpServletResponse.SC_NOT_FOUND,
                                    request.getRequestURI());

	The thing is that, at this point, response.isCommitted() == true, and 
then it throws IllegalStateException.

	If we analyse what is actually going on, the problem is not the 
IllegalStateException itself, but the fact that tomcat is trying to 
serve j_security_check in the second submit, rather than the struts 
action I requested in the first place. The exception I get is just a 
consequence of the wrong processing.

	Would this be a bug in tomcat? Would there be any workarounds to make 
it remember that the second submit still has as target the struts action, 
and not j_security_check as it is currently interpreting?

	I'd appreciate any thoughts.

	Best Regards,
	Andrigo Gomes

	PS: here is the stack trace I get:


java.lang.IllegalStateException
	at org.apache.coyote.tomcat4.CoyoteResponseFacade.sendError(CoyoteResponseFacade.java:310)
	at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:936)
	at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:518)
	at org.apache.catalina.servlets.DefaultServlet.doPost(DefaultServlet.java:554)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
	at companyFilter.doFilter(some row)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.jboss.web.catalina.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:227)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2422)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:163)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:577)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:199)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:700)
	at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
	at java.lang.Thread.run(Unknown Source)

Apache Tomcat/4.1.30
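
Added example, not part of the original post and not Tomcat or Struts code: a servlet filter that answers a j_security_check request which falls through to the filter chain (as the second submit does in the stack trace above, where companyFilter is on the call path), so that it never reaches DefaultServlet. The class name and the `landingPath` init-param are hypothetical, and the sketch assumes a normal login post is consumed by the container's authenticator before any filter runs.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not Tomcat or Struts code. Map it to /* ahead of other filters.
public class StaleLoginSubmitFilter implements Filter {
    private static final String LOGIN_ACTION = "/j_security_check";
    private String landingPath = "/";   // hypothetical default landing page

    public void init(FilterConfig config) {
        // "landingPath" is a hypothetical init-param. The target comes from
        // web.xml, never from the request, so a client cannot steer the redirect.
        String p = config.getInitParameter("landingPath");
        if (p != null && p.startsWith("/") && !p.startsWith("//")) {
            landingPath = p;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !isLoginAction((HttpServletRequest) req)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (response.isCommitted()) {
            return;   // headers already sent: sendError/sendRedirect would throw
        }
        if (request.getUserPrincipal() != null) {
            // Already logged in: the duplicate submit goes to the landing page.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + landingPath));
        } else {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    // Compare the path without any ";jsessionid=..." path parameter.
    private static boolean isLoginAction(HttpServletRequest request) {
        String uri = request.getRequestURI();
        int semi = uri.indexOf(';');
        return (semi >= 0 ? uri.substring(0, semi) : uri).endsWith(LOGIN_ACTION);
    }

    public void destroy() { }
}
```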
