Posted to users@wicket.apache.org by klyver <k....@gmail.com> on 2011/11/16 15:11:48 UTC

pagemap problem ??

Hi,

we have a critical problem. Some of our users get access to other users'
data.

We don't understand why it happens. Occasionally, when we render a panel it
shows data that belongs to another user.
Here is a boiled down example of a panel in our application.

import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class TestPanel extends Panel {
   private static final Logger logger = LoggerFactory.getLogger(TestPanel.class);

   // Name captured once in the constructor and kept with the panel instance
   private String cachedEmployeeName;

   public TestPanel() {
       super("testPanel");
       String employeeName = ((TestSession) getSession()).getEmployeeName();
       cachedEmployeeName = employeeName;
       add(new Label("heading", "Heading for " + employeeName));
   }

   // onBeforeRender is only used for debugging purposes
   @Override
   protected void onBeforeRender() {
       super.onBeforeRender();
       String employeeName = ((TestSession) getSession()).getEmployeeName();

       // Compare the name stored at construction with the current session's name
       if (!cachedEmployeeName.equals(employeeName)) {
           logger.error(String.format("ERROR!! cached[%s] <> session[%s]",
                   cachedEmployeeName, employeeName));
       }
   }
}

Occasionally, when a user hits the browser back button, he sees a wrong
'employeeName'. When the wrong name is shown, the error log tells us that
the CachedEmployeeName is wrong. 

We have found out that ((TestSession) getSession()).getEmployeeName() always
returns the correct value. (We know this from other log statements including
the sessionId - they are not shown in this example)

We thought we could be sure that a panel instance belongs to the session,
which is also true at least 99% of the time in our application. Have we
misunderstood something here?


For info:
- We have not been able to reproduce the problem in development, but we see
it from time to time in production
- We use wicket 1.4.18
- We use CryptedUrlWebRequestCodingStrategy
- It turns out that the wrong CachedEmployeeName is always the name of a
user who had logged in earlier that day (and also from the same IP
address, but not the same machine).

Any ideas why we are experiencing this?

Thanks
/Klyver


--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/pagemap-problem-tp4076410p4076410.html
Sent from the Users forum mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
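
The following is an added example, not code from the poster or from the Wicket project. It is a fail-closed variant of the debugging check in the post: the panel records the id of the session that built it and refuses to render in any other session, and the heading is resolved at render time instead of being cached. It does not identify the root cause. GuardedTestPanel is a hypothetical name, TestSession is the poster's own class, and the Wicket 1.4 API is assumed.

```java
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.AbstractReadOnlyModel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical variant of TestPanel; TestSession is the poster's own session class.
public class GuardedTestPanel extends Panel {
    private static final long serialVersionUID = 1L;
    private static final Logger logger = LoggerFactory.getLogger(GuardedTestPanel.class);

    // Id of the session that built this panel; it is serialized with the page.
    private final String ownerSessionId;

    public GuardedTestPanel() {
        super("testPanel");
        Session session = getSession();
        session.bind(); // force a real HTTP session so getId() is not null
        ownerSessionId = session.getId();

        // Read the name at render time instead of freezing it in the constructor.
        add(new Label("heading", new AbstractReadOnlyModel<String>() {
            private static final long serialVersionUID = 1L;

            @Override
            public String getObject() {
                return "Heading for " + ((TestSession) Session.get()).getEmployeeName();
            }
        }));
    }

    @Override
    protected void onBeforeRender() {
        // Fail closed: a panel built in one session must never render in another.
        if (!ownerSessionId.equals(getSession().getId())) {
            // Log the component path only; session ids do not belong in logs.
            logger.error("Session mismatch, refusing to render {}", getPath());
            throw new RestartResponseException(getApplication().getHomePage());
        }
        super.onBeforeRender();
    }
}
```

If the application replaces the session id at login, pages built before login will trip this guard, so the check assumes the id stays stable for the lifetime of a logged-in session.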


Re: pagemap problem ??

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

On Wed, Nov 16, 2011 at 4:11 PM, klyver <k....@gmail.com> wrote:
> Hi,
>
> we have a critical problem. Some of our users get access to other users'
> data.
>
> We don't understand why it happens. Occasionally, when we render a panel it
> shows data that belongs to another user.
> Here is a boiled down example of a panel in our application.
>
> public class TestPanel extends Panel {
>   private static final Logger logger = LoggerFactory.getLogger(TestPanel.class);
>
>   private String cachedEmployeeName;
>
>   public TestPanel() {
>       super("testPanel");
>       String employeeName = ((TestSession) getSession()).getEmployeeName();
>       cachedEmployeeName = employeeName;
>       add(new Label("heading", "Heading for " + employeeName));
>   }
>
>   // onBeforeRender is only used for debugging purposes
>   @Override
>   protected void onBeforeRender() {
>       super.onBeforeRender();
>       String employeeName = ((TestSession) getSession()).getEmployeeName();
>
>       if (!cachedEmployeeName.equals(employeeName)) {
>           logger.error(String.format("ERROR!! cached[%s] <> session[%s]",
>                   cachedEmployeeName, employeeName));
>       }
>   }
> }
>
> Occasionally, when a user hits the browser back button, he sees a wrong
> 'employeeName'. When the wrong name is shown, the error log tells us that
> the CachedEmployeeName is wrong.
>
> We have found out that ((TestSession) getSession()).getEmployeeName() always
> returns the correct value. (We know this from other log statements including
> the sessionId - they are not shown in this example)
>
> We thought we could be sure that a panel instance belongs to the session,
> which is also true at least 99% of the time in our application. Have we
> misunderstood something here?

100% correct. Each Session has access to its pages, i.e. the components inside.

No idea what goes wrong.
Wicket had a similar problem in its early 1.4.x versions, but no one has
complained about anything similar since then.
>
>
> For info:
> - We have not been able to reproduce the problem in development, but we see
> it from time to time in production
> - We use wicket 1.4.18
> - We use CryptedUrlWebRequestCodingStrategy
> - It turns out that the wrong CachedEmployeeName is always the name of a
> user who had logged in earlier that day (and also from the same IP
> address, but not the same machine).
>
> Any ideas why we are experiencing this?
>
> Thanks
> /Klyver



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
