Posted to issues@geode.apache.org by "Eric Shu (Jira)" <ji...@apache.org> on 2020/06/03 00:03:00 UTC
[jira] [Created] (GEODE-8217) Geode session replication could leak
internal serialized bytes during HttpSessionAttributeListener invocation
even when preferDeserializedForm is set to true
Eric Shu created GEODE-8217:
-------------------------------
Summary: Geode session replication could leak internal serialized bytes during HttpSessionAttributeListener invocation even when preferDeserializedForm is set to true
Key: GEODE-8217
URL: https://issues.apache.org/jira/browse/GEODE-8217
Project: Geode
Issue Type: Bug
Components: http session
Reporter: Eric Shu
When preferDeserializedForm is set to true (the default value), the session object should not contain serialized bytes in the cache. However, the following exception shows that the product leaks the serialized bytes.
{noformat}
Jun 02, 2020 3:31:58 PM org.apache.catalina.session.StandardSession setAttribute
SEVERE: Session attribute event listener threw exception
java.lang.ClassCastException: [B cannot be cast to java.lang.String
at org.apache.geode.modules.session.AccessAttributeValueListener.attributeReplaced(AccessAttributeValueListener.java:34)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1482)
at org.apache.geode.modules.session.catalina.DeltaSession.setAttribute(DeltaSession.java:262)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1385)
at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:137)
at org.apache.geode.modules.session.catalina.DeltaSessionFacade.setAttribute(DeltaSessionFacade.java:49)
at org.apache.geode.modules.session.CommandServlet.doGet(CommandServlet.java:64)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.geode.modules.session.catalina.CommitSessionValve.invoke(CommitSessionValve.java:47)
at org.apache.geode.modules.session.catalina.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:45)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
{noformat}
Please note that if preferDeserializedForm is set to false, this issue could still exist, unless HttpSessionBindingEvent.getValue() is not being accessed by the application. Otherwise, the user should set preferDeserializedForm to true to avoid this issue.