You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "David Rain (Jira)" <ji...@apache.org> on 2023/06/08 07:11:00 UTC
[jira] [Commented] (WICKET-7056) HttpSessionStore#getAttribute called on invalidated session
[ https://issues.apache.org/jira/browse/WICKET-7056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17730414#comment-17730414 ]
David Rain commented on WICKET-7056:
------------------------------------
[~mgrigorov] I was not able to reproduce this in the demo app. So I've digged deeper and found out the session (invalid) was stored in a thread local variable.
I've also learned, that [getSession(false)|http://example.com/] not only does not create a new session when none exists but also returns a valid session only. If the session has already been invalidated it returns null. So the Wicket code is OK.
> HttpSessionStore#getAttribute called on invalidated session
> -----------------------------------------------------------
>
> Key: WICKET-7056
> URL: https://issues.apache.org/jira/browse/WICKET-7056
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 8.13.0
> Environment: Ubuntu Linux v. 18
> WebSphere AS 9.0.5.14
> Wicket 8.13.0
> Reporter: David Rain
> Priority: Major
> Labels: Wicket, invalidation, session
> Original Estimate: 4h
> Remaining Estimate: 4h
>
> The org.apache.wicket.session.HttpSessionStore#getHttpSession does not take an invalidated session state into account.
> Thus the e.g. getAttribute method the calls the httpSession#getAttribute which results to the exception being thrown by server (WebSphere and Jetty in our case). See [https://www.ibm.com/support/pages/javalangillegalstateexception-thrown-session-manager]
> In my opinion the HttpSessionStore should check the valid state of the session before trying to access it.
> {code:java}
> Exception occurred during onEndRequest
> java.lang.IllegalStateException: The following session is not valid! FAMtHV-7DvEsvj07hsLKExc
> at com.ibm.ws.session.http.HttpSessionImpl.getAttribute(HttpSessionImpl.java:191)
> at com.ibm.ws.session.SessionData.getSessionValue(SessionData.java:307)
> at com.ibm.ws.session.SessionData.getAttribute(SessionData.java:163)
> at com.ibm.ws.session.HttpSessionFacade.getAttribute(HttpSessionFacade.java:139)
> at org.apache.wicket.session.HttpSessionStore.getAttribute(HttpSessionStore.java:256)
> at org.apache.wicket.session.HttpSessionStore.getWicketSession(HttpSessionStore.java:188)
> at org.apache.wicket.session.HttpSessionStore.lookup(HttpSessionStore.java:175)
> at org.apache.wicket.Session.bind(Session.java:268)
> at org.apache.wicket.page.DefaultPageManagerContext.bind(DefaultPageManagerContext.java:43)
> at org.apache.wicket.page.RequestAdapter.bind(RequestAdapter.java:88)
> at org.apache.wicket.page.RequestAdapter.endRequest(RequestAdapter.java:187)
> at org.apache.wicket.page.AbstractPageManager.endRequest(AbstractPageManager.java:75)
> at org.apache.wicket.page.PageManagerDecorator.endRequest(PageManagerDecorator.java:78)
> at org.apache.wicket.Application$2.onEndRequest(Application.java:1604)
> at org.apache.wicket.request.cycle.RequestCycleListenerCollection$2.notify(RequestCycleListenerCollection.java:85)
> at org.apache.wicket.request.cycle.RequestCycleListenerCollection$2.notify(RequestCycleListenerCollection.java:81)
> at org.apache.wicket.util.listener.ListenerCollection.reversedNotify(ListenerCollection.java:144)
> at org.apache.wicket.request.cycle.RequestCycleListenerCollection.onEndRequest(RequestCycleListenerCollection.java:80)
> at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:266)
> at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:276)
> at org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:66)
> at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:207)
> at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:306)
> at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
> at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
> at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
> at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
> at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
> at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
> at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
> at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
> at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
> at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
> at cz.kb.common.context.servlet.CorrelationContextFilter.doFilter(CorrelationContextFilter.java:50)
> at cz.kb.dcs.module_init.api.DcsCorrelationContextFilter.doFilter(DcsCorrelationContextFilter.java:92)
> at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
> at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
> at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:979)
> at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1119)
> at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4238)
> at com.ibm.ws.webcontainer.webapp.WebAppImpl.handleRequest(WebAppImpl.java:2210)
> at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
> at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1033)
> at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
> at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
> at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
> at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
> at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
> at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:289)
> at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
> at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
> at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:558)
> at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:608)
> at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:985)
> at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1074)
> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909) {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)