GEODE-8217

Geode session replication could leak internal serialized bytes during HttpSessionAttributeListener invocation even when preferDeserializedForm is set to true


Description

      When preferDeserializedForm is set to true (the default value), the session object should not contain serialized bytes in the cache. However, the following exception shows that the product leaks the serialized bytes.

      Jun 02, 2020 3:31:58 PM org.apache.catalina.session.StandardSession setAttribute
      SEVERE: Session attribute event listener threw exception
      java.lang.ClassCastException: [B cannot be cast to java.lang.String
              at org.apache.geode.modules.session.AccessAttributeValueListener.attributeReplaced(AccessAttributeValueListener.java:34)
              at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1482)
              at org.apache.geode.modules.session.catalina.DeltaSession.setAttribute(DeltaSession.java:262)
              at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1385)
              at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:137)
              at org.apache.geode.modules.session.catalina.DeltaSessionFacade.setAttribute(DeltaSessionFacade.java:49)
              at org.apache.geode.modules.session.CommandServlet.doGet(CommandServlet.java:64)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
              at org.apache.geode.modules.session.catalina.CommitSessionValve.invoke(CommitSessionValve.java:47)
              at org.apache.geode.modules.session.catalina.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:45)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
              at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
              at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609)
              at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
              at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
              at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:748)
      

      Please note that if preferDeserializedForm is set to false, this issue could still exist, unless HttpSessionBindingEvent.getValue() is not accessed by the application. Otherwise, the user should set preferDeserializedForm to true to avoid this issue.
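      A defensive listener for this situation, as an added example that is not part of the issue and not Geode's own AccessAttributeValueListener (whose direct cast to String is inferred only from the exception message): it checks the runtime type of HttpSessionBindingEvent.getValue() before using it, so a leaked byte[] is logged for diagnosis instead of aborting the request with a ClassCastException. The class name and log messages are hypothetical.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

// Hypothetical listener (added example, not Geode's AccessAttributeValueListener).
// It inspects the runtime type of the value before casting, so a serialized
// byte[] reaching the listener is logged instead of aborting the request with
// the ClassCastException shown in the issue.
public class TypeCheckingAttributeListener implements HttpSessionAttributeListener {
  private static final Logger LOG =
      Logger.getLogger(TypeCheckingAttributeListener.class.getName());

  @Override public void attributeAdded(HttpSessionBindingEvent e) { inspect("added", e); }
  @Override public void attributeRemoved(HttpSessionBindingEvent e) { inspect("removed", e); }

  @Override
  public void attributeReplaced(HttpSessionBindingEvent event) {
    // For a replace, getValue() returns the previous value of the attribute;
    // that is the value which arrived as [B in the stack trace above.
    inspect("replaced", event);
  }

  private void inspect(String action, HttpSessionBindingEvent event) {
    Object value = event.getValue();
    String report = describe(event.getName(), value);
    if (value instanceof byte[]) {
      // Serialized form leaked into the listener: report it, do not deserialize it here.
      LOG.warning("session attribute " + action + ": " + report);
    } else {
      LOG.fine("session attribute " + action + ": " + report);
    }
  }

  // Describes the value's runtime type without casting it to an expected type.
  static String describe(String name, Object value) {
    if (value == null) {
      return name + " -> null";
    }
    if (value instanceof byte[]) {
      return name + " -> serialized byte[" + ((byte[]) value).length + "], not a String";
    }
    if (value instanceof String) {
      return name + " -> String of length " + ((String) value).length();
    }
    return name + " -> " + value.getClass().getName();
  }
}
```

      Registering this listener in web.xml alongside the application's own listener makes a WARNING entry appear in the Tomcat log whenever the serialized form reaches listener code, which is the condition this issue describes.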

      People

        eshu Eric Shu