Jetspeed 2 / JS2-1119

Impossible to log in using Jetspeed 2 and Tomcat 6.0.24

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.3, 2.2.1
    • Fix Version/s: 2.1.4, 2.2.1
    • Component/s: Components Core
    • Labels:
      None
    • Environment:
      Linux Ubuntu Lucid Lynx - Tomcat 6.0.24-2 - Java 1.5 and 1.6

      Description

      Jetspeed will not let you log in when deployed in Tomcat 6.0.24-2.

      After inserting user and password, the portal will reload as usual but will not update its contents to reflect login success.

      No errors are shown in the logs and there is no clue about what's going wrong, as passwords are accepted and normal login seems to perform normally. I traced the module to DefaultLoginModule.login() and it works well and returns success when the correct user and login are used. But the portal doesn't seem to reflect the login. The problem must be in some other place, but I was not able to track it down.

      Steps to reproduce:

      1.- Install Tomcat 6.0.22
      2.- Deploy jetspeed 2 2.2.1 with libs in place.
      3.- Log in as usual.

      It will not work.

        Activity

        Ate Douma added a comment - - edited

        I found the cause of the problem: a new setting in Tomcat 6.0.21+ (and 5.5.29+) called "changeSessionIdOnAuthentication" which is enabled by default...
        This new setting effectively breaks our active authentication mechanism.

        Some references:

        https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
        http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
        http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

        After I disabled the default setting for this in the jetspeed.xml Tomcat context descriptor like the following, active authentication worked again:

        <Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>

        However, as this new "feature" looks like an important security measure, further investigation is needed to determine if and how we can fix the Jetspeed active authentication again with this new feature remaining enabled.

        For the time being, anyone wanting/needing to use Tomcat 6.0.21+/5.5.29+ together with Jetspeed active authentication temporarily needs to make the above configuration adjustment.

        Ate Douma added a comment -

        After extensive debugging I found the real cause why login didn't work any more: the change of sessionId by this new Tomcat feature also initiates a new "sessionCreated" event...
        As a result, our PortalsSessionManager adds a new PortalSessionMonitor in the session on the same key, which causes the old PortalSessionMonitor to be removed, which then (as a result of the removal) invalidates the session itself...

        Some nice kind of cascading side-effect ...
        I wonder which other applications will break because of this nice "added" feature, especially the additional sessionCreated event on an already existing session might throw some havoc ...

        Anyway, I've come up with a slight modification to the PortalsSessionManager handling of this which caters for this now.
        It does require adding an additional method to the PortletApplicationSessionMonitor (API) as now we'll have to synchronise the new sessionId across.

        Furthermore, I'll have to back port this to 2.1.4 as well (NB: including Jetspeed API change...)
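
The cascade described in the comment above, as an added example that is not part of the original thread and is not Jetspeed or Tomcat code: a plain-Java model with no servlet container, in which a second sessionCreated event on an existing session unbinds the old monitor and invalidates the session, next to a listener that only synchronises the new session id. `Session`, `Monitor`, the listener methods and the session ids are hypothetical stand-ins.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the cascade; all names here are hypothetical.
public class SessionIdChangeDemo {
    static final String KEY = "monitor";

    // Stand-in for an HttpSession: replacing an attribute unbinds the old value.
    static class Session {
        String id;
        boolean valid = true;
        final Map<String, Monitor> attrs = new HashMap<>();
        Session(String id) { this.id = id; }
        void setAttribute(String key, Monitor m) {
            Monitor old = attrs.put(key, m);
            if (old != null && old != m) old.valueUnbound();
        }
    }

    // Stand-in for a session monitor that invalidates its session when unbound.
    static class Monitor {
        final Session session;
        String sessionId;
        Monitor(Session s) { session = s; sessionId = s.id; }
        void valueUnbound() { session.valid = false; }
    }

    // Naive listener: every sessionCreated event binds a fresh monitor.
    static void naiveSessionCreated(Session s) {
        s.setAttribute(KEY, new Monitor(s));
    }

    // Tolerant listener: a repeated event on a known session only syncs the new id.
    static void tolerantSessionCreated(Session s) {
        Monitor existing = s.attrs.get(KEY);
        if (existing != null) existing.sessionId = s.id;
        else s.setAttribute(KEY, new Monitor(s));
    }

    // Simulates login: the container changes the id, then fires sessionCreated again.
    static boolean survivesLogin(boolean tolerant) {
        Session s = new Session("A1");           // constructed sample ids
        if (tolerant) tolerantSessionCreated(s); else naiveSessionCreated(s);
        s.id = "B2";                             // id changed on authentication
        if (tolerant) tolerantSessionCreated(s); else naiveSessionCreated(s);
        return s.valid && s.attrs.get(KEY).sessionId.equals(s.id);
    }

    public static void main(String[] args) {
        System.out.println("naive listener keeps session:    " + survivesLogin(false));
        System.out.println("tolerant listener keeps session: " + survivesLogin(true));
    }
}
```

With a listener that tolerates the repeated event, the session survives the id change, so changeSessionIdOnAuthentication does not have to be disabled.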

        Ate Douma added a comment -

        Fix committed both for 2.2.1 trunk and 2.1.4 branch

        Gonzalo, please check if the latest trunk now works for you on Tomcat 6.0.24 again too. Note: you'll have to do a full update and build of jetspeed-2.2.1-SNAPSHOT as this required changes in jetspeed-api, jetspeed-commons and jetspeed-portal.

        Gonzalo Aguilar added a comment -

        I tested the patch with the new fix against the reported version of Tomcat 6 and it worked!

        I want to know if this is the final patch or an intermediary patch until a new, better approach is found.

        Thank you!!

        Ate Douma added a comment -

        The fix I committed is final, not something intermediary, as it deals with the "issue" appropriately.
        No need for a better approach imo unless someone encounters a problem with the fix itself.

        Gonzalo Aguilar added a comment -

        Then you can close the bug because it works perfectly now.

        Thank you both!


          People

          • Assignee:
            Ate Douma
            Reporter:
            Gonzalo Aguilar