[WW-3865] TokenSesion double submit sends a blank page to ie and stacktrace on server - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.3.4.1
Fix Version/s: 2.3.7
Component/s: None
Labels:
- newbie
Environment:

Tomcat 7.0.29
IE 9 or Firefox 13

Description

when using the tokenSession interceptor a double submit will end up showing a blank page to the browser.
The server logs show the following stacktrace :

java.lang.NullPointerException
	at org.apache.catalina.connector.Request.setAttribute(Request.java:1530)
	at org.apache.catalina.connector.RequestFacade.setAttribute(RequestFacade.java:543)
	at javax.servlet.ServletRequestWrapper.setAttribute(ServletRequestWrapper.java:239)
	at org.apache.tiles.servlet.context.ServletRequestScopeMap.put(ServletRequestScopeMap.java:165)
	at org.apache.tiles.servlet.context.ServletRequestScopeMap.put(ServletRequestScopeMap.java:43)
	at org.apache.tiles.impl.BasicTilesContainer.getContextStack(BasicTilesContainer.java:470)
	at org.apache.tiles.impl.BasicTilesContainer.getContext(BasicTilesContainer.java:510)
	at org.apache.tiles.impl.BasicTilesContainer.getAttributeContext(BasicTilesContainer.java:525)
	at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:626)
	at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:322)
	at org.apache.struts2.views.tiles.TilesResult.doExecute(TilesResult.java:105)
	at org.apache.struts2.dispatcher.StrutsResultSupport.execute(StrutsResultSupport.java:186)
	at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:374)

I founs that this behaviour did not happen in version 2.2.1.1
I checke the Java code and saw a change resposible for the PB :

in version 2.2.1.1 TokenSession.java line 130 to 146 :

    protected String doIntercept(ActionInvocation invocation) throws Exception {
        if (log.isDebugEnabled()) {
            log.debug("Intercepting invocation to check for valid transaction token.");
        }

        //see WW-2902: we need to use the real HttpSession here, as opposed to the map
        //that wraps the session, because a new wrap is created on every request
        HttpSession session = ServletActionContext.getRequest().getSession(true);

        synchronized (session) {
            if (!TokenHelper.validToken()) {
                return handleInvalidToken(invocation);
            }

            return handleValidToken(invocation);
        }
    }

in version 2.3.3 line 140 of TokenSession.java the return handleValidToken(invocation); is no longer protected by the synchronized. That's what causes the problem :

    protected String doIntercept(ActionInvocation invocation) throws Exception {
        if (log.isDebugEnabled()) {
            log.debug("Intercepting invocation to check for valid transaction token.");
        }

        //see WW-2902: we need to use the real HttpSession here, as opposed to the map
        //that wraps the session, because a new wrap is created on every request
        HttpSession session = ServletActionContext.getRequest().getSession(true);

        synchronized (session) {
            if (!TokenHelper.validToken()) {
                return handleInvalidToken(invocation);
            }
        }
        return handleValidToken(invocation);
    }

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

token-session.rar
13/Sep/12 08:39
2.81 MB
Gauthier Peel

Issue Links

is related to

WW-3895 Synchronization on HttpSession object

Closed

relates to

WW-3582 Token Interceptor is holding HttpSession lock which can trigger deadlocks

Closed

WW-4409 Modify the TokenInterceptor not to lock the session object while handling and invalid token

Open

Activity

People

Assignee:: Lukasz Lenart

Reporter:: Gauthier Peel

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 14/Aug/12 08:05

Updated:: 15/Jul/15 20:46

Resolved:: 05/Oct/12 09:40