We developed a jsf web application with a Jaspic/JSR196 module registered programmatically by the webapp.
We followed the instructions in the following blog to achieve this: http://arjan-tijms.blogspot.pt/
The solution works ok for authenticating the user: we have a bean that receives a username and password and invokes the request.authenticate method. The request is validated in the Server Authentication Module (SAM) and the user becomes authenticated.
The problem is that while navigating in the webapp the session seems to be often invalidated, which causes the user to be redirected to the login page. The SAM module implementation redirects the user to the login page when request.getUserPrincipal returns null while accessing a protected resource. We didn't find a pattern for this behaviour.
While analyzing the logs we found some exceptions that are thrown: (Sometimes these exceptions are displayed in the webpage.)
HttpSession is invalid
<Feb 26, 2013 5:13:30 PM GMT> <Error> <HTTP> <BEA-101020> <[ServletContext@1361767580[app:web-richfaces module:web-richfaces path:null spec-version:3.0]] Servlet failed with an Exception
java.lang.IllegalStateException: HttpSession is invalid
at weblogic.servlet.internal.session.SessionData.isNew(SessionData.java:891)
at weblogic.servlet.security.internal.SecurityModule.login(SecurityModule.java:252)
at weblogic.security.jaspic.servlet.JaspicSecurityModule.checkUserPerm(JaspicSecurityModule.java:85)
at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:95)
at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:543)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:499)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:463)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2119)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1513)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Session invalidation is in progress with different thread
<Feb 26, 2013 5:16:12 PM GMT> <Error> <HTTP> <BEA-101020> <[ServletContext@1361767580[app:web-richfaces module:web-richfaces path:null spec-version:3.0]] Servlet failed with an Exception
java.lang.IllegalStateException: Session invalidation is in progress with different thread
at weblogic.servlet.internal.session.SessionData.invalidate(SessionData.java:880)
at weblogic.servlet.internal.ServletRequestImpl$SessionHelper.updateSessionId(ServletRequestImpl.java:3215)
at weblogic.servlet.internal.ServletObjectsFacadeImpl.updateSessionId(ServletObjectsFacadeImpl.java:54)
at weblogic.servlet.security.internal.SecurityModule.generateNewSession(SecurityModule.java:265)
at weblogic.servlet.security.internal.SecurityModule.login(SecurityModule.java:253)
at weblogic.security.jaspic.servlet.JaspicSecurityModule.checkUserPerm(JaspicSecurityModule.java:85)
at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:95)
at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:543)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:499)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:463)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2119)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1513)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Response already committed
<Feb 26, 2013 5:06:16 PM GMT> <Error> <HTTP> <BEA-101020> <[ServletContext@1361767580[app:web-richfaces module:web-richfaces path:null spec-version:3.0]] Servlet failed with an Exception
java.lang.IllegalStateException: Response already committed
at weblogic.servlet.internal.ServletResponseImpl.objectIfCommitted(ServletResponseImpl.java:1651)
at weblogic.servlet.internal.ServletResponseImpl.sendError(ServletResponseImpl.java:658)
at weblogic.security.jaspic.servlet.JaspicSecurityModule.checkUserPerm(JaspicSecurityModule.java:87)
at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:95)
at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:543)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:499)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:463)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2119)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1513)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
The following log entries show that a valid session is not found, so the user is redirected to the login page:
<HttpRequest@207744527 - /prototype-web-richfaces/pages/customer/customer.jsf: SessionID: MmGLRsrCKrVs2ms2ZYcJbxB1LLngk7pZcjPP4Fd071b1JJLPyLTg!1600091307 found in cookie header>
<HttpRequest@207744527 - /prototype-web-richfaces/pages/customer/customer.jsf: SessionID= MmGLRsrCKrVs2ms2ZYcJbxB1LLngk7pZcjPP4Fd071b1JJLPyLTg found for WASC=ServletContext@1361767580[app:web-richfaces module:web-richfaces path:/prototype-web-richfaces spec-version:3.0]>
<HttpRequest@207744527 - /prototype-web-richfaces/pages/customer/customer.jsf: Trying to find session: MmGLRsrCKrVs2ms2ZYcJbxB1LLngk7pZcjPP4Fd071b1JJLPyLTg!1600091307>
<HttpRequest@207744527 - /prototype-web-richfaces/pages/customer/customer.jsf: Trying other contexts to find valid session for id: MmGLRsrCKrVs2ms2ZYcJbxB1LLngk7pZcjPP4Fd071b1JJLPyLTg!1600091307>
<HttpRequest@207744527 - /prototype-web-richfaces/pages/customer/customer.jsf: Couldn't find valid session for id: MmGLRsrCKrVs2ms2ZYcJbxB1LLngk7pZcjPP4Fd071b1JJLPyLTg!1600091307>
[[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO authentication.jaspic.TestServerAuthModule - Request URI: /prototype-web-richfaces/pages/customer/customer.jsf
[[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG authentication.jaspic.TestServerAuthModule - Principal is null. Redirecting to login page.
It seems that the container is invalidating the Http Sessions. But we can't understand why. Any help?
Upvotes: 1
Adding to the question of Lan: what version of WebLogic are you using? And do you also have these session issues if you're not authenticating?
Also, do you have just one application running on WebLogic or many? Note that the blog mentions the "null" workaround when registering; if you followed that approach exactly you'll register the module for all apps running on that WebLogic instance. Alternatively you could try the pattern server [space] [context path], e.g. "server /prototype-web-richfaces" (see table in Step 10 of the blog post). Note that the JASPIC MR for Java EE 7 fixes this.
If you're calling request.authenticate, realize that your SAM will be called in the middle of a request (if you're just requesting a protected resource it will be called at the beginning of a request). Be careful that you haven't written anything to the response yet if you're trying to create a new session and are using request.authenticate. A JSF action method typically works, but be wary of any Servlet Filters that you have installed that might write something before that.
In case of the "Response already committed", it looks like WebLogic is trying to send an error page, but that page can't be sent because something has already been written to the response. You might want to check what that root error is.
For the OmniFaces project (the OmniSecurity sub-project actually) we have created a SAM, which could maybe give you another example. Unfortunately, that particular SAM is a bit complex so it's perhaps not the best example to learn from, but if you want to see it being used in an actual application, there's an example of that as well (I've tested this on WebLogic 12c among others).
Upvotes: 2
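As an added example (not the question's module, the blog's code, or OmniSecurity), here is a minimal JASPIC 1.0 Servlet-profile SAM that applies the two cautions from the answer above: it only redirects to the login page when the container marks the resource as protected (the javax.servlet.http.isMandatory key), and it checks response.isCommitted() before redirecting so the SAM itself never writes to an already committed response. The session attribute name and the login page path are assumptions; the example does not diagnose why WebLogic invalidates the session, it only makes the SAM fail cleanly when that has happened.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Added example SAM (not the question's module or OmniSecurity code); names marked "assumed" are not from the page.
public class SessionAwareSam implements ServerAuthModule {
  static final String IS_MANDATORY = "javax.servlet.http.isMandatory"; // set by the container for protected resources
  static final String USER_ATTR = "sam.user";    // assumed: attribute the login bean stores after a successful login
  static final String LOGIN_PAGE = "/login.jsf"; // assumed: login page path inside the web application context
  private CallbackHandler handler;
  public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map options) { handler = h; }
  public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
    HttpServletRequest request = (HttpServletRequest) mi.getRequestMessage();
    HttpServletResponse response = (HttpServletResponse) mi.getResponseMessage();
    boolean mandatory = Boolean.parseBoolean(String.valueOf(mi.getMap().get(IS_MANDATORY)));
    HttpSession session = request.getSession(false); // never create a session just to inspect it
    String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
    try {
      if (user != null) { // session still valid: re-establish the caller for this request
        handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) });
        return AuthStatus.SUCCESS;
      }
      if (!mandatory) { // public resource: pass through as an unauthenticated caller
        handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
        return AuthStatus.SUCCESS;
      }
      if (response.isCommitted()) { // too late to redirect; fail cleanly instead of throwing IllegalStateException
        return AuthStatus.SEND_FAILURE;
      }
      response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
      return AuthStatus.SEND_CONTINUE;
    } catch (Exception e) {
      throw (AuthException) new AuthException(e.getMessage()).initCause(e);
    }
  }
  public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
  public void cleanSubject(MessageInfo mi, Subject subject) { }
  public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
}
```

When registering such a module on WebLogic, the answer's suggested app context of the form "server /prototype-web-richfaces" keeps it scoped to one application instead of every deployment on the instance.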