[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - SessionTimeout bug in tomcat 5.5.20
sreeraaman
do-not-reply at jboss.com
Fri Nov 3 09:16:27 EST 2006
Hi,
I am working on container managed authentication using a form based login. I have configured web security as follows in web.xml:
| <error-page>
| <error-code>400</error-code>
| <error-code>403</error-code>
| <error-code>404</error-code>
| <error-code>500</error-code>
| <location>/index.jsp</location>
| </error-page>
| <security-constraint>
| <web-resource-collection>
| <web-resource-name>Whole site</web-resource-name>
| <url-pattern>/secure/*</url-pattern>
| </web-resource-collection>
| <auth-constraint>
| <role-name>*</role-name>
| </auth-constraint>
| <user-data-constraint>
| <transport-guarantee>NONE</transport-guarantee>
| </user-data-constraint>
| </security-constraint>
| <login-config>
| <auth-method>FORM</auth-method>
| <realm-name>SecDomain</realm-name>
| <form-login-config>
| <form-login-page>/Login.seam</form-login-page>
| <form-error-page>/authorization-error.seam</form-error-page>
| </form-login-config>
| </login-config>
|
I have a JSF page in the secured realm (/secure/) from where I am calling a EJB3 stateless session bean using JBoss Seam.
It is working fine if the session has not timed out. However, if the session has got timed out and after which if I try to call a method on a SLSB, I get the following error:
| HTTP Status 403 - The request body was too large to be cached during the authentication process
| ________________________________________
| type Status report
| message The request body was too large to be cached during the authentication process
| description Access to the specified resource (The request body was too large to be cached during the authentication process) has been forbidden.
| ________________________________________
| Apache Tomcat/5.5.20
|
Going through the server logs, I find the following output:
| 2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '277A5C3578B0DDDF9DA12DEEA47985AB'
| 2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Request body too big to save during authentication
| 2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
|
Going through the source for the FormAuthenticator Class, I found that the above message was displayed in the authenticate method, the snapshot of which is as follows:
| // No -- Save this request and redirect to the form login page
| if (!loginAction) {
| session = request.getSessionInternal(true);
| if (log.isDebugEnabled())
| log.debug("Save request in session '" + session.getIdInternal() + "'");
| try {
| saveRequest(request, session);
| } catch (IOException ioe) {
| log.debug("Request body too big to save during authentication");
| response.sendError(HttpServletResponse.SC_FORBIDDEN,
| sm.getString("authenticator.requestBodyTooBig"));
| return (false);
| }
| forwardToLoginPage(request, response, config);
| return (false);
| }
|
Also, I noticed that the saveRequest method does not throw any exception in the previous versions.
Inside the saveRequest method, the highlighted line in the following code snippet is the place where the exception is thrown:
| if ("POST".equalsIgnoreCase(request.getMethod())) {
| ByteChunk body = new ByteChunk();
| body.setLimit(request.getConnector().getMaxSavePostSize());
|
| byte[] buffer = new byte[4096];
| int bytesRead;
| InputStream is = request.getInputStream();
|
| while ( (bytesRead = is.read(buffer) ) >= 0) {
| body.append(buffer, 0, bytesRead);
| }
| saved.setBody(body);
| }
|
I understand that by default the getMaxSavePostSize() returns 2MB .
I would have expected Tomcat to have redirected me to the login page since, the session has expired.
Note:
I am using JBoss 4.0.5 GA, Seam 1.0.1 GA and Tomcat 5.5.20.
regards
sriraman.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3982977#3982977
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3982977
More information about the jboss-user
mailing list