Project: Application Server 3 4 5 and 6
Issue: JBAS-3160

Not serializable JBossGenericPrincipal in session


Details

    Description

      There is a problem when parallel requests share the same session. When the security manager is activated, it can happen that org.apache.catalina.connector.Request.setUserPrincipal() is fed by an Authenticator with a JBossGenericPrincipal, and a Subject containing this Principal is created (prerequisites: the session exists, the security manager is activated, and the Subject is not yet in the session).

      Subsequent calls to request.setUserPrincipal() in CutomPrincipalValve cannot fix that.

      -> The session contains a non-serializable JBossGenericPrincipal.

      The Tomcat implementation (StandardSession) skips serializing the attribute javax.security.auth.subject, but the JBoss implementations org.jboss.web.tomcat.tc5.session.AttributeBasedClusteredSession and org.jboss.web.tomcat.tc5.session.ClusteredSession do serialize it.

      I see two solutions:
      1. JBoss ignores the attribute javax.security.auth.subject in the session, just like Tomcat does.
      2. Ensuring that only serializable principals are in the session.

      Stack trace showing the resulting problem:

      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - java.io.NotSerializableException: org.jboss.web.tomcat.security.JBossGenericPrincipal
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1054)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:278)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.util.LinkedList.writeObject(LinkedList.java:685)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at sun.reflect.GeneratedMethodAccessor212.invoke(Unknown Source)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.lang.reflect.Method.invoke(Method.java:324)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:809)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1296)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1247)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1052)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.access$100(ObjectOutputStream.java:122)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream$PutFieldImpl.writeFields(ObjectOutputStream.java:1475)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeFields(ObjectOutputStream.java:405)
      20060424:174659.640 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at javax.security.auth.Subject$SecureSet.writeObject(Subject.java:1288)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at sun.reflect.GeneratedMethodAccessor211.invoke(Unknown Source)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.lang.reflect.Method.invoke(Method.java:324)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:809)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1296)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1247)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1052)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1332)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:367)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at javax.security.auth.Subject.writeObject(Subject.java:910)
      20060424:174659.641 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at sun.reflect.GeneratedMethodAccessor210.invoke(Unknown Source)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.lang.reflect.Method.invoke(Method.java:324)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:809)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1296)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1247)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1052)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:278)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.util.HashMap.writeObject(HashMap.java:980)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.lang.reflect.Method.invoke(Method.java:324)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:809)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1296)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1247)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1052)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:278)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.tc5.session.SessionBasedClusteredSession.writeExternal(SessionBasedClusteredSession.java:288)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.tc5.session.JBossCacheService.externalizeSession(JBossCacheService.java:771)
      20060424:174659.642 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.tc5.session.JBossCacheService.putSession(JBossCacheService.java:229)
      20060424:174659.643 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.tc5.session.SessionBasedClusteredSession.processSessionRepl(SessionBasedClusteredSession.java:165)
      20060424:174659.643 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.tc5.session.JBossCacheManager.processSessionRepl(JBossCacheManager.java:606)
      20060424:174659.643 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.tc5.session.JBossCacheManager.storeSession(JBossCacheManager.java:375)
      20060424:174659.643 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.tc5.session.InstantSnapshotManager.snapshot(InstantSnapshotManager.java:38)
      20060424:174659.643 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.tc5.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:91)
      20060424:174659.643 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
      20060424:174659.643 1200052 DBEB9A6264EC35A290FF11A0D3A911DA http-12070-Processor70 INFO [STDOUT] - org.apache.catalina.session.StandardSessionFacade@c3015e javax.security.auth.subject: (Principals) [GenericPrincipal[1200052()]] class:class org.jboss.web.tomcat.security.JBossGenericPrincipal name:1200052
      20060424:174659.643 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      20060424:174659.644 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      20060424:174659.644 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      20060424:174659.645 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at com.winterthur.jackpot.tomcat.valves.SubjectDelegationCheckValve.invoke(SubjectDelegationCheckValve.java:122)
      20060424:174659.645 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at com.winterthur.jackpot.tomcat.valves.ResetServernameValve.invoke(ResetServernameValve.java:88)
      20060424:174659.645 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      20060424:174659.645 1200052 DBEB9A6264EC35A290FF86D0D3A911DA http-12070-Processor27 INFO [STDOUT] - org.apache.catalina.session.StandardSessionFacade@c3015e javax.security.auth.subject: (Principals) [1200052] class:class org.jboss.security.SimplePrincipal name:1200052
      20060424:174659.647 1200052 DBEB9A6264EC35A290FFD4F1D3A911DA http-12070-Processor64 INFO [STDOUT] - org.apache.catalina.session.StandardSessionFacade@c3015e javax.security.auth.subject: (Principals) [GenericPrincipal[1200052()]] class:class org.jboss.web.tomcat.security.JBossGenericPrincipal name:1200052
      20060424:174659.645 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      20060424:174659.649 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
      20060424:174659.649 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
      20060424:174659.649 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      20060424:174659.649 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
      20060424:174659.649 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
      20060424:174659.650 noroid no urid (no client request thread?) http-12070-Processor63 INFO [STDOUT] - at java.lang.Thread.run(Thread.java:534)
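      The stack trace above fails only at replication time, inside writeExternal, which is late and hard to attribute to the request that stored the Subject. The following is an added example (not code from this issue or from JBoss) that reproduces the failure mode in isolation and gives a pre-replication check: it attempts to serialize each session attribute the way a clustered session would and reports the attribute name together with the offending class, so the problem is caught while the request that introduced it is still identifiable. NonSerializablePrincipal and SerializablePrincipal are constructed stand-ins for JBossGenericPrincipal and SimplePrincipal; the attribute key javax.security.auth.subject is the one named in the report. The skipSubject flag mirrors solution 1 (do not replicate that attribute at all); the last call in main mirrors solution 2 (only serializable principals in the Subject). In a container the attribute snapshot would be built from HttpSession.getAttributeNames(); here a Map stands in for the session so the class runs stand-alone.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.Subject;

/**
 * Pre-replication check for session attributes. Added example, not JBoss or Tomcat code.
 * The two Principal classes below are constructed stand-ins, not the real
 * JBossGenericPrincipal / SimplePrincipal types.
 */
public class SessionSerializationCheck {

    /** Attribute key under which the container stores the Subject (taken from the report). */
    static final String SUBJECT_ATTR = "javax.security.auth.subject";

    /** Stand-in for a principal that does not implement Serializable (constructed). */
    static final class NonSerializablePrincipal implements Principal {
        private final String name;
        NonSerializablePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Stand-in for a principal that is safe to replicate (constructed). */
    static final class SerializablePrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        SerializablePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /**
     * Serializes the value into a throw-away buffer exactly as ObjectOutputStream would
     * during replication. Returns null if it succeeds, otherwise the name of the first
     * class that refused to serialize (NotSerializableException carries it as its message).
     */
    static String findNonSerializable(Object value) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(value);
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();
        } catch (IOException e) {
            return e.toString();
        }
    }

    /**
     * Checks a snapshot of session attributes and returns attribute name -> offending class
     * for every attribute that would break replication. With skipSubject=true the Subject
     * attribute is left out, which is what the report's solution 1 amounts to.
     */
    static Map<String, String> checkAttributes(Map<String, Object> attributes, boolean skipSubject) {
        Map<String, String> problems = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            if (skipSubject && SUBJECT_ATTR.equals(e.getKey())) {
                continue;
            }
            String offender = findNonSerializable(e.getValue());
            if (offender != null) {
                problems.put(e.getKey(), offender);
            }
        }
        return problems;
    }

    /** Builds a Subject holding a single principal, as an Authenticator would. */
    static Subject subjectWith(Principal p) {
        Subject s = new Subject();
        s.getPrincipals().add(p);
        return s;
    }

    public static void main(String[] args) {
        // Constructed session snapshot: one ordinary attribute plus the Subject attribute.
        Map<String, Object> session = new LinkedHashMap<>();
        session.put("cart", "two items");
        session.put(SUBJECT_ATTR, subjectWith(new NonSerializablePrincipal("1200052")));

        // Reproduces the reported state: the Subject attribute is flagged, the class name
        // in the map value is the non-serializable principal class.
        System.out.println("broken attributes:      " + checkAttributes(session, false));

        // Solution 1: do not replicate the Subject attribute at all.
        System.out.println("subject attribute skipped: " + checkAttributes(session, true));

        // Solution 2: only serializable principals reach the session; nothing is flagged.
        session.put(SUBJECT_ATTR, subjectWith(new SerializablePrincipal("1200052")));
        System.out.println("serializable principal:  " + checkAttributes(session, false));
    }
}
```

      Running checkAttributes from a Valve placed before the clustered session valve turns the late NotSerializableException into a log line that names the attribute and the request thread that stored it, which is what the interleaved Processor27 / Processor64 / Processor70 lines in the trace above are trying to establish by hand.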

      People

        bstansbe@redhat.com Brian Stansberry
        wv-javacoder Roland Räz (Inactive)