WildFly / WFLY-18851

IllegalStateException: UT000196: Session with id already exists' error seen after upgrading from Wildfly-19 to Wildfly-24


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 20.0.0.Final, 21.0.0.Final, 22.0.0.Final, 24.0.0.Final, 26.1.3.Final
    • Component/s: Security, Web (Undertow)
    • Labels: None

    Description

      This issue doesn't exist in WildFly 19.0.0.Final. It started to happen in WildFly 20, and I tried it on WildFly 21, 22, 24, and 26.1.3.

      We use the Elytron security module, with SSO.

      In our architecture, we have a big EAR application with a WAR module and some EJB modules. In addition to the EAR application there are some independent Spring Boot based WAR modules and one Angular based WAR module. All modules are in the same security domain. In WildFly 19, if I configured the SSO correctly and logged in successfully to the EAR module, I could navigate to the Angular WAR module without any authentication, and the Angular WAR module could initiate any request to any Spring Boot WAR module. If I invalidated the session in another module (the EAR, or any Spring WAR), the session was invalidated correctly in all modules, and after that, if I wanted to send any request to any module, the server navigated to the login page. This scenario works correctly in WildFly 19.


      We tried to upgrade to WildFly 24.0.1. Based on the Elytron documentation, the SSO configuration has not changed, so I expected SSO to work fine.

      • When I deploy the EAR module and the Angular WAR module together with the Spring Boot WAR module, I log in successfully to the EAR module.
      • When I try to navigate to the Angular WAR module I get this error:
      09:22:36,556 ERROR [io.undertow.request] (default task-7) UT005023: Exception handling request to /assistant/account: java.lang.IllegalStateException: UT000196: Session with id ZdeG7UZ5DhB2VuOxMjMxD8x7OaVR3qh6akCZTysQ already exists
      [Server:server]     at io.undertow.core@2.2.8.Final//io.undertow.server.session.InMemorySessionManager.createSession(InMemorySessionManager.java:192)
      [Server:server]     at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.spec.ServletContextImpl.getSession(ServletContextImpl.java:959)
      [Server:server]     at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.spec.HttpServletRequestImpl.getSession(HttpServletRequestImpl.java:423)
      [Server:server]     at org.wildfly.security.elytron-web.undertow-server-servlet@1.9.1.Final//org.wildfly.elytron.web.undertow.server.servlet.ElytronHttpServletExchange$3.create(ElytronHttpServletExchange.java:274)
      [Server:server]     at org.wildfly.security.elytron-base@1.16.1.Final//org.wildfly.security.http.util.sso.DefaultSingleSignOnSession.put(DefaultSingleSignOnSession.java:98)
      [Server:server]     at org.wildfly.security.elytron-base@1.16.1.Final//org.wildfly.security.auth.callback.CachedIdentityAuthorizeCallback.setAuthorized(CachedIdentityAuthorizeCallback.java:158)
      [Server:server]     at org.wildfly.security.elytron-base@1.16.1.Final//org.wildfly.security.http.util.sso.SingleSignOnServerMechanismFactory$3.setAuthorized(SingleSignOnServerMechanismFactory.java:287)
      [Server:server]     at org.wildfly.security.elytron-base@1.16.1.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1130)
      [Server:server]     at org.wildfly.security.elytron-base@1.16.1.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:868)
      [Server:server]     at org.wildfly.security.elytron-base@1.16.1.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:126) 

      The final state is that I cannot log out from the application. The session is rebuilt after each request, and this error is thrown again and again on every browser refresh.

      I tried disabling the session-id-reuse feature in the undertow module (https://docs.wildfly.org/24/wildscribe/subsystem/undertow/servlet-container/index.html), and this resolves the error, but logout is still not working.

      My final solution is that in ElytronHttpServletExchange (https://github.com/wildfly-security/elytron-web/tree/1.9.1.Final) I turned off the changeID() method in the sessionScope() factory method (this method does not exist in WF19): it returns true if the session already exists and false otherwise. And in InMemorySessionManager (https://github.com/undertow-io/undertow/blob/2.2.8.Final) I reused the existing session instead of throwing the 'sessionWithIdAlreadyExists' exception in the createSession() method.

      With this final solution, SSO and logout are working fine, the same as in WF19.

      I see that there is a similar bug ticket: https://access.redhat.com/solutions/6161562
      My questions:

      • Is this bug real and solved in a newer release (or am I configuring something wrong)?
      • Is there any workaround other than making a custom build of these modules?


      Thank you very much in advance,

      Gábor Armuth
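The two configuration knobs the report refers to, shown together as an added illustration that is not part of the original issue and not WildFly's own documentation: the disable-session-id-reuse attribute on the Undertow servlet container (the setting the reporter disabled, which removed the UT000196 exception but not the logout problem) and the Elytron single-sign-on element on the Undertow application security domain that every module in the report shares. The domain and factory names (app-domain, app-http-auth), the cookie domain, the key-store name and alias, and the credential are assumptions for the example; the subsystem namespace is omitted on purpose.

```xml
<!-- Excerpt of standalone.xml, undertow subsystem (xmlns omitted; use the version your
     WildFly ships). All names below are assumptions made for this example. -->
<subsystem>

    <!-- Workaround tried in the report. Default is false: an incoming JSESSIONID that
         the server does not know is reused as the id of the newly created session.
         With true, such a request always gets a freshly generated session id. -->
    <servlet-container name="default" disable-session-id-reuse="true">
        <jsp-config/>
        <websockets/>
    </servlet-container>

    <application-security-domains>
        <!-- The EAR and every independent WAR in the report select this one domain
             (assumed name "app-domain") from their jboss-web.xml / jboss-app.xml. -->
        <application-security-domain name="app-domain"
                                     http-authentication-factory="app-http-auth">
            <!-- Elytron SSO across deployments: one cookie scoped to the assumed domain,
                 protected with a key from the assumed Elytron key-store "sso-ks". -->
            <single-sign-on domain="example.com"
                            path="/"
                            http-only="true"
                            secure="true"
                            key-store="sso-ks"
                            key-alias="sso">
                <credential-reference clear-text="changeit"/>
            </single-sign-on>
        </application-security-domain>
    </application-security-domains>

</subsystem>
```

Each WAR selects the domain with `<security-domain>app-domain</security-domain>` in WEB-INF/jboss-web.xml (the EAR through META-INF/jboss-app.xml), which is what "all modules are in the same security domain" in the report corresponds to. The servlet-container change can also be made at runtime with the CLI command `/subsystem=undertow/servlet-container=default:write-attribute(name=disable-session-id-reuse,value=true)` followed by a reload. Note that the report found this setting only suppresses the exception; the failing logout is unchanged by it.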

People

    Assignee: Unassigned
    Reporter: Gábor Armuth (armuthg, inactive)
    Votes: 0
    Watchers: 1