Uploaded image for project: 'Weld'
  1. Weld
  2. WELD-1802

Undertow - Weld integration issue causing threads to have invalid state

    XMLWordPrintable

Details

    Description

      When testing our system with multiple users, we sometimes get into a situation where one user gets the log in context of another user. This typically happens when running parts of our system with many bugs/stacktraces, combined with a session timeout.

      I am able to reproduce the error in a local test environment, and what I observe is that a thread that is involved in a certain error situation gets invalid state. Requests that are processed by this thread gets session scoped beans that are related to the user that was logged in during the error situation. Typically, I can refresh my browser and in the response I see that the logged in user and access rights in menus change whenever I hit a bad thread.

      The following information from the log file seems to be important:

      2014-11-24 18:25:23,372 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /secure/counting/startCounting.xhtml: java.lang.IllegalStateException: UT000010: Session not found k8HV3WF4xJ6c8lx7HX8Dz3rM
	at io.undertow.server.session.InMemorySessionManager$SessionImpl.removeAttribute(InMemorySessionManager.java:389) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.spec.HttpSessionImpl.removeAttribute(HttpSessionImpl.java:182) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.spec.HttpSessionImpl.setAttribute(HttpSessionImpl.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at no.evote.presentation.exceptions.ErrorPageRenderer.render(ErrorPageRenderer.java:84) [classes:]
	at no.evote.presentation.exceptions.ErrorPageRenderer.render500Error(ErrorPageRenderer.java:72) [classes:]
	at no.evote.presentation.exceptions.CustomExceptionHandler.handle(CustomExceptionHandler.java:85) [classes:]
	at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:119) [jsf-impl-2.2.8-jbossorg-1.jar:]
	at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:219) [jsf-impl-2.2.8-jbossorg-1.jar:]
	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:647) [jboss-jsf-api_2.2_spec-2.2.8.jar:2.2.8]
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at org.primefaces.webapp.filter.FileUploadFilter.doFilter(FileUploadFilter.java:72) [primefaces-5.0.8.jar:5.0.8]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at no.evote.service.security.DisableCachingFilter.doFilter(DisableCachingFilter.java:28) [classes:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at no.evote.service.security.SelectRoleFilter.doFilter(SelectRoleFilter.java:68) [classes:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at no.evote.service.security.CSRFFilter.doFilter(CSRFFilter.java:48) [classes:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at no.valg.eva.admin.frontend.security.SamlAssertionFilter.doFilter(SamlAssertionFilter.java:92) [classes:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at no.evote.presentation.util.filters.IEModeFilter.doFilter(IEModeFilter.java:38) [classes:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at no.evote.presentation.util.filters.ForceLocaleFilter.doFilter(ForceLocaleFilter.java:55) [classes:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

2014-11-24 18:25:23,379 WARN  [org.jboss.weld.Context] (default task-5) WELD-000224: Unable to clear the bean store org.jboss.weld.context.beanstore.http.LazySessionBeanStore@133b87c6.
2014-11-24 18:25:23,379 WARN  [org.jboss.weld.Servlet] (default task-5) WELD-000712: Unable to dissociate context org.jboss.weld.context.http.LazyHttpConversationContextImpl@79d94ec0 when destroying request io.undertow.servlet.spec.HttpServletRequestImpl@29c15dbf
2014-11-24 18:25:23,381 ERROR [io.undertow.servlet.request] (default task-5) UT015005: Error invoking method requestDestroyed on listener class org.jboss.weld.servlet.WeldInitialListener: java.lang.IllegalStateException: UT000010: Session not found k8HV3WF4xJ6c8lx7HX8Dz3rM
	at io.undertow.server.session.InMemorySessionManager$SessionImpl.setAttribute(InMemorySessionManager.java:373) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.spec.HttpSessionImpl.setAttribute(HttpSessionImpl.java:168) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at org.jboss.weld.context.beanstore.http.AbstractSessionBeanStore.setAttribute(AbstractSessionBeanStore.java:67) [weld-core-impl-2.2.6.Final.jar:2014-10-03 10:05]
	at org.jboss.weld.context.beanstore.AttributeBeanStore.attach(AttributeBeanStore.java:88) [weld-core-impl-2.2.6.Final.jar:2014-10-03 10:05]
	at org.jboss.weld.context.AbstractConversationContext.deactivate(AbstractConversationContext.java:297) [weld-core-impl-2.2.6.Final.jar:2014-10-03 10:05]
	at org.jboss.weld.context.http.LazyHttpConversationContextImpl.deactivate(LazyHttpConversationContextImpl.java:75) [weld-core-impl-2.2.6.Final.jar:2014-10-03 10:05]
	at org.jboss.weld.servlet.ConversationContextActivator.deactivateConversationContext(ConversationContextActivator.java:154) [weld-core-impl-2.2.6.Final.jar:2014-10-03 10:05]
	at org.jboss.weld.servlet.HttpContextLifecycle.requestDestroyed(HttpContextLifecycle.java:274) [weld-core-impl-2.2.6.Final.jar:2014-10-03 10:05]
	at org.jboss.weld.servlet.WeldInitialListener.requestDestroyed(WeldInitialListener.java:143) [weld-core-impl-2.2.6.Final.jar:2014-10-03 10:05]
	at io.undertow.servlet.core.ApplicationListeners.requestDestroyed(ApplicationListeners.java:225) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:304) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

      After this happens, the thread task-5 is in an invalid state, and users served by this thread get context information from the previous user.

      Attachments

        Issue Links

          relates to

          Bug - A problem that impairs or prevents the functions of the product. WELD-1704 Session Scope can leak to other HTTP Sessions

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              mkouba@redhat.com Martin Kouba
              runeks2 Rune Steinseth (Inactive)
              Tomas Remes
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: