[jira] [Commented] (GEODE-8217) Geode session replication could leak internal serialized bytes during HttpSessionAttributeListener invocation even when preferDeserializedForm is set to true

Thu, 25 Jun 2020 13:59:14 -0700 


    [ 
https://issues.apache.org/jira/browse/GEODE-8217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17145831#comment-17145831
 ] 

ASF subversion and git services commented on GEODE-8217:
--------------------------------------------------------

Commit 9cc61bf2c0cb91f1a6b551fef6984214e23730e2 in geode's branch 
refs/heads/develop from Jacob Barrett
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=9cc61bf ]

GEODE-8217: Deserialize attribute before update and remove. (#5256)

When preferDeserializedForm is true we deserialize the previous attributes 
before update or remove.

Deprecates preferDeserializedForm since when false it's unclear when you will 
get serialized or unserialized forms of attributes.


> Geode session replication could leak internal serialized bytes during 
> HttpSessionAttributeListener invocation even when preferDeserializedForm is 
> set to true
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GEODE-8217
>                 URL: https://issues.apache.org/jira/browse/GEODE-8217
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>            Reporter: Eric Shu
>            Assignee: Eric Shu
>            Priority: Major
>              Labels: caching-applications
>             Fix For: 1.14.0
>
>
> When preferDeserializedForm is set to true (default value), session object 
> should not contain serialized byte in the cache. However, the following 
> exception shows that product leaks the serialized bytes.
> {noformat}
> Jun 02, 2020 3:31:58 PM org.apache.catalina.session.StandardSession 
> setAttribute
> SEVERE: Session attribute event listener threw exception
> java.lang.ClassCastException: [B cannot be cast to java.lang.String
>         at 
> org.apache.geode.modules.session.AccessAttributeValueListener.attributeReplaced(AccessAttributeValueListener.java:34)
>         at 
> org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1482)
>         at 
> org.apache.geode.modules.session.catalina.DeltaSession.setAttribute(DeltaSession.java:262)
>         at 
> org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1385)
>         at 
> org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:137)
>         at 
> org.apache.geode.modules.session.catalina.DeltaSessionFacade.setAttribute(DeltaSessionFacade.java:49)
>         at 
> org.apache.geode.modules.session.CommandServlet.doGet(CommandServlet.java:64)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>         at 
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>         at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
>         at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>         at 
> org.apache.geode.modules.session.catalina.CommitSessionValve.invoke(CommitSessionValve.java:47)
>         at 
> org.apache.geode.modules.session.catalina.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:45)
>         at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
>         at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at 
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609)
>         at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
>         at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
>         at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> {noformat}
> Please note if preferDeserializedForm is set to false, this issue could still 
> exist, unless HttpSessionBindingEvent.getValue() is not being accessed by the 
> application. Otherwise, user should set preferDeserializedForm to true to 
> avoid this issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to