[ https://issues.apache.org/jira/browse/GEODE-8217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17318382#comment-17318382 ]

ASF subversion and git services commented on GEODE-8217:
--------------------------------------------------------

Commit 92821404a57301d7497464a3ded90b9b2123721e in geode's branch 
refs/heads/support/1.12 from Jacob Barrett
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=9282140 ]

GEODE-8217: Deserialize attribute before update and remove. (#5256)

When preferDeserializedForm is true we deserialize the previous attributes 
before update or remove.

Deprecates preferDeserializedForm since when false it's unclear when you will 
get serialized or unserialized forms of attributes.

(cherry picked from commit 9cc61bf2c0cb91f1a6b551fef6984214e23730e2)


> Geode session replication could leak internal serialized bytes during 
> HttpSessionAttributeListener invocation even when preferDeserializedForm is 
> set to true
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GEODE-8217
>                 URL: https://issues.apache.org/jira/browse/GEODE-8217
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>            Reporter: Eric Shu
>            Assignee: Eric Shu
>            Priority: Major
>              Labels: caching-applications
>             Fix For: 1.14.0
>
>
> When preferDeserializedForm is set to true (default value), the session object 
> should not contain serialized bytes in the cache. However, the following 
> exception shows that the product leaks the serialized bytes.
> {noformat}
> Jun 02, 2020 3:31:58 PM org.apache.catalina.session.StandardSession setAttribute
> SEVERE: Session attribute event listener threw exception
> java.lang.ClassCastException: [B cannot be cast to java.lang.String
>         at org.apache.geode.modules.session.AccessAttributeValueListener.attributeReplaced(AccessAttributeValueListener.java:34)
>         at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1482)
>         at org.apache.geode.modules.session.catalina.DeltaSession.setAttribute(DeltaSession.java:262)
>         at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1385)
>         at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:137)
>         at org.apache.geode.modules.session.catalina.DeltaSessionFacade.setAttribute(DeltaSessionFacade.java:49)
>         at org.apache.geode.modules.session.CommandServlet.doGet(CommandServlet.java:64)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>         at org.apache.geode.modules.session.catalina.CommitSessionValve.invoke(CommitSessionValve.java:47)
>         at org.apache.geode.modules.session.catalina.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:45)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> {noformat}
> Please note that if preferDeserializedForm is set to false, this issue could still 
> exist, unless HttpSessionBindingEvent.getValue() is not being accessed by the 
> application. Otherwise, the user should set preferDeserializedForm to true to 
> avoid this issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
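
The behaviour described in the commit message and the ClassCastException in the report can be reproduced in a small stand-alone model. This is an added example, not Geode code and not part of the original message: `SessionModel`, `putReplicated` and the `deserializeOldValue` switch are hypothetical names, and the model assumes attributes replicated from another member are held as Java-serialized `byte[]`.

```java
import java.io.*;
import java.util.*;
import java.util.function.BiConsumer;

// Simplified model (assumption, not Geode's classes): an attribute that arrived
// through replication sits in the map as serialized byte[] until it is read.
public class SessionModel {
    private final Map<String, Object> attributes = new HashMap<>();
    private final boolean deserializeOldValue;             // true = step from the commit applied
    private final BiConsumer<String, Object> onReplaced;   // receives (name, previous value)

    SessionModel(boolean deserializeOldValue, BiConsumer<String, Object> onReplaced) {
        this.deserializeOldValue = deserializeOldValue;
        this.onReplaced = onReplaced;
    }

    // Constructed stand-in for an attribute stored in serialized form.
    void putReplicated(String name, Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(value); }
        attributes.put(name, bos.toByteArray());
    }

    void setAttribute(String name, Object value) throws Exception {
        Object old = attributes.put(name, value);
        // Turn the previous value back into an object before any listener sees it.
        // The model assumes applications never store raw byte[] themselves.
        if (deserializeOldValue && old instanceof byte[]) {
            try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream((byte[]) old))) {
                old = ois.readObject();
            }
        }
        if (old != null) onReplaced.accept(name, old);
    }

    public static void main(String[] args) throws Exception {
        List<Object> seen = new ArrayList<>();
        for (boolean fixed : new boolean[] {false, true}) {
            SessionModel s = new SessionModel(fixed, (n, old) -> seen.add(old));
            s.putReplicated("user", "alice");
            s.setAttribute("user", "bob");
        }
        // First run: the listener is handed the internal byte[], so a (String) cast
        // fails as in the reported trace. Second run: it is handed the String.
        System.out.println("unfixed listener saw byte[]: " + (seen.get(0) instanceof byte[]));
        System.out.println("fixed listener saw String:   " + "alice".equals(seen.get(1)));
    }
}
```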
