[ https://issues.apache.org/jira/browse/GEODE-8217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacob Barrett updated GEODE-8217:
---------------------------------
    Affects Version/s: 1.14.0
                       1.13.0
                       1.12.0

> Geode session replication could leak internal serialized bytes during HttpSessionAttributeListener invocation even when preferDeserializedForm is set to true
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GEODE-8217
>                 URL: https://issues.apache.org/jira/browse/GEODE-8217
>             Project: Geode
>          Issue Type: Bug
>          Components: http session
>    Affects Versions: 1.12.0, 1.13.0, 1.14.0
>            Reporter: Eric Shu
>            Assignee: Eric Shu
>            Priority: Major
>              Labels: caching-applications
>             Fix For: 1.12.2, 1.13.3, 1.14.0
>
>
> When preferDeserializedForm is set to true (default value), the session object
> should not contain serialized bytes in the cache. However, the following
> exception shows that the product leaks the serialized bytes.
> {noformat}
> Jun 02, 2020 3:31:58 PM org.apache.catalina.session.StandardSession setAttribute
> SEVERE: Session attribute event listener threw exception
> java.lang.ClassCastException: [B cannot be cast to java.lang.String
>         at org.apache.geode.modules.session.AccessAttributeValueListener.attributeReplaced(AccessAttributeValueListener.java:34)
>         at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1482)
>         at org.apache.geode.modules.session.catalina.DeltaSession.setAttribute(DeltaSession.java:262)
>         at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1385)
>         at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:137)
>         at org.apache.geode.modules.session.catalina.DeltaSessionFacade.setAttribute(DeltaSessionFacade.java:49)
>         at org.apache.geode.modules.session.CommandServlet.doGet(CommandServlet.java:64)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>         at org.apache.geode.modules.session.catalina.CommitSessionValve.invoke(CommitSessionValve.java:47)
>         at org.apache.geode.modules.session.catalina.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:45)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> {noformat}
> Please note that if preferDeserializedForm is set to false, this issue could still
> exist, unless HttpSessionBindingEvent.getValue() is not being accessed by the
> application. Otherwise, the user should set preferDeserializedForm to true to
> avoid this issue.

--
This message was sent by Atlassian Jira (v8.20.1#820001)