3 Replies Latest reply on Jan 28, 2016 9:17 PM by pferraro

Wildfly 10 CR4: NPE on session.invalidate()

jamat Dec 4, 2015 4:18 PM

Steps to reproduce:

- 2 webapps deployed with FORM auth-method

- singlesignon is configured

- log in to first webapp -> OK

- navigate to a second webapp in another tab -> I do not have to provide credentials

- go back to the first webapp and invoke a method that will call session.invalidate() -> NPE:

15:00:17,605 ERROR [io.undertow.request] (default task-22) UT005023: Exception handling request to /jaja/InvalidateServlet: java.lang.NullPointerException

at io.undertow.server.session.InMemorySessionManager.getSession(InMemorySessionManager.java:190)

at org.wildfly.clustering.web.undertow.sso.DistributableSingleSignOn$InvalidatableSession.invalidate(DistributableSingleSignOn.java:127)

at io.undertow.security.impl.SingleSignOnAuthenticationMechanism$SessionInvalidationListener.sessionDestroyed(SingleSignOnAuthenticationMechanism.java:169)

at io.undertow.server.session.SessionListeners.sessionDestroyed(SessionListeners.java:61)

at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:526)

at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:505)

at io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:199)

Looking at the code I see that in sessionDestroyed we call: sessionToRemove.invalidate(null);

which will lead to this NPE.

I am doing something wrong or is this a bug?

1. Re: Wildfly 10 CR4: NPE on session.invalidate()

jamat Dec 4, 2015 4:39 PM (in response to jamat)

The last change in core/src/main/java/io/undertow/server/session/InMemorySessionManager.java getSession() is probably the problem.
Before we had:

String sessionId = config.findSessionId(serverExchange);
return getSession(sessionId);

Now this was added:
SessionImpl newSession = serverExchange.getAttachment(NEW_SESSION);
if(newSession != null) {
return newSession;
}
and obviously if serverExchange is null, as this is the case here, we have this NPE.

refer to: UNDERTOW-528 Sessions.getOrCreateSession() returns a new Session for … · undertow-io/undertow@edb739e · GitHub
Actions
2. Re: Wildfly 10 CR4: NPE on session.invalidate()

jamat Jan 22, 2016 3:12 PM (in response to jamat)

I have tried again with wildfly 10.0.0.CR5 and the problem is still there.
Note that the problem happens if the webapp uses the InMemorySessionManager, that is, if the web.xml does not contain the <distribuable/> tag.

Marking all the webapps 'distributable' to avoid the problem will most likely have a performance impact.
Actions
3. Re: Wildfly 10 CR4: NPE on session.invalidate()

pferraro Jan 28, 2016 9:17 PM (in response to jamat)

This is fixed by: UNDERTOW-603 NPE during invalidation of session associated with SSO · undertow-io/undertow@c2775d6 · GitHub
and will be fixed in WF 10.0.0.Final.
Actions

Go to original post