0 Replies Latest reply on Sep 14, 2016 11:47 AM by blazej.stokwisz

    Wildfly, undertow, session management, concurrent requests, invalidation

    blazej.stokwisz

      Hi!

       

      I would like to clarify whether I am struggling with a WildFly/Undertow bug or whether it is just my misunderstanding. My team is trying to migrate our application from JBoss 6 to WildFly.

       

      Let us assume (in the context of my application):

      1. All HTTP sessions (HttpSession objects) are stored in a map.
      2. It is possible to select the proper HttpSession object from this map by user.

       

      The problematic logic is as follows:

      Main Thread:

      An already logged-in user (whose requests are linked with an HTTP session) executes a new request using the HTTP POST method to the WildFly server, which is dispatched to a Struts Action.

      The Action has direct access to the HttpServletRequest object.

      At this moment a concurrent block of code is executed (the main thread waits until the new thread ends).

      Thread#2:

      A new request is executed to the WildFly server using the HTTP GET method to the proper servlet with the proper attributes, especially the logged-in user name.

      In the doGet method those attributes are used to get the HttpSession object from the sessions map.

      The javax.servlet.http.HttpSession#invalidate method is executed on the obtained session object.

      Main Thread:

      The javax.servlet.http.HttpServletRequest#getSession() method is executed to get a new and fresh session, but...

       

      The last step returns the original HttpSession object, which is attached to the exchange for this specific request, so, for example, calling the removeAttribute(String) method on the session object throws an IllegalStateException with the message io.undertow.UndertowMessages#sessionNotFound or, in newer versions of Undertow, io.undertow.UndertowMessages#sessionIsInvalid.

       

      There are two places in the Undertow implementation that seem to be problematic:

      1. For each request Undertow creates a copy of the servlet context (so, for example, each request thread operates on a different HTTP session object).

      2. A fragment of io.undertow.servlet.spec.ServletContextImpl#getSession(io.undertow.servlet.spec.ServletContextImpl, HttpServerExchange, boolean):

      if (httpSession != null && httpSession.isInvalid()) {
          exchange.removeAttachment(sessionAttachmentKey);
          httpSession = null;
      }
      

       

      So, if we have two requests that are linked with one semantically identical session, and we invalidate that session using one request, the second one does not know that, and there is no way in that second request to get a new and fresh session using the getSession(true) method.

       

      I would be very thankful if someone could correct my point of view or if it is confirmed as a bug. Thanks in advance.
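
A simplified model of the situation described in this post, added here as an illustration and not taken from the post or from Undertow's source: each request holds its own wrapper around a shared session, and validity is checked either on the wrapper's own flag or against the shared store. All class, field and method names are hypothetical, and the store lookup is only one assumed way to detect an invalidation made through another request.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of the behaviour described in the post; NOT Undertow code, all names hypothetical.
public class StaleSessionModel {
    // Shared store: session id -> attributes (stands in for the session manager).
    static final Map<String, Map<String, Object>> STORE = new ConcurrentHashMap<>();
    static int counter = 0;

    // Per-request wrapper around a shared session id.
    static class Handle {
        final String id;
        boolean invalidFlag;   // set only on the wrapper that called invalidate()
        Handle(String id) { this.id = id; }
        void invalidate() { invalidFlag = true; STORE.remove(id); }
        void removeAttribute(String name) {
            Map<String, Object> attrs = STORE.get(id);
            if (attrs == null) throw new IllegalStateException("session is invalid: " + id);
            attrs.remove(name);
        }
    }
    // One in-flight request with its own attached wrapper.
    static class Request {
        Handle attached;
        final boolean checkStore;   // false = trust the wrapper flag only, true = also ask the store
        Request(String id, boolean checkStore) { attached = new Handle(id); this.checkStore = checkStore; }
        Handle getSession() {
            boolean invalid = attached.invalidFlag
                    || (checkStore && !STORE.containsKey(attached.id));
            if (invalid) {          // drop the stale wrapper and create a fresh session
                String id = "s" + (++counter);
                STORE.put(id, new ConcurrentHashMap<>());
                attached = new Handle(id);
            }
            return attached;
        }
    }

    public static void main(String[] args) {
        for (boolean checkStore : new boolean[] {false, true}) {
            STORE.put("orig", new ConcurrentHashMap<>());      // constructed sample session
            Request post = new Request("orig", checkStore);    // main thread's POST
            Request get = new Request("orig", checkStore);     // Thread#2's GET
            get.getSession().invalidate();                     // invalidated through the other request
            Handle h = post.getSession();
            try { h.removeAttribute("user"); System.out.println(checkStore + ": fresh session " + h.id); }
            catch (IllegalStateException e) { System.out.println(checkStore + ": " + e.getMessage()); }
        }
    }
}
```

With the wrapper flag alone, the POST request keeps its stale wrapper and removeAttribute throws IllegalStateException; when the shared store is also consulted, the same call receives a fresh session.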