6 Replies Latest reply on May 7, 2018 12:41 PM by jewellgm

Wildfly 8.2.1 issue with JSESSIONID

n_nagraj321 May 3, 2018 3:17 AM

Hi All,

I could see that jessionid in wildfly is getting generated with special characters. But in our case we need it with only alpha and numeric.

I have already added the org.apache.catalina.session.ManagerBase.SESSION_ID_ALPHABET parameter with alpha and numeric in the standalone.bat but its still giving the special characters for the jsessionid.

set "SERVER_OPTS=%SERVER_OPTS% -Dorg.apache.catalina.session.ManagerBase.SESSION_ID_ALPHABET=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

Thanks in Advance.

Nagaraju

1. Re: Wildfly 8.2.1 issue with JSESSIONID

jewellgm May 3, 2018 12:14 PM (in response to n_nagraj321)

Wildfly doesn't use tomcat underneath the covers, so setting that property wouldn't have an effect. The web server is now the Undertow product. Looking at github, it appears that the SessionId is generated with a class called SecureRandomSessionIdGenerator.

Earlier versions of this class hard-coded the alphabet that is pulled from to generate the sessionId. I don't know what version of Undertow is embedded within Wildfly 8.2.1, but if it's Undertow 1.4 or later, you can set the system property "io.undertow.server.session.SecureRandomSessionIdGenerator.ALPHABET" to use the character set you desire.

https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/session/SecureRandomSessionIdGenerator.java
Actions
2. Re: Wildfly 8.2.1 issue with JSESSIONID

jewellgm May 3, 2018 4:53 PM (in response to jewellgm)

I didn't notice this before, but the class documentation states that the alphabet length has to be exactly 64 characters. The set of alphanumeric characters only provides 62, so you'd need to repeat 2 of them.

Having said that, according to this page, Wildfly 8.2.1 contains Undertow 1.1.8, so setting that system variable won't be of help to you.

Release Notes - JBoss Issue Tracker
Actions
3. Re: Wildfly 8.2.1 issue with JSESSIONID

n_nagraj321 May 4, 2018 2:29 AM (in response to jewellgm)

Thanks Greg.

I have tried repeating the 2 characters but still getting the special characters in the JsessionID. Looks like this solution is not working
set "SERVER_OPTS=%SERVER_OPTS% -Dorg.apache.catalina.session.ManagerBase.SESSION_ID_ALPHABET=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345678901"

Thanks
Nagarjau
Actions
4. Re: Wildfly 8.2.1 issue with JSESSIONID

pferraro May 6, 2018 4:38 PM (in response to n_nagraj321)

n_nagraj321 Please reread jewellgm 's initial reply again. The system property you are using is not used in WildFly.
Actions
5. Re: Wildfly 8.2.1 issue with JSESSIONID

n_nagraj321 May 7, 2018 6:11 AM (in response to pferraro)

Hi @pferraro,

@jewellgm mentioned we need to use the "io.undertow.server.session.SecureRandomSessionIdGenerator.ALPHABET" only if the undertow version is >= 1.4 but the wildfly 8.2.1 is using 1.2 only. So we can't use it.

Thanks
Nagaraju
Actions
6. Re: Wildfly 8.2.1 issue with JSESSIONID

jewellgm May 7, 2018 12:41 PM (in response to n_nagraj321)

If you are allowed to get the undertow source code from git, you can make the change to that class, compile, and regenerate a new undertow-core jar. You could then replace that jar in your wildfly deployment without problem. Of course, you would need to grab the same version of undertow that is being used by wildfly 8.2.1.
Actions

Go to original post