0 Replies Latest reply on Nov 3, 2006 9:16 AM by Sriraman Gopalan

    SessionTimeout bug in tomcat 5.5.20

    Sriraman Gopalan Newbie

      Hi,

      I am working on container managed authentication using a form based login. I have configured web security as follows in web.xml:

      <error-page>
      <error-code>400</error-code>
      <error-code>403</error-code>
      <error-code>404</error-code>
      <error-code>500</error-code>
      <location>/index.jsp</location>
      </error-page>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Whole site</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>*</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>SecDomain</realm-name>
      <form-login-config>
      <form-login-page>/Login.seam</form-login-page>
      <form-error-page>/authorization-error.seam</form-error-page>
      </form-login-config>
      </login-config>
      


      I have a JSF page in the secured realm (/secure/) from where I am calling a EJB3 stateless session bean using JBoss Seam.

      It is working fine if the session has not timed out. However, if the session has got timed out and after which if I try to call a method on a SLSB, I get the following error:

      HTTP Status 403 - The request body was too large to be cached during the authentication process
      ________________________________________
      type Status report
      message The request body was too large to be cached during the authentication process
      description Access to the specified resource (The request body was too large to be cached during the authentication process) has been forbidden.
      ________________________________________
      Apache Tomcat/5.5.20
      


      Going through the server logs, I find the following output:

      2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '277A5C3578B0DDDF9DA12DEEA47985AB'
      2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Request body too big to save during authentication
      2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
      


      Going through the source for the FormAuthenticator Class, I found that the above message was displayed in the authenticate method, the snapshot of which is as follows:

      // No -- Save this request and redirect to the form login page
      if (!loginAction) {
      session = request.getSessionInternal(true);
      if (log.isDebugEnabled())
      log.debug("Save request in session '" + session.getIdInternal() + "'");
      try {
      saveRequest(request, session);
      } catch (IOException ioe) {
      log.debug("Request body too big to save during authentication");
      response.sendError(HttpServletResponse.SC_FORBIDDEN,
      sm.getString("authenticator.requestBodyTooBig"));
      return (false);
      }
      forwardToLoginPage(request, response, config);
      return (false);
      }
      



      Also, I noticed that the saveRequest method does not throw any exception in the previous versions.

      Inside the saveRequest method, the highlighted line in the following code snippet is the place where the exception is thrown:

      if ("POST".equalsIgnoreCase(request.getMethod())) {
       ByteChunk body = new ByteChunk();
       body.setLimit(request.getConnector().getMaxSavePostSize());
      
       byte[] buffer = new byte[4096];
       int bytesRead;
       InputStream is = request.getInputStream();
      
       while ( (bytesRead = is.read(buffer) ) >= 0) {
       body.append(buffer, 0, bytesRead);
       }
       saved.setBody(body);
      }
      



      I understand that by default the getMaxSavePostSize() returns 2MB .

      I would have expected Tomcat to have redirected me to the login page since, the session has expired.

      Note:

      I am using JBoss 4.0.5 GA, Seam 1.0.1 GA and Tomcat 5.5.20.

      regards
      sriraman.