9 Replies Latest reply on Mar 31, 2009 7:31 PM by K J

    IllegalStateException(s) on logout

    K J Newbie

      Hi All,

      I am using JBoss 5 GA on a Solaris 10/x86 machine.
      Every time someone logs out from a web app that is deployed in this container, we see the following exception in the shell where JBoss was started:

      ERROR [CoyoteAdapter] An exception or error occurred in the container during the request processing
      java.lang.IllegalStateException: Security Context is null
      at org.jboss.web.tomcat.security.SecurityAssociationActions$PopRunAsRoleAction.run(SecurityAssociationActions.java:156)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.web.tomcat.security.SecurityAssociationActions.popRunAsIdentity(SecurityAssociationActions.java:302)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:193)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:619)

      This is when the application is being accessed without any issues.

      There is another scenario that occurs sometimes wherein, once a person logs in and out successfully, the next person who logs in is not able to access any page - all pages display an access denied message. The exception thrown in this case is as follows:

      ERROR [JBossWebRealm] Error during authenticate
      java.lang.IllegalStateException: Security Context has not been set
      at org.jboss.web.tomcat.security.SecurityAssociationActions$SetPrincipalInfoA
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.web.tomcat.security.SecurityAssociationActions.setPrincipalInfo(
      at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.jav
      at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthe
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBa
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.jav
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(Se
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(Sec
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:1
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:1
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnec
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.ja
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Ht
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:595)

      Can anybody throw some light on either / both of these cases?


        • 1. Re: IllegalStateException(s) on logout
          Wolfgang Knauf Master


          How do you perform login and logout? The logout should be a simple "session.invalidate();"

          Best regards


          • 2. Re: IllegalStateException(s) on logout
            K J Newbie

            Hi Wolfgang,

            We are using JBoss's WebAuthentication feature. Our application has simple servlets and EJBs doing standard security API calls to verify users and their roles etc. We are using our own login module.


            • 3. Re: IllegalStateException(s) on logout
              Wolfgang Knauf Master

              How do you logout?

              Could you post the relevant bits of your login/logout code, and also the basics of your login module?
              Up to now, I don't have any idea what might be the problem.


              • 4. Re: IllegalStateException(s) on logout
                K J Newbie

                Hello Wolfgang -

                Been trying to debug this issue for a week now without success. So, here is some more info. for you on the logout.

                Setup: Testing the Java EE JBoss agent with opensso server and a sample app that ships with the agent bits.
                using JBOSS 5.0.0.GA (jdk6 build)

                On a high level, the logout involves the following steps:
                -> Detects the need for logout by intercepting the request
                -> Calls the container specific logout handler
                -> Even if the logout handler fails, destroy the local session
                -> Reset the cookies

                PS: The same process works fine for Tomcat container (no exception thrown)
                But every time we try to log out (when the app is deployed in JBoss), we get this java.lang.IllegalStateException: Security context is null (thrown from the CoyoteAdapter.service() method; the complete stack trace is available in the previous post).

                I am going to try the same thing with JBoss5 (not the jdk 6 build) and see if that makes any difference.

                Any help/lead will be greatly appreciated.


                • 5. Re: IllegalStateException(s) on logout
                  K J Newbie

                  I tried with JBoss 5.0.0 (jdk 5) and it still throws the exception.


                  • 6. Re: IllegalStateException(s) on logout
                    Wolfgang Knauf Master


                    It seems that JBoss plugs in its own Valve "org.jboss.web.tomcat.security.SecurityAssociationValve", which requires the Security Context. It seems this Valve is called after your own logout.

                    So maybe it helps to move your logout code after this valve (e.g. in a custom Valve)?

                    Hope this is no total nonsense, but this is far beyond my own security experiences, so I just can do some guessing ;-)

                    Maybe you should ask this question in the Security forum http://www.jboss.com/index.html?module=bb&op=viewforum&f=49


                    • 7. Re: IllegalStateException(s) on logout
                      K J Newbie

                      Thanks for your response.
                      I have also posted this issue in the Security forum.
                      But could you please elaborate a little on "move your logout code after this valve (e.g. in a custom Valve)?" Do I have to write one?
                      I am new to JBoss, so is there any reference I could look up to understand this better?


                      • 8. Re: IllegalStateException(s) on logout
                        Wolfgang Knauf Master


                        I cannot help you much further, I didn't play with Valves up to now ;-). I just noticed that a JBoss specific valve seems to require the credentials, so I concluded that you cannot remove them before this valve is processed.
                        I don't have any experience with Valves, so it is up to you to dig into this ;-).

                        But maybe it would help to get a better answer than mine, if you could post your logout code snippet and the location. And please tell us why the standard JBoss logout ("session.invalidate()") does not work for you.
                        Best do this in your security forum thread.

                        Best regards


                        • 9. Re: IllegalStateException(s) on logout
                          K J Newbie


                          Thanks for your responses.
                          I think we kind of fixed it. Got the clue from the security FAQ # 3 (http://www.jboss.org/community/docs/DOC-12198)

                          Our code creates its own login-config.xml and that one was missing the following from the ClientLoginModule
                          <!-- Any existing security context will be restored on logout -->
                          <module-option name="restore-login-identity">true</module-option>

                          After adding this to the file, the exception is not thrown anymore.

                          Would you be able to explain what exactly this option does or where I can find more info on it?
                          I will also be reading a little more on JBoss 5.0.0 security.

                          Something that's interesting is that the custom login-config.xml file created by our tool works fine with JBoss 4.2.3 (without adding the above lines). It only throws the exception with JBoss 5.0.0.
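
For reference, an added example (not part of the original thread and not the poster's actual file) showing where the option from reply 9 sits in a login-config.xml application policy. The policy names and the custom login module class are hypothetical placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: policy names and com.example.CustomLoginModule are
     placeholders, not values from the thread. -->
<policy>

  <!-- Before: ClientLoginModule without the option. The thread reports that
       on JBoss 5.0.0 this configuration led to
       "IllegalStateException: Security Context is null" on logout. -->
  <application-policy name="example-domain-before">
    <authentication>
      <login-module code="com.example.CustomLoginModule" flag="required"/>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
    </authentication>
  </application-policy>

  <!-- After: the option added as a child of the ClientLoginModule entry. -->
  <application-policy name="example-domain-after">
    <authentication>
      <login-module code="com.example.CustomLoginModule" flag="required"/>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <!-- Any existing security context will be restored on logout -->
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```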