Grouper / GRP-891

grouper session from static threadlocal can be an invalid session

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.1.3
    • Fix Version/s: 2.1.4
    • Component/s: API
    • Labels:
      None

      Description

      Yes, the patch I proposed is for the latest code.

      The first “try” (the one you included) returns an error to the UI. I added a second one so that we can validate the user’s group membership if an expired session was returned by GrouperSession.staticGrouperSession.

      If staticGrouperSession returned null instead of an expired (subject==null) session there wouldn’t be a problem here.

      From: Chris Hyzer
      Sent: 29 March 2013 02:34
      To: Gagné Sébastien; grouper-dev@internet2.edu
      Subject: RE: UI error

      This is the code as of 5-nov-12, is this the code you have?

      String groupToRequire = TagUtils.mediaResourceString(mediaKeyOfGroup);
      if (LOG.isDebugEnabled()) {
        LOG.debug("mediaKeyOfGroup: " + mediaKeyOfGroup + ", groupToRequire: " + groupToRequire + ", subject: " + GrouperUtil.subjectToString(subjectLoggedIn));
      }

      if (!StringUtils.isBlank(groupToRequire)) {

        GrouperSession grouperSession = null;

        //get a session, close it if you started it
        boolean startedSession = false;
        try {
          grouperSession = GrouperSession.staticGrouperSession(false);
          if (grouperSession == null) {
            grouperSession = GrouperSession.startRootSession();
            startedSession = true;
          }

          if (!PrivilegeHelper.isWheelOrRoot(grouperSession.getSubject())) {
            grouperSession = grouperSession.internal_getRootSession();
          }

          Group group = GroupFinder.findByName(grouperSession, groupToRequire, true);

      From: grouper-dev-request@internet2.edu On Behalf Of Gagné Sébastien
      Sent: Tuesday, March 26, 2013 4:05 PM
      To: Gagné Sébastien; grouper-dev@internet2.edu
      Subject: RE: [grouper-dev] UI error

      I did more digging, and I think I might have a solution, does it make any sense or should it be done another way? I’ll be testing it in the next few days since the problem seems intermittent.

      GrouperUiFilter.java
      Method : requireUiGroup (around line 380)

      FROM:
      if (!PrivilegeHelper.isWheelOrRoot(grouperSession.getSubject())) {
        grouperSession = grouperSession.internal_getRootSession();
      }

      TO:
      try {
        if (!PrivilegeHelper.isWheelOrRoot(grouperSession.getSubject())) {
          grouperSession = grouperSession.internal_getRootSession();
        }
      } catch (IllegalStateException ise) {
        // session is invalid, probably stopped, use a new one
        grouperSession = GrouperSession.startRootSession();
        startedSession = true;
      }

      From: grouper-dev-request@internet2.edu On Behalf Of Gagné Sébastien
      Sent: 26 March 2013 15:36
      Subject: [grouper-dev] UI error

      Hi,
      I’m getting a very unpleasant error in the UI. I configured the “require.group.for.logins” and I believe it’s causing the problem. I’m running the 2.1.3 UI.

      Often, when a user logs in, he will get the following error message (see screenshot). If he clicks on any link a few times it usually comes back. This screenshot was made using my sysadmin user, but it will do the same thing using a standard user. I tried looking in the source code using the stacktrace (see below), but didn’t get anywhere.

      Is it fixable?

      Thanks

      PS. Chris had a fix for me when I first tried a required group (it’s running now), I don’t know if it’s related or not: https://bugs.internet2.edu/jira/browse/GRP-840

      Screen shot :

      Looking in the logs, I see the following :

      2013-03-26 14:31:40,634: [http-8080-5] ERROR GrouperUiFilter.doFilter(856) - - UI error
      java.lang.RuntimeException: Problem with user: Subject id: gagns, sourceId: ldap, etc:GroupeAccesUI
      at edu.internet2.middleware.grouper.ui.GrouperUiFilter.requireUiGroup(GrouperUiFilter.java:386)
      at edu.internet2.middleware.grouper.ui.GrouperUiFilter.ensureUserAllowedInSection(GrouperUiFilter.java:314)
      at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:846)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      at java.lang.Thread.run(Thread.java:662)
      Caused by: java.lang.IllegalStateException: Grouper session subject is null, probably since it is stopped. Dont use it anymore, start another
      at edu.internet2.middleware.grouper.GrouperSession.internal_ThrowIllegalStateIfStopped(GrouperSession.java:120)
      at edu.internet2.middleware.grouper.GrouperSession.getSubject(GrouperSession.java:584)
      at edu.internet2.middleware.grouper.ui.GrouperUiFilter.requireUiGroup(GrouperUiFilter.java:375)
      ... 15 more

      Sébastien Gagné | IT Analyst
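
The failure mode discussed in this thread, as an added example that is not Grouper code and not part of the original messages: a stopped session left in a thread-local makes the next access check on the same thread throw unless the session is validated before use. `Session`, `STATIC_SESSION`, `usableSession` and `membershipCheck` are hypothetical stand-ins, and the single-thread executor standing in for a servlet container's reused worker thread is an assumption.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
// Added illustration: Session and STATIC_SESSION are hypothetical stand-ins, not Grouper classes.
public class StaleThreadLocalSessionDemo {
  static final class Session {
    private String subject;
    Session(String subject) { this.subject = subject; }
    void stop() { subject = null; }               // the stopped object survives, its subject is cleared
    boolean isStopped() { return subject == null; }
    String getSubject() {
      if (subject == null) throw new IllegalStateException("session subject is null, probably stopped");
      return subject;
    }
  }

  static final ThreadLocal<Session> STATIC_SESSION = new ThreadLocal<>();

  // Treats a stopped session found in the thread-local the same as no session at all.
  static Session usableSession(boolean[] startedHere) {
    Session s = STATIC_SESSION.get();
    if (s == null || s.isStopped()) {
      STATIC_SESSION.remove();                    // drop the stale reference
      s = new Session("root");
      startedHere[0] = true;
    }
    return s;
  }

  static String membershipCheck(String user) {
    boolean[] started = {false};
    Session s = usableSession(started);
    try {
      return user + " checked under session subject " + s.getSubject();
    } finally {
      if (started[0]) s.stop();                   // close only what this call started
    }
  }

  public static void main(String[] args) throws Exception {
    ExecutorService pool = Executors.newSingleThreadExecutor(); // one reused worker thread (assumption)
    // Request 1 leaves a stopped session behind in the thread-local ("gagns" is a sample subject id).
    pool.submit(() -> { Session s = new Session("gagns"); STATIC_SESSION.set(s); s.stop(); }).get();
    // Request 2 runs on the same thread: unvalidated use throws, validated use succeeds.
    pool.submit(() -> {
      try { STATIC_SESSION.get().getSubject(); }
      catch (IllegalStateException e) { System.out.println("unvalidated: " + e.getMessage()); }
      System.out.println("validated: " + membershipCheck("gagns"));
    }).get();
    pool.shutdown();
  }
}
```

Because the replacement session is never stored back into the thread-local, stopping it in `finally` does not recreate the stale state for the next request.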

              People

              Assignee:
              chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
              Reporter:
              chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)