CDV ❯ UnsupportedOperationException using built-in tomcat authentication

• Type: Bug
• Status: Closed
• Priority: 2 Major
• Resolution: Fixed
• Component/s: Sessions
• Labels:

• Assignee: hhuynh
• Reporter: teck
• Created: July 30, 2010
• Votes: 0
• Watchers: 0
• Updated:

  July 27, 2012
• Resolved:

  November 30, 2010

Description

I haven’t tested it, but setting “changeSessionIdOnAuthentication” to false on the authenticator looks like it could work around this problem

java.lang.UnsupportedOperationException at org.terracotta.modules.tomcat.tomcat_5_5.SessionInternal.setId(SessionInternal.java:152) at org.apache.catalina.session.ManagerBase.changeSessionId(ManagerBase.java:940) at org.apache.catalina.authenticator.AuthenticatorBase.register(AuthenticatorBase.java:756) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:198) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528) at org.terracotta.modules.tomcat.tomcat_5_5.SessionValve55.tcInvoke(SessionValve55.java:92) at org.terracotta.modules.tomcat.tomcat_5_5.SessionValve55.invoke(SessionValve55.java:79) at org.terracotta.session.ModernTomcatSessionValve.invoke(ModernTomcatSessionValve.java:65) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) at java.lang.Thread.run(Thread.java:619)

Comments

Kunal Bhasin 2010-11-17

Tim’s comment below:

Looked a little more into this. I think maybe their web.xml has a section where the is set to FORM. Nothing wrong with that per se, but that is what would activate the form authenticator.

I actually can’t see any easy to configure that “changeSessionIdOnAuthentication” property though unfortunately. I think I see how one could make tomcat support another form of but it feels a little hacky.

Even with that I think we might just hit a non-portable object exception later down the road when tomcat tries to store the auth stuff into session.

I’m afraid we’d need to some feature work to support this stuff.

Hung Huynh 2010-11-30

Follow this Tomcat doc of how to set the authenticator valve to not change the session Id.

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

Just pick an authenticator valve that matches customer’s use case and set “changeSessionIdOnAuthentication” to “false”

An example is this:

Hung Huynh 2010-12-01

note that this feature only works for tomcat 5.5 and above (not 5.0)