| Field | Value |
|---|---|
| Summary | NonSerializableException thrown when running JAAS and Session Clustering with DB together |
| Product | [RT] Jetty |
| Reporter | Mike Jiang <mikej1688> |
| Component | server |
| Assignee | Jan Bartel <janb> |
| Status | CLOSED FIXED |
| QA Contact | |
| Severity | major |
| Priority | P3 |
| CC | gregw, jesse.mcconnell, jetty-inbox |
| Version | unspecified |
| Target Milestone | 7.1.x |
| Hardware | All |
| OS | Windows Vista |
| See Also | https://bugs.eclipse.org/bugs/show_bug.cgi?id=328306 |
| Whiteboard | |
| Bug Depends on | 328306 |
| Bug Blocks | |
| Attachments | |
Created attachment 181319: an error msg when running the JAAS and session clustering with DB
*** Bug 328274 has been marked as a duplicate of this bug. ***

```
[doubloon]harvest/harvest-execution-thrift> svn commit -m "add test case for i indexed queries"
Sending        harvest-execution-thrift/src/main/java/com/digitalreasoning/harvest/execution/thrift/GetIndexedSlicesExecution.java
Transmitting file data .
Committed revision 16952.
```

Never mind, it's not going to be that simple. It's apparently slurping in a whole lot more than is obvious at first glance; going to take a bit deeper look at this.

Jan, I dug into this a bit by writing a simple serialize unit test and all manner of stuff shows up, down into the http.security.Password class being part of this. Looking through the JAASUserPrincipal class, which I believe would be more in line as the principal being written to the session persistence, I think we need to probably mark things like the LoginContext as transient, or perhaps the JAAS stuff is not meant to be persisted like it is in this scenario. I have been too out of touch on these things lately to just dive in and make those changes without a bit of discussion first.

jesse

Jesse,

You are quite right that there are other non-serializable classes involved for JAAS. Most of them can be made serializable; however, certainly the LoginContext cannot, as that is an API class. We are saving the LoginContext in the JAASUserPrincipal so that, when it comes time to call logout(), we can call logout() on the correct LoginContext that knows about the Subject associated with that user (all very complex!).

I think this problem may only occur with a combination of Form authentication + session persistence + JAAS, as it is the FormAuthenticator that is stuffing a UserIdentity into the Session, and the UserIdentity has the JAAS info buried in it.

Anyway, I believe Greg is working on a general solution, as bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=328306 reports that Form auth + session persistence has a problem. I'll update this issue when he's done with that.

cheers
Jan

I hope I have fixed this in https://bugs.eclipse.org/bugs/show_bug.cgi?id=328306. I've pushed a snapshot to http://oss.sonatype.org/content/repositories/jetty-snapshots/org/eclipse/jetty/jetty-distribution/7.2.1-SNAPSHOT, so it would be good if you could test.

Mike,

We think this is fixed back in jetty-7.2.0. Can you confirm that it works for you now?

thanks,
Jan

Please reopen this if it remains a problem after Greg fixed it.
Build Identifier: jetty-server-7.1.3.v20100526

I have used the Jetty server 7.1.3 as the app server for a while. First the JAAS (Java Authentication and Authorization Service) is used, and it worked with no error. Secondly, we tried to use the Session Clustering with Database, a feature also offered by the Jetty server. It's for the case in which there are multiple server instances running in a load-balancing environment. The DB is used as persistent storage for the session's attributes so the attributes can be shared by the server instances. However, when the JAAS and Session Clustering with DB are in effect at the same time, a NonSerializableException was thrown as follows:

```
2010-10-06 15:51:08.549:WARN::Problem persisting changed session data id=fredsft3xjud8yc59jaiszql57lo
java.io.NotSerializableException: org.eclipse.jetty.server.session.JDBCSessionManager
    at java.io.ObjectOutputStream.writeObject0(Unknown Source)
    at java.io.ObjectOutputStream.defaultWriteFields(Unknown Source)
    at java.io.ObjectOutputStream.writeSerialData(Unknown Source)
    at java.io.ObjectOutputStream.writeOrdinaryObject(Unknown Source)
    at java.io.ObjectOutputStream.writeObject0(Unknown Source)
    at java.io.ObjectOutputStream.defaultWriteFields(Unknown Source)
    at java.io.ObjectOutputStream.writeSerialData(Unknown Source)
    at java.io.ObjectOutputStream.writeOrdinaryObject(Unknown Source)
    at java.io.ObjectOutputStream.writeObject0(Unknown Source)
    at java.io.ObjectOutputStream.writeObject(Unknown Source)
    at java.util.concurrent.ConcurrentHashMap.writeObject(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at java.io.ObjectStreamClass.invokeWriteObject(Unknown Source)
    at java.io.ObjectOutputStream.writeSerialData(Unknown Source)
    at java.io.ObjectOutputStream.writeOrdinaryObject(Unknown Source)
    at java.io.ObjectOutputStream.writeObject0(Unknown Source)
    at java.io.ObjectOutputStream.writeObject(Unknown Source)
    at org.eclipse.jetty.server.session.JDBCSessionManager.updateSession(JDBCSessionManager.java:949)
    at org.eclipse.jetty.server.session.JDBCSessionManager$Session.complete(JDBCSessionManager.java:341)
    at org.eclipse.jetty.server.session.AbstractSessionManager.complete(AbstractSessionManager.java:144)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:199)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:860)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:47)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
    at org.eclipse.jetty.server.Server.handle(Server.java:335)
    at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:588)
    at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1029)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:418)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:489)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
    at java.lang.Thread.run(Unknown Source)
```

Debugging into the code, it was found that the problem was caused in the following steps:

1. In the process of the JAAS, the code sets a class, SessionAuthentication, as a session attribute. SessionAuthentication is implemented as a serializable object, but its member, DefaultUserIdentity, is not. So the SessionAuthentication is not a serializable object at all.
2. In the Session Clustering with DB process, the JDBCSessionManager tried to save all the sessions' attributes (all of which must be serializable) to the database. However, one of the attributes, SessionAuthentication, is not a serializable object, so the above exception is thrown and the process is interrupted.

Reproducible: Always

Steps to Reproduce:

1. Turn both the JAAS and Session Clustering with DB on.
2. Create a login scenario based on the JAAS.
3. After a login, a NonSerializableException will be thrown.
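The following Java program is an added illustration for this thread; it is not Jetty's code, the reporter's, or the fix that landed. It models the shape the report describes (a Serializable session attribute holding a non-serializable member, which makes the whole graph unwritable), the transient-field approach Jesse suggests for the LoginContext handle, and the serialize-to-memory check he mentions running as a unit test. Every class name in it is a constructed stand-in, and it assumes nothing about Jetty's real SessionAuthentication or DefaultUserIdentity beyond what the report says.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Constructed stand-in for a LoginContext-style object: an API handle that is
// only meaningful on the node that created it and cannot be serialized.
final class FakeLoginContext {
    void logout() { /* would release the authenticated Subject */ }
}

// Constructed stand-in for DefaultUserIdentity: not Serializable, so any
// object graph that references it fails as a whole.
final class BrokenUserIdentity {
    final String name;
    final FakeLoginContext ctx = new FakeLoginContext();
    BrokenUserIdentity(String name) { this.name = name; }
}

// Constructed stand-in for SessionAuthentication before the fix: declares
// Serializable but holds a non-serializable member, the same shape that
// produces the NotSerializableException in the report's stack trace.
final class BrokenSessionAuthentication implements Serializable {
    private static final long serialVersionUID = 1L;
    final BrokenUserIdentity identity;
    BrokenSessionAuthentication(BrokenUserIdentity identity) { this.identity = identity; }
}

// Hardened shape (hypothetical): persist only what is needed to rebuild the
// identity on another node, and mark the runtime-only handle transient so it
// is skipped by default serialization instead of being written to the DB.
final class PersistableSessionAuthentication implements Serializable {
    private static final long serialVersionUID = 1L;
    final String userName;
    final String authMethod;
    transient FakeLoginContext loginContext;   // rebuilt on the receiving node, never persisted

    PersistableSessionAuthentication(String userName, String authMethod, FakeLoginContext ctx) {
        this.userName = userName;
        this.authMethod = authMethod;
        this.loginContext = ctx;
    }
}

public final class SessionSerializationCheck {

    // The check a session store can run before accepting an attribute: write the
    // entire object graph into memory and return the first class that cannot be
    // serialized (the JDK places that class name in the exception message), or
    // null when the whole graph serializes cleanly.
    static String findNonSerializable(Object attribute) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(attribute);
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();
        } catch (IOException e) {
            throw new IllegalStateException("unexpected I/O failure on in-memory stream", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample attributes, one in each shape.
        Object broken = new BrokenSessionAuthentication(new BrokenUserIdentity("fred"));
        Object fixed = new PersistableSessionAuthentication("fred", "FORM", new FakeLoginContext());

        System.out.println("broken attribute, first non-serializable class: " + findNonSerializable(broken));
        System.out.println("fixed attribute, first non-serializable class: " + findNonSerializable(fixed));
    }
}
```

Run as a unit test, the check reports the stand-in user-identity class for the broken graph and null for the hardened one, which is the same signal the JDBCSessionManager only surfaces at request completion time in the trace above. Beyond catching the exception, it is worth inspecting what the graph actually pulls in: Jesse's comment notes the http.security.Password class turning up during his serialize test, and everything that survives this check is what ends up stored in the shared database.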