We are using Tomcat 6.29 behind IIS7.5, with spring, hibernate and struts2 framework. We are now beginning to notice that the server sessions are getting mixed up especially in Ajax request.
More details about the problem
- User 1 requests page1, user 2 request page2. But user1 gets served page2 and user2 gets server page1.
- The session ids are also changing, but on refreshing the page, the correct page is served up.
- The problem seems to be happening more often when the number of users are high.
Any pointers to the origin of the problem would help, the code runs fine with lesser number of users and no such instance is reported.
EDIT
web.xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>bm</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/*Context.xml</param-value>
</context-param>
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
</listener>
struts.xml
<result-types>
<result-type name="jasper" class="org.apache.struts2.views.jasperreports.JasperReportsResult"/>
<result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
</result-types>
<interceptors>
<interceptor name="sessionLoggin" class="com.inrev.bm.interceptor.IRLoggingInterceptor" />
<interceptor name="appAccess" class="appAccessInterceptor" />
<interceptor-stack name="newStack">
<interceptor-ref name="exception"/>
<interceptor-ref name="alias"/>
<interceptor-ref name="servletConfig"/>
<interceptor-ref name="i18n"/>
<interceptor-ref name="prepare"/>
<interceptor-ref name="chain"/>
<interceptor-ref name="debugging"/>
<interceptor-ref name="scopedModelDriven"/>
<interceptor-ref name="modelDriven"/>
<interceptor-ref name="fileUpload"/>
<interceptor-ref name="checkbox"/>
<interceptor-ref name="multiselect"/>
<interceptor-ref name="staticParams"/>
<interceptor-ref name="params">
<param name="excludeParams"> dojo\..*,^struts\..*</param>
</interceptor-ref>
<interceptor-ref name="actionMappingParams"/>
<interceptor-ref name="sessionLoggin"/>
<interceptor-ref name="appAccess"/>
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="newStack"/>
Other Information
1) Users are login in by submitting a form, on login we perform the following,
public class xxxAction extends ActionSupport implements SessionAware
{
public String execute()
{
session.clear();
if (session instanceof org.apache.struts2.dispatcher.SessionMap)
{
try
{
((org.apache.struts2.dispatcher.SessionMap) session).invalidate();
}
catch (IllegalStateException e) {
log.error("Session Invalidate Failed ", e);
}
//Authorization code happens here
session.put("orgs", orgs);
session.put("currentOrg", org);
session.put("permission", adminDAO.getRolePermission(orgs.get(0).getRoleId()));
session.put("simplyApp", simplyApp);
session.put("user", user);
return "login"
}
}
2) Os being used is windows 2008 RC2
EDIT2 INCEPTOR CODE
INTERCEPTOR 1
public String intercept(ActionInvocation invocation) throws Exception
{
String result = null;
String className = invocation.getAction().getClass().getName();
Map session = invocation.getInvocationContext().getSession();
IRUser user = (IRUser) session.get("user");
IROrgname org = (IROrgname)session.get("currentOrg");
IRAppDetails simplyApp = (IRAppDetails)session.get("simplyApp");
String sessionId = (String)session.get("sessionId");
boolean switchUser =session.get("switchUser")!=null ? (Boolean)session.get("switchUser") : false;
if(className.indexOf("IRLoginAction")!=-1 || className.indexOf("IRContactUsAction")!=-1
|| className.indexOf("IRIPNAction")!=-1 || className.indexOf("IRPaymentAction")!=-1
|| className.indexOf("IRServiceAction")!=-1 || className.indexOf("IRAppBossAction") !=-1)
{
result= invocation.invoke();
session.put("PREV_CLASS_NAME", className);
}
else if(!(className.indexOf("IRLoginAction")!=-1) && (user !=null && org!=null))
{
if(!IRSessionManager.getInstance().compareSession(user.getUserId(), sessionId) && !switchUser)
{
session.clear();
if (session instanceof org.apache.struts2.dispatcher.SessionMap)
{
try
{
((org.apache.struts2.dispatcher.SessionMap) session).invalidate();
}
catch (IllegalStateException e)
{
log.error("Session Invalidate Failed ", e);
}
}
result = "sessionDuplicated";
}
else
{
result= invocation.invoke();
session.put("PREV_CLASS_NAME", className);
}
}
else if(className.indexOf("widgets") !=-1)
{
result= invocation.invoke();
}
else if(className.indexOf("ActionSupport") !=-1)
{
result= invocation.invoke();
}
else if (!(className.indexOf("IRLoginAction")!=-1) && (user ==null || org==null || simplyApp==null))
{
result = "sessionExpired";
}
return result;
}
INTERCEPTOR 2
public String intercept(ActionInvocation invocation) throws Exception
{
String result = null;
HttpServletRequest request = ServletActionContext.getRequest();
String className = invocation.getAction().getClass().getName();
try
{
Map session = invocation.getInvocationContext().getSession();
IRUser user = (IRUser) session.get("user");
IROrgname org = (IROrgname)session.get("currentOrg");
IRAppDetails application = (IRAppDetails)session.get("simplyApp");
if(( user!= null && user.getAppType()!=0) && !(className.indexOf("IRLoginAction")!=-1))
{
if(hasAccess(user.getAppType(), className))
{
result= invocation.invoke();
}
else
{
result = "checkURL";
}
}
else
{
result= invocation.invoke();
}
}
catch (Exception e)
{
e.printStackTrace();
}
return result;
}
I've debugged something similar two days ago on a legacy project (not mine).
It turned out it was custom Interceptors's fault.
Check the custom Interceptors i can see in your stack,
and ensure that their code is Thread Safe (avoid fields on interceptors instead of synchronize all your stuff, use only local variables).
For example, consider the code:
This way, when User1 enters the method, it sets the shared
session
object with its session; if User2 enters the method while User1 has not yet finished, User2 will immediately override thesession
object with its session, and User1 will refer to User2 session instead of its own.To make it thread safe it should be like follows:
EDIT:
Your interceptors present some problems:
1) Request must not be accessed this way (as described here):
the right way to access the request from within an Struts2 Interceptor is:
2) If you don't want to return the
invocation.invoke();
immediately, please note that assigning that to theresult
String will fire the "flow", and the lines after theinvoke()
will be executed AFTER the Action execution, as described here: