  • Continuous java.lang.IllegalStateException: getAttribute: Session already invalidated

    Hi all,

    I use Spring 3.0.0 with Spring Security 3.0.1 and Freemarker.

    I'm running into a weird little problem here. I have an order entry flow of several steps where the user can start the order flow and run through the first 2 steps without logging in. In the third step, the user runs into a page that is protected by Spring Security and has to log in. (On success, the controller will read the session variable where the content of pages 1 and 2 is stored.)

    When he does so, I get an error message (see below) generated by a Freemarker template that tries to access a session variable. So the controller can access session variables just fine. Just at the point a session variable is referenced in Freemarker, I get the exception below.

    Not only that, I then get that error on each and every page, on each and every request, making the website completely inaccessible for that user. BTW, the session object that it tries to access is a Hibernate entity.

    If I'm already logged in when I hit the protected page, no problems occur.

    I can see that the session is still valid up until the moment the variable is accessed from Freemarker and I didn't find any places going through the stack where the session is invalidated.

    Any ideas about this one? I didn't seem to have this issue on Spring 2.5. I'm sort of scratching my head on this one, for a few hours now.

    Code:
    java.lang.IllegalStateException: getAttribute: Session already invalidated
        at org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1032)
        [... freemarker stuff ...]
        at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:535)
        at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:472)
        at com.opensymphony.module.sitemesh.filter.PageFilter.writeDecorator(PageFilter.java:173)
        at com.opensymphony.module.sitemesh.filter.PageFilter.applyDecorator(PageFilter.java:158)
        at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
        at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.displaytag.filter.ResponseOverrideFilter.doFilter(ResponseOverrideFilter.java:125)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at net.sf.ehcache.constructs.web.filter.GzipFilter.doFilter(GzipFilter.java:79)
        at net.sf.ehcache.constructs.web.filter.Filter.doFilter(Filter.java:93)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.opensymphony.clickstream.ClickstreamFilter.doFilter(ClickstreamFilter.java:56)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:344)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:110)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:98)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:95)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:120)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:55)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:36)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:106)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    Security.xml
    Code:
    <http>
        <intercept-url pattern="/imageuploader/*" filters="none" />
        <intercept-url pattern="/images/*" filters="none" />
        <intercept-url pattern="/css/*" filters="none" />
        <intercept-url pattern="/js/*" filters="none" />
        [...]
        <form-login always-use-default-target="false"
            default-target-url="/index.html" authentication-failure-url="/login.html"
            login-page="/login.html" login-processing-url="/login_security_check" />

        <logout logout-url="/logout.html" logout-success-url="/index.html"
            invalidate-session="true" />
        <anonymous granted-authority="ROLE_ANONYMOUS" />
        <remember-me services-ref="rememberMeServices" key="${msa.security.key}" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="usorManager">
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="rememberMeServices"
        class="nl.msw.compraventa.service.impl.RememberMeManagerImpl">
        <beans:property name="userDetailsService" ref="usorManager" />
        <beans:property name="key"
            value="${msa.security.key}" />
        <beans:property name="parameter" value="rememberMe" />
        <beans:property name="userDao" ref="usorDao" />
        <beans:property name="alwaysRemember" value="true" />
        <beans:property name="tokenValiditySeconds" value="15000000" />
    </beans:bean>
    Kind regards,

    Marc
    Last edited by mschipperheyn; Jan 22nd, 2010, 05:28 AM.

  • #2
    Add a session listener to your application and print out the stacktrace when a session is destroyed (or created). That will allow you to locate where it happens.


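    The kind of listener post #2 suggests, as an added example (not code from the thread, from Spring or from Freemarker). It targets a Servlet 2.5 container such as the Tomcat in the trace above; the package name nl.example and the class name are placeholders, and the listener is registered in web.xml as shown in the header comment:

```java
// Added diagnostic listener, not part of the original thread.
// Prints a stack trace whenever the container creates or destroys a session,
// so the request (and filter) that invalidates a session can be found in the log.
// Register in web.xml (Servlet 2.5):
//   <listener>
//     <listener-class>nl.example.SessionTraceListener</listener-class>
//   </listener>
package nl.example;

import java.util.Enumeration;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionTraceListener implements HttpSessionListener {

    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // A second session appearing right after a login request is the signature
        // of session-fixation protection: the old session is replaced by a new one.
        new Throwable("session created: id=" + session.getId()).printStackTrace();
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // The container notifies listeners before the session is torn down, so the
        // attribute names are still readable here. The frames above this method
        // show who called invalidate(); a stack with no request thread on it
        // (Tomcat's background thread) means the session simply timed out.
        StringBuilder names = new StringBuilder();
        for (Enumeration<?> e = session.getAttributeNames(); e.hasMoreElements();) {
            names.append(' ').append(e.nextElement());
        }
        new Throwable("session destroyed: id=" + session.getId()
                + " attributes:" + names).printStackTrace();
    }
}
```

    Both traces go to stderr, which Tomcat collects in catalina.out. For the flow described in the question, expect a "session destroyed" trace whose frames pass through Spring Security's authentication processing on the login request, immediately followed by a "session created" trace for the replacement session; the destroyed id is the one a cached reference would still point at.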

    • #3
      Caused by improvements in Spring Security against "older" Freemarker

      It turns out that the issue is caused by Freemarker caching the session and Spring Security now having protection against session fixation attacks by creating a new session after login and copying session properties. The cached session is invalidated, leading to continuous error messages when trying to access session variables. See also http://sourceforge.net/projects/free.../topic/3475868. It is fixed in Freemarker 2.3.16.

      Cheers,

      Marc

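      The mechanism post #3 describes, as an added stand-alone simulation that is not code from the thread, from Spring Security or from Freemarker. The Session and Request classes are deliberately minimal stand-ins for the servlet container (the exception message copies Tomcat's), migrateSession is a simplified model of Spring Security's "migrateSession" fixation protection (invalidate the pre-login session, copy its attributes into a fresh one), and the two helper classes are hypothetical: one caches the session object the way the old Freemarker did, the other resolves it from the request on every access. It runs without a container:

```java
// Added simulation, not part of the original thread.
// Run: javac SessionMigrationDemo.java && java SessionMigrationDemo
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;

public class SessionMigrationDemo {

    /** Stand-in for a container session with Tomcat's invalidation semantics. */
    static class Session {
        final String id = UUID.randomUUID().toString();
        private final Map<String, Object> attributes = new LinkedHashMap<String, Object>();
        private boolean valid = true;

        Object getAttribute(String name) {
            if (!valid) {
                // Same message as Tomcat's StandardSession.getAttribute
                throw new IllegalStateException("getAttribute: Session already invalidated");
            }
            return attributes.get(name);
        }
        void setAttribute(String name, Object value) { attributes.put(name, value); }
        Map<String, Object> attributes() { return new LinkedHashMap<String, Object>(attributes); }
        void invalidate() { valid = false; attributes.clear(); }
    }

    /** Stand-in for the request: the container resolves the session from the cookie id. */
    static class Request {
        private final Map<String, Session> store;
        private String sessionId;
        Request(Map<String, Session> store, String sessionId) { this.store = store; this.sessionId = sessionId; }
        Session getSession() {
            Session s = store.get(sessionId);
            if (s == null) { s = new Session(); store.put(s.id, s); sessionId = s.id; }
            return s;
        }
    }

    /** Simplified model of what "migrateSession" does on a successful login. */
    static Session migrateSession(Request request, Map<String, Session> store) {
        Session old = request.getSession();
        Map<String, Object> copy = old.attributes();   // snapshot attributes first
        old.invalidate();                               // every cached reference is now dead
        store.remove(old.id);
        Session fresh = new Session();
        for (Map.Entry<String, Object> e : copy.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        store.put(fresh.id, fresh);
        request.sessionId = fresh.id;                   // new JSESSIONID goes back to the browser
        return fresh;
    }

    /** Hypothetical template helper that caches the session object (the old Freemarker behaviour). */
    static class CachingHelper {
        private Session cached;
        Object get(Request request, String name) {
            if (cached == null) cached = request.getSession();
            return cached.getAttribute(name);           // throws on every request after migration
        }
    }

    /** Hypothetical template helper that resolves the session from the request each time. */
    static class PerRequestHelper {
        Object get(Request request, String name) { return request.getSession().getAttribute(name); }
    }

    public static void main(String[] args) {
        Map<String, Session> store = new HashMap<String, Session>();
        Request request = new Request(store, null);
        request.getSession().setAttribute("order", "step 1 and 2 data");   // anonymous steps

        CachingHelper caching = new CachingHelper();
        PerRequestHelper perRequest = new PerRequestHelper();
        System.out.println("before login, cached: " + caching.get(request, "order"));

        migrateSession(request, store);                                    // step 3: login

        System.out.println("after login, per-request: " + perRequest.get(request, "order"));
        try {
            caching.get(request, "order");
        } catch (IllegalStateException e) {
            System.out.println("after login, cached: " + e.getMessage());
        }
    }
}
```

      The per-request helper still sees the order data after login because the attributes were copied into the replacement session; the caching helper fails on this and every later request because it holds the invalidated object, which is exactly the "continuous" error from the question. In Spring Security 3.0 the behaviour is selectable with the session-management element's session-fixation-protection attribute (none, newSession, migrateSession), but turning it off reopens the session fixation attack; fixing the component that caches the session, as Freemarker 2.3.16 did, is the right repair.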