WebCuratorTool / webcurator

The root of the webcurator tool project, containing all modules needed to run a fully functional webcurator tool.
Apache License 2.0

Losing session editing Targets #56

Closed obrienben closed 5 months ago

obrienben commented 2 years ago

Some users are occasionally editing Targets and seeing empty data when switching tabs within the Target. Can occur within a few minutes of editing the Target.

Appears to be an issue with the TargetEditorContext and losing its session. See error:

java.lang.IllegalStateException: TargetEditorContext not yet bound to the session
        at org.webcurator.ui.util.OverrideGetter.getOverrideable(OverrideGetter.java:59)
        at org.webcurator.ui.target.controller.AbstractOverrideTabHandler.preProcessNextTab(AbstractOverrideTabHandler.java:140)
        at org.webcurator.ui.target.controller.TargetProfileHandler.preProcessNextTab(TargetProfileHandler.java:78)
        at org.webcurator.ui.util.TabbedController.processFormSubmission(TabbedController.java:282)
        at org.webcurator.ui.util.TabbedController.handleRequestInternal(TabbedController.java:400)
        at org.webcurator.ui.target.controller.TabbedTargetController.handleRequestInternal(TabbedTargetController.java:241)
        at org.webcurator.ui.target.controller.TargetController.handleRequestInternal(TargetController.java:22)
        at sun.reflect.GeneratedMethodAccessor455.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:892)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1039)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:942)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1005)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:908)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:882)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

obrienben commented 1 year ago

@leefrank9527 can you please write a description of the problem/solution here, now that it has been resolved.

leefrank9527 commented 1 year ago

The root cause of the problem:

  1. First of all, the problem happened under a special network structure. The request sequence diagram looks like this:

         Client (A browser: Chrome, Firefox etc.)           Reverse Proxy (Port: 80)       WebApp (Port: 8080)
         |------------------------------------------------->|----------------------------->|
         |-------------------------------------------------------------------------------->|

     If the Client requests the pages with the URL link http://domainname:8080/, the requests will be sent to the WebApp directly. If the Client requests the pages with the URL link http://domainname/, the requests will be sent to the Reverse Proxy, and the Reverse Proxy will forward the request to the WebApp.
  2. The session is kept with the sessionID, and the sessionID is included in the cookie of the browser.
  3. Some browser extensions will request some special files: /robots.txt, /favicon.ico. But for some reason, the port number is missing when the extensions combine a request URL for the special files. There is no sessionID included in the cookie of the request. The request is sent to the Reverse Proxy, and the Reverse Proxy forwards this request to the WebApp. For this kind of request, the login.jsp on the WebApp is triggered. Because there is no sessionID included in the request, the WebApp will take it as a new session, create a new sessionID, and respond with "Set Cookie" to the Client. The Client will reset the sessionID. This step is executed silently by the extensions.
  4. When the users switch the tabs or click the links on the WebApp pages, the request will be redirected to the login page.

Two workarounds:

  1. Option 1: Add a rule at the reverse proxy to deny the special requests directly, such as:

    <Location /robots.txt>
    Order Deny,Allow
    Deny from all
    </Location>

    <Location /favicon.ico>
    Order Deny,Allow
    Deny from all
    </Location>

  2. Option 2: Use a browser and disable the related extensions on the browser. Currently, the extensions may be:

     a) Wappalyzer - Technology profiler Identify web technologies
     b) Snow Web Application Metering
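
The mechanism described in the comment above, replayed with Python's standard-library cookie jar (an added example, not part of the original thread or of the WebCurator code). Cookies are scoped by host and path, not by port, so a Set-Cookie that arrives via port 80 replaces the session cookie issued on port 8080. The hostname `wct.example`, the `WebApp` stand-in, the session ids and `Path=/` are assumptions.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "wct.example"  # constructed hostname, not from the issue

class WebApp:
    """Hypothetical stand-in for the container's session handling."""
    def __init__(self):
        self.sessions = {}  # session id -> attributes bound to that session

    def handle(self, cookie_header):
        """Return (session id, Set-Cookie value or None) for one request."""
        for part in (cookie_header or "").split("; "):
            name, _, value = part.partition("=")
            if name == "JSESSIONID" and value in self.sessions:
                return value, None
        sid = f"S{len(self.sessions) + 1}"  # missing/unknown id: new empty session
        self.sessions[sid] = {}
        return sid, f"JSESSIONID={sid}; Path=/; HttpOnly"  # Path=/ is assumed

class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""
    def __init__(self, set_cookie):
        self._headers = Message()
        if set_cookie:
            self._headers["Set-Cookie"] = set_cookie
    def info(self):
        return self._headers

def browser_request(jar, app, url, send_cookies=True):
    req = Request(url)  # built only for cookie matching; nothing is sent
    if send_cookies:
        jar.add_cookie_header(req)
    sid, set_cookie = app.handle(req.get_header("Cookie"))
    jar.extract_cookies(FakeResponse(set_cookie), req)
    return sid

def replay(deny_at_proxy=False):
    app, jar = WebApp(), CookieJar()
    editing = browser_request(jar, app, f"http://{HOST}:8080/")  # direct login
    app.sessions[editing]["targetEditorContext"] = "bound"
    if not deny_at_proxy:  # with Option 1 the proxy refuses; no Set-Cookie comes back
        # Extension fetch through the proxy on port 80, sent without the cookie.
        browser_request(jar, app, f"http://{HOST}/favicon.ico", send_cookies=False)
    after = browser_request(jar, app, f"http://{HOST}:8080/")  # tab switch
    ids_in_jar = [c.value for c in jar if c.name == "JSESSIONID"]
    return editing, after, "targetEditorContext" in app.sessions[after], ids_in_jar
```

`replay()` shows the tab switch arriving on a fresh session with no editor context bound, while `replay(deny_at_proxy=True)` keeps the original session.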

obrienben commented 1 year ago

@leefrank9527 was this issue also caused by the Wappalyzer browser plugin?

leefrank9527 commented 1 year ago

@obrienben Yes. It's the same issue that caused the session loss, which is caused by the Wappalyzer browser plugin.

obrienben commented 5 months ago

Same as issue #46