tranjith / javamelody

Automatically exported from code.google.com/p/javamelody
0 stars 0 forks source link

Basic Authentication and Sessions #473

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
From Juergen, https://groups.google.com/forum/#!topic/javamelody/J9Fvj3F1PE0 :

I've a quite strange problem with javamelody 1.55.0 (no other version tested). 
When adding basic authentication to my web.xml for javamelody I'm not able to 
display detailed session-information nor invalidate sessions. When clicking on 
a session I get "Session DB7F6BFA3D818A5F81CBC9BB556058E9 invalidated", but the 
session isn't invalidated. When clicking on "invalidate for a session" the 
session isn't invalidated. When clicking on "invalidate http sessions", no 
session is deleted. Here is my web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
  version="3.1"
  metadata-complete="false">

    <description>JK Examples</description>
    <display-name>JK Examples</display-name>

    <servlet>
        <servlet-name>jktest</servlet-name>
        <servlet-class>jktest</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>jktest</servlet-name>
        <url-pattern>/jktest</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>javamelody</filter-name>
        <filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>allowed-addr-pattern</param-name>
            <param-value>192\.168\.[0-9]{1,3}\.[0-9]{1,3}</param-value>
            <param-name>storage-directory</param-name>
            <param-value>${catalina.base}/javamelody-data</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>javamelody</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>net.bull.javamelody.SessionListener</listener-class>
    </listener>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>javamelody</web-resource-name>
            <url-pattern>/monitoring</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>javamelody</realm-name>
    </login-config>
    <security-role>
        <role-name>manager</role-name>
    </security-role>

</web-app>

Without basic authentication (i.e. just commenting out starting from 
<security-constraint>) everything works fine.

I'm using Tomcat 8.0.20 with Oracle Server-JRE 8.0.40.

Original issue reported on code.google.com by evernat@free.fr on 11 Apr 2015 at 1:54

GoogleCodeExporter commented 9 years ago
I have reproduced the issue and it is a javamelody bug indeed.

What happens is that when using BASIC auth, a session is created with an id, 
and later Tomcat changes the session id, for security against session fixation. 
In this case, Tomcat does not notify of the changed id with a sessionCreated 
event for the second id.
It happens in particular for your own session, when using BASIC auth.

It is now fixed in trunk (revision 4060) and for the next release (1.56).

By the way, your web.xml is misconfigured. You would better write:
        <init-param>
            <param-name>allowed-addr-pattern</param-name>
            <param-value>192\.168\.[0-9]{1,3}\.[0-9]{1,3}</param-value>
        </init-param>
        <init-param>
            <param-name>storage-directory</param-name>
            <param-value>${catalina.base}/javamelody-data</param-value>
        </init-param>

Thanks Juergen.

Original comment by evernat@free.fr on 11 Apr 2015 at 4:58