Kuali Rice Development: KULRICE-5341

UserSession gets bound to a thread, and eDocLite documents are not establishing user session properly

    Details

    • Type: Bug Fix
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
    • Similar issues:
      KULRICE-1744 - Implement proper Super User support in EDocLite
      KULRICE-9690 - Rework legacy processing so that legacy context is established properly when in KNS and not KNS
      KULRICE-1823 - KualiHttpSessionListener sessionDestroyed method does not have valid UserSession in GlobalVariables
      KULRICE-9379 - Add support for rendering views in KRAD without requiring a session to be established
      KULRICE-899 - EDocLite does not gracefully handle session timeout.
      KULRICE-822 - Backdoor message missing on EDocLite screens
      KULRICE-3539 - consider establishing user sessions and trapping errors in a filter
      KULRICE-10183 - Questions about thread safety of KRAD UserSessionUtils
      KULRICE-14069 - Questions about thread safety of KRAD UserSessionUtils
      KULRICE-10546 - Establish unit tests for implementing multi-threading
    • Rice Module:
      KEW
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required

      Description

      I noticed that I was getting null pointer exceptions on occasion from eDocLite applications because GlobalVariables.getUserSession was returning null. As it turns out, with the user session refactoring that happened for 2.0, edl does not have any code in front of it which triggers establishment of a user session. In pre 2.0, this used to be handled by the KEW UserSession object on the UserLoginFilter, but this has changed in 2.0 with the elimination of the kew version of UserSession.

      An interesting fact there though is that after that NPE happens on EDL, it appears to fix that particular jetty worker thread so that future edl requests succeed. This is because when it gets this error it forwards off to the exception incident report (which goes through the KualiRequestProcessor and therefore successfully establishes user session). However, it appears that the user session is never "cleared up" after the request processor terminates. This leaves the thread in a situation where the original user session is "bound" to it by the thread local in global variables until the next request comes through and replaces it as needed. This seems like the kind of issue that could cause potential security holes if we aren't careful. Basically, all thread locals should be cleared out at the successful termination of the request-response cycle.

        Activity

        Eric Westfall added a comment -

        Just committed a fix for the edl session issue. It was establishing a session properly, it just wasn't populating GlobalVariables usersession correctly.

        Note that the potential security issue still exists with the user session global variables. Basically everywhere that we set the session, we need to be sure to unset it afterward. However, we should probably implement a stack model similar to RouteContext because I believe it's possible to have valid nested calls to GlobalVariables.setUserSession.

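The following is an added illustration of the two points raised in this issue and comment, not Rice code and not the fix that was committed: a single-slot ThreadLocal that is set but never unset leaves the previous request's session bound to a pooled worker thread, while a stack model (every establish paired with a release in a finally block, nesting allowed) leaves nothing on the thread once the outermost request completes. The UserSession, LeakyHolder and StackHolder classes are hypothetical stand-ins for Rice's GlobalVariables and UserSession, and the single-thread executor stands in for a Jetty worker thread serving consecutive requests.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/*
 * Added illustration only: these classes are hypothetical stand-ins for
 * GlobalVariables / UserSession, not the Rice implementation.
 */
public class SessionHolderDemo {

    static final class UserSession {
        final String principalName;
        UserSession(String principalName) { this.principalName = principalName; }
        @Override public String toString() { return "UserSession(" + principalName + ")"; }
    }

    /** Leaky pattern: the session is set on the thread and never cleared afterwards. */
    static final class LeakyHolder {
        private static final ThreadLocal<UserSession> CURRENT = new ThreadLocal<>();
        static void setUserSession(UserSession s) { CURRENT.set(s); }
        static UserSession getUserSession() { return CURRENT.get(); }
    }

    /** Stack model: establish/release are balanced, so nested establishment is safe. */
    static final class StackHolder {
        private static final ThreadLocal<Deque<UserSession>> STACK =
                ThreadLocal.withInitial(ArrayDeque::new);
        static void establish(UserSession s) { STACK.get().push(s); }
        static UserSession getUserSession() { return STACK.get().peek(); }
        static void release() {
            Deque<UserSession> stack = STACK.get();
            stack.pop();
            // once the outermost request has finished, leave nothing bound to the pooled thread
            if (stack.isEmpty()) STACK.remove();
        }
    }

    /** A request that establishes a session and forgets to clean up on the way out. */
    static void leakyAuthenticatedRequest(String principal) {
        LeakyHolder.setUserSession(new UserSession(principal));
        // ... request handling ...  (no unset here: this is the bug)
    }

    /** A request that establishes a session, makes a nested establishment, and releases both. */
    static void stackAuthenticatedRequest(String principal) {
        StackHolder.establish(new UserSession(principal));
        try {
            StackHolder.establish(new UserSession("nested-" + principal));
            try {
                System.out.println("inside nested call, current = " + StackHolder.getUserSession());
            } finally {
                StackHolder.release();
            }
            System.out.println("after nested call, current = " + StackHolder.getUserSession());
        } finally {
            StackHolder.release();
        }
    }

    public static void main(String[] args) throws Exception {
        // one pooled thread, reused for every request, like a servlet container worker
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            // Request 1 runs as "alice" and never clears the thread-local.
            worker.submit(() -> leakyAuthenticatedRequest("alice")).get();
            // Request 2 establishes no session of its own (the pre-fix eDocLite situation)
            // but still observes alice's session because the thread was reused.
            Callable<UserSession> leakyProbe = LeakyHolder::getUserSession;
            System.out.println("leaky holder, next request on same thread sees: "
                    + worker.submit(leakyProbe).get());

            // Same two requests against the stack model: the second request sees null.
            worker.submit(() -> stackAuthenticatedRequest("alice")).get();
            Callable<UserSession> stackProbe = StackHolder::getUserSession;
            System.out.println("stack holder, next request on same thread sees: "
                    + worker.submit(stackProbe).get());
        } finally {
            worker.shutdown();
        }
    }
}
```

Run with `java SessionHolderDemo.java` (Java 11 or later): the leaky probe prints `UserSession(alice)` for a request that never authenticated, while the stack probe prints `null`. The `finally` blocks are the important part of the stack variant; a filter that establishes the session for the whole request-response cycle would wrap the downstream call in the same establish/try/finally/release shape so that an exception mid-request (such as the NPE-to-incident-report path described in this issue) still unbinds the session from the thread.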
        Rice-CI User (Inactive) added a comment -

        Integrated in rice-trunk-nightly #111 (See http://ci.rice.kuali.org/job/rice-trunk-nightly/111/)
        KULRICE-5341 - fixed edl session issues


          People

          • Assignee: Unassigned
          • Reporter: Eric Westfall
