|Summary:||Empty response instead of error page for IllegalStateException|
|Product:||Tomcat 5||Reporter:||Holger Sunke <holger.sunke>|
|Component:||Catalina||Assignee:||Tomcat Developers Mailing List <dev>|
Proposed patch for Tomcat 6 v1
Proposed patch for Tomcat 5 v1
Proposed patch for Tomcat 6 v2
Proposed patch for Tomcat 5 v2
Description Holger Sunke 2011-07-25 13:22:52 UTC
IllegalStateException for "Too many active Sessions" error on createSession(..) sometimes results in an empty response with HTTP 200 OK status instead of an error message. I saw this happening when Tomcat tries to create session #(n+1) for a protected area with FORM based authentication and SessionManager with maxActiveSessions=n, not depending on whether StandardManager or PersistentManager is being used.

Reproduction:
1) Add webapps/examples/META-INF/context.xml with the following content:
   <Context>
     <Manager className="org.apache.catalina.session.StandardManager" maxActiveSessions="1">
     </Manager>
   </Context>
2) Restart Tomcat
3) Visit http://localhost:8080/examples/jsp/security/protected/
4) Clear cookies in your browser
5) Repeat step 3).

Result:
   HTTP/1.1 200 OK
   Server: Apache-Coyote/1.1
   Cache-Control: private
   Expires: Thu, 01 Jan 1970 01:00:00 CET
   Transfer-Encoding: chunked
   Date: Mon, 25 Jul 2011 13:20:56 GMT

Expected Result:
   HTTP/1.1 500 OK
   Server: Apache-Coyote/1.1
   [...]
Comment 1 Mark Thomas 2011-07-25 19:45:29 UTC
Thanks for the report and the steps to reproduce the error. I have fixed this in 7.0.x and it will be included in 7.0.20 onwards.
Comment 2 Holger Sunke 2011-07-26 06:02:33 UTC
Thank you. What I forgot to mention is that this issue also hits Tomcat 6. Maybe you'd check older versions too.
Comment 3 Mark Thomas 2011-07-26 07:17:59 UTC
Re-open to fix older versions
Comment 4 Mark Thomas 2011-07-26 08:00:14 UTC
Created attachment 27316: Proposed patch for Tomcat 6 v1
Comment 5 Mark Thomas 2011-07-26 08:00:31 UTC
Created attachment 27317: Proposed patch for Tomcat 5 v1
Comment 6 Mark Thomas 2011-07-26 08:02:17 UTC
Created attachment 27318: Proposed patch for Tomcat 6 v2
Removes additional fixes from patch
Comment 7 Mark Thomas 2011-08-22 12:53:42 UTC
Created attachment 27421: Proposed patch for Tomcat 5 v2
Updates patch for 5.5.x after review comments
Comment 8 Mark Thomas 2011-08-25 17:11:46 UTC
Created attachment 27434: Updated patch
Addresses review comments (needed to catch Throwable in JkCoyoteHandler)
Comment 9 Holger Sunke 2011-09-01 12:46:51 UTC
Tomcat 7.0.20 now correctly responds "HTTP/1.1 500", but I still don't get my error page configured in web.xml like this:
   <error-page>
     <error-code>500</error-code>
     <location>/static/error/internal.html</location>
   </error-page>
Comment 10 Mark Thomas 2011-09-02 11:33:46 UTC
I've added some code to 7.0.x that will use custom error pages in this scenario. I don't intend to back-port this part of the fix to 6.0.x or 5.5.x.
Comment 11 Konstantin Kolinko 2011-09-16 18:48:09 UTC
The proposed patch has been applied to 5.5 and will be in 5.5.34. The example of maxActiveSessions="1" in the Description now results in a reply with HTTP status 500, whereas with 5.5.33 the status was 200. The content of the response is still empty. The patch has not been applied to 6.0 yet, so I am leaving this issue open.
Comment 12 Mark Thomas 2011-09-21 11:33:14 UTC
The patch has been applied to 6.0.x and will be included in 6.0.34 onwards.
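
A check for the behaviour discussed in this report, as an added example (not code from Tomcat or from the participants): it parses a raw HTTP response captured at step 5 of the reproduction, decodes the chunked body, and separates the empty 200 reply from a 500 with or without a body. The sample responses are constructed; the chunk terminator, the 500 reason phrase and the body contents are assumptions, since the report shows only headers.

```python
# Added example: classify a raw response captured at step 5 of the reproduction.
# All sample responses below are constructed; the report shows headers only.

def decode_chunked(data: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body, stopping at the zero-size chunk."""
    body = b""
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break
        body += data[:size]
        data = data[size + 2:]  # skip the chunk payload and its trailing CRLF
    return body

def parse_response(raw: bytes):
    """Return (status, headers, decoded body) for one raw HTTP/1.1 response."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return status, headers, decode_chunked(rest)
    if "content-length" in headers:
        return status, headers, rest[:int(headers["content-length"])]
    return status, headers, rest

def classify(raw: bytes) -> str:
    status, _, body = parse_response(raw)
    empty = not body.strip()
    if status == 200 and empty:
        return "empty-200"   # the reported bug: a status-only health check sees success
    if status == 500:
        return "empty-500" if empty else "500-with-body"
    return "other"           # e.g. the normal login form

BUGGY = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nCache-Control: private\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
PATCHED = b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"
CUSTOM = (b"HTTP/1.1 500 Internal Server Error\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"d\r\n<h1>Oops</h1>\r\n0\r\n\r\n")
LOGIN = b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\n<form></form>"

if __name__ == "__main__":
    for name, raw in [("BUGGY", BUGGY), ("PATCHED", PATCHED), ("CUSTOM", CUSTOM), ("LOGIN", LOGIN)]:
        print(name, classify(raw))
```

Because the buggy reply is chunked, a check that relies on Content-Length alone would not see that the body is empty; the chunk decoding is what makes the 200 case detectable.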