Bug 51550

Summary: Empty response instead of error page for IllegalStateException
Product: Tomcat 5
Reporter: Holger Sunke <holger.sunke>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal
Priority: P2
Version: Nightly Build
Target Milestone: ---
Hardware: PC
OS: All
Attachments:
        Proposed patch for Tomcat 6 v1
        Proposed patch for Tomcat 5 v1
        Proposed patch for Tomcat 6 v2
        Proposed patch for Tomcat 5 v2
        Updated patch

Description Holger Sunke 2011-07-25 13:22:52 UTC
IllegalStateException for "Too many active Sessions" error on createSession(..) sometimes results in an empty response with HTTP 200 OK status instead of an error message.

I saw this happening when Tomcat tries to create session #(n+1) for a protected area with FORM based authentication and SessionManager with maxActiveSessions=n, not depending on whether StandardManager or PersistentManager is being used.


1) Add webapps/examples/META-INF/context.xml with the following content:
        <Manager className="org.apache.catalina.session.StandardManager"

2) Restart Tomcat
3) Visit http://localhost:8080/examples/jsp/security/protected/
4) Clear cookies in your browser
5) Repeat step 3).

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
Transfer-Encoding: chunked
Date: Mon, 25 Jul 2011 13:20:56 GMT

Expected Result:
HTTP/1.1 500 OK
Server: Apache-Coyote/1.1

Comment 1 Mark Thomas 2011-07-25 19:45:29 UTC
Thanks for the report and the steps to reproduce the error.

I have fixed this in 7.0.x and it will be included in 7.0.20 onwards.

Comment 2 Holger Sunke 2011-07-26 06:02:33 UTC
Thank you.

What I forgot to mention is that this issue also hits Tomcat 6. Maybe you'd check older versions too.

Comment 3 Mark Thomas 2011-07-26 07:17:59 UTC
Re-open to fix older versions

Comment 4 Mark Thomas 2011-07-26 08:00:14 UTC
Created attachment 27316
Proposed patch for Tomcat 6 v1

Comment 5 Mark Thomas 2011-07-26 08:00:31 UTC
Created attachment 27317
Proposed patch for Tomcat 5 v1

Comment 6 Mark Thomas 2011-07-26 08:02:17 UTC
Created attachment 27318
Proposed patch for Tomcat 6 v2

Removes additional fixes from patch

Comment 7 Mark Thomas 2011-08-22 12:53:42 UTC
Created attachment 27421
Proposed patch for Tomcat 5 v2

Updates patch for 5.5.x after review comments

Comment 8 Mark Thomas 2011-08-25 17:11:46 UTC
Created attachment 27434
Updated patch

Addresses review comments (needed to catch Throwable in JkCoyoteHandler)

Comment 9 Holger Sunke 2011-09-01 12:46:51 UTC
Tomcat 7.0.20 now correctly responds "HTTP/1.1 500", but I still don't get my error page configured in web.xml like this:

Comment 10 Mark Thomas 2011-09-02 11:33:46 UTC
I've added some code to 7.0.x that will use custom error pages in this scenario. I don't intend to back-port this part of the fix to 6.0.x or 5.5.x.

Comment 11 Konstantin Kolinko 2011-09-16 18:48:09 UTC
The proposed patch has been applied to 5.5 and will be in 5.5.34.

The example of maxActiveSessions="1" in the Description now results in a reply with HTTP status 500, whereas with 5.5.33 the status was 200.
The content of the response is still empty.

The patch has not been applied to 6.0 yet, so I am leaving this issue open.

Comment 12 Mark Thomas 2011-09-21 11:33:14 UTC
The patch has been applied to 6.0.x and will be included in 6.0.34 onwards.
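
A response check for the outcomes discussed in this report, written as an added example (not part of the original thread or Tomcat's code): it parses a raw HTTP/1.1 response, decodes a chunked body, and flags a 200 with an empty body, which a monitor that only watches status codes would miss. The function names and the sample responses are constructed for illustration.

```python
# Added example; sample responses are constructed, not captured from Tomcat.
def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked body, stopping at the zero-size chunk."""
    body, pos = b"", 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return body  # truncated stream: keep what was decoded
        size = int(data[pos:eol].split(b";")[0].strip() or b"0", 16)
        if size == 0:
            return body
        body += data[eol + 2 : eol + 2 + size]
        pos = eol + 2 + size + 2  # skip chunk data and its trailing CRLF

def parse_response(raw: bytes):
    """Return (status_code, headers, body) for one raw HTTP/1.1 response."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        rest = decode_chunked(rest)
    elif "content-length" in headers:
        rest = rest[: int(headers["content-length"])]
    return status, headers, rest

def classify(raw: bytes) -> str:
    """Map a response to the outcomes discussed in this report."""
    status, _, body = parse_response(raw)
    empty = not body.strip()
    if status == 200 and empty:
        return "silent-failure"  # 200 with nothing in the body
    if status >= 500:
        return "error-empty-body" if empty else "error-with-body"
    return "ok"

# Constructed: headers from the Description plus a terminating zero chunk.
BUGGY = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
         b"Cache-Control: private\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
# Constructed: status 500 with empty content, the 5.5.34 behaviour in Comment 11.
STATUS_ONLY = b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"
# Constructed: status 500 carrying an error page body.
WITH_PAGE = (b"HTTP/1.1 500 Internal Server Error\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n5\r\nerror\r\n0\r\n\r\n")
```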