If a JSP page that prevents using the http session has an <x:out> tag, there's an IllegalStateException thrown. The problem is in XPathUtil.getVariableQNames() where a call to pageContext.getAttributeNamesInScope(PageContext.SESSION_SCOPE) is done without first checking that the session is available...
Created attachment 20965 [details] JSP to test this issue Sylvain, I tried reproducing this issue by setting the session page directive to false (see attached JSP file) but I couldn't get it to fail -- it works fine for me. What method are you using to deny access to the HTTP session in the page? In order to help me investigate this, can you provide the following: - Your JSP version - Your servlet API version - Your app server and version - If at all possible, a copy of the JSP that is failing for you FYI, I attempted my reproduction on Tomcat 5.5.20 with JSP 2.0 and web-app 2.4 (and taglibs 1.1.2). Thanks, Bjorn
Looking at the code, there's a comment referring to this issue being dealt with in http://issues.apache.org/bugzilla/show_bug.cgi?id=35216.
Henri's right -- I've reverted to a version prior to the fix for 35216 being committed, and I am able to reproduce the issue using the JSP I attached previously. So it looks like this is a dupe of 35216 and is fixed in trunk.
Resolving as a duplicate. *** This bug has been marked as a duplicate of 35216 ***