Bug 47774 - Illegal context class loader is used when HttpSessionListener is executed.
Illegal context class loader is used when HttpSessionListener is executed.
Status: RESOLVED FIXED
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
6.0.20
All All
: P2 normal (vote)
: default
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2009-09-01 01:58 UTC by Keiichi Fujino
Modified: 2010-04-09 07:50 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Keiichi Fujino 2009-09-01 01:58:42 UTC
When HttpSessionListener is executed, illegal class loader is set to the context classLoader.

I think that the problem is in CoyoteAdapter#parseSessionCookiesId method. 
JSESSION COOKIE is parsed in this method, and sessionId is set to the request. 

To check sessionId, Request#isRequestedSessionIdValid method is called in this method. 
And, Session#isValid() might be called in Request#isRequestedSessionIdValid method. 
However, the context class loader of a current thread is StandardClassLoader. 
It is not WebappClassLoader. 

For instance,
When the session has already passed session-timeout, 
Session#expire is executed.
At this time, the context class loader of the thread that executes HttpSessionListenner#sessionDestroyed is StanderdClassLoader. 
This is not good. 
The context class loader of the thread that executes HttpSessionListenner should be WebAppClassLoader. 


Best regards.
Comment 1 Mark Thomas 2009-12-14 15:03:43 UTC
This has been fixed in trunk and proposed for 6.0.x.

Thanks for the report.
Comment 2 Mark Thomas 2010-01-14 02:04:05 UTC
The patch has been applied to 6.0.x and will be included in 6.0.23 onwards.
Comment 3 Keiichi Fujino 2010-04-02 06:14:10 UTC
I reopned this bug.
This is not fixed against 5.5.x.
therefore, proposed for 5.5.x.
Comment 4 Keiichi Fujino 2010-04-09 07:50:26 UTC
This fix applied to 5.5, will be in 5.5.30 onwards.