Session persistence broken from 9.4.13+ #3597
* Hard to get a test case that works in a unit test because `ClassLoadingObjectInputStream` falls back to `ObjectInputStream` when a class cannot be resolved, and as the tests are always running from a classloader that includes the test resources, you discover the test resources always as an artifact of running as a unit test.
* With this change the regression detected in writing a Jetty plugin for Apache OpenWebBeans is resolved.

Signed-off-by: Stephen Connolly <stephen.alan.connolly@gmail.com>
PR #3598 opened
Do you have a demo webapp that produces this issue?
I have some unit tests in Apache OpenWebBeans! If you change the It took @struberg and me a while to diagnose, but the root cause is this:
…with system classes. Signed-off-by: Jan Bartel <janb@webtide.com>
Fixed in 9.4.18 and beyond.
Background
#2964 introduced switchable classloaders for session data.
I understand the intent of such switchable classloaders, but the simple switching mechanism is flawed and potentially breaks lots of web applications (and certainly breaks a lot of frameworks when running jetty in embedded mode or when installing the framework as a module)
Bug
The basic flaw in the current implementation is in https://github.com/eclipse/jetty.project/blob/29b960551f59d3c455fabdd657b207fc5898fb4c/jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionData.java#L74-L95
Basically, the switch of the classloader happens based on the classloader of the session value.
Where this can break web applications is, for example, if I store an `ArrayList<MyClass>` in the session. Because only the top reference's classloader is checked, this will be serialized with `isServerLoader == true` because `java.util.ArrayList` always comes from the server classloader. Then when deserializing, the server classloader will be used, and as that doesn't have the `MyClass` definition (it's only in the webapp classloader) the session will fail to deserialize and be marked as invalid... or worse, in embedded mode the `MyClass` definition will be loaded from the server classloader and then the web application will get a `ClassCastException` when they try to access the session state.

Workaround
Use Jetty `9.4.12.v20180830`
Impact
This would seem to be a rather severe regression as it has the capacity to break users' web application session serialization.
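The `ArrayList<MyClass>` case from the Bug section above, as an added example that is not Jetty's code: a check that decides on the top-level value's classloader alone (modelled on the flaw described in the issue) next to a deserializer that resolves classes through a chosen loader. `MyClass`, `LoaderObjectInputStream`, and using the platform classloader (Java 9+) to stand in for the server classloader are assumptions of this example.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class ClassLoaderSwitchDemo {
    // Hypothetical class that only the webapp classloader can see.
    static class MyClass implements Serializable { final String name; MyClass(String n) { name = n; } }

    // Mirrors the flawed rule: decide from the top-level value's loader only.
    // java.util.ArrayList has a null (bootstrap) loader, so the nested MyClass
    // elements are never considered and the session is tagged as server-loaded.
    static boolean isServerLoaderByTopLevelOnly(Object value, ClassLoader webappLoader) {
        ClassLoader l = value.getClass().getClassLoader();
        return l == null || l != webappLoader;
    }

    // Stand-in for a stream that resolves classes through the loader it was given.
    static class LoaderObjectInputStream extends ObjectInputStream {
        private final ClassLoader loader;
        LoaderObjectInputStream(InputStream in, ClassLoader loader) throws IOException { super(in); this.loader = loader; }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws ClassNotFoundException {
            return Class.forName(desc.getName(), false, loader);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ClassLoader loader) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LoaderObjectInputStream(new ByteArrayInputStream(bytes), loader)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader webappLoader = ClassLoaderSwitchDemo.class.getClassLoader();
        // The platform loader sees java.util.* but not this application's classes,
        // so it plays the role of the "server" classloader here (assumption).
        ClassLoader serverLoader = ClassLoader.getPlatformClassLoader();
        List<MyClass> value = new ArrayList<>();
        value.add(new MyClass("x"));
        byte[] bytes = serialize(value);
        System.out.println("top-level check picks server loader: " + isServerLoaderByTopLevelOnly(value, webappLoader));
        System.out.println("webapp loader restores: " + ((List<?>) deserialize(bytes, webappLoader)).size() + " element(s)");
        try { deserialize(bytes, serverLoader); }
        catch (ClassNotFoundException e) { System.out.println("server loader fails: " + e); }
    }
}
```

Run as `java ClassLoaderSwitchDemo.java`: the flawed check answers `true`, the webapp loader round-trips the list, and the server loader throws `ClassNotFoundException` for `MyClass`, which is the "marked as invalid" path the issue describes.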