  1. Application Server 3 4 5 and 6
  2. JBAS-5026

NPE in JvmRouteValve.handleJvmRoute





      Client is a rich app (swing) that does soap calls to an app. Some of those WebServices are secured by a "BASIC" security constraint.

      When the client calls the first password-protected service, JBoss tries to set SSO and Session cookies. Then the client makes some more non-restricted calls that work just fine. After that, the first secured call fails with an NPE at JvmRouteValve, detailed below:

      2007-11-30 18:16:36,144 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or error occurred in the container during the request processing
      at org.jboss.web.tomcat.service.session.JvmRouteValve.handleJvmRoute(JvmRouteValve.java:125)
      at org.jboss.web.tomcat.service.session.JvmRouteValve.checkJvmRoute(JvmRouteValve.java:112)
      at org.jboss.web.tomcat.service.session.JvmRouteValve.invoke(JvmRouteValve.java:81)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:637)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
      at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:437)
      at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:381)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:595)

      Checking the code, the only way I see that this could happen is when checkJvmRoute passes a null to handleJvmRoute on its first parameter (oldsessionId). In turn, this implies that getRequestedSessionId() returned null AND getSession(false) didn't.

      What I can see from packet dumps in the AJP connection is that the client is not passing a JSESSIONID header along the call, but, somehow (SSL session or some side-effect from SSO?), the session manager still "remembers" that it has a session. Therefore, in this scenario, oldsessionId == null (since the client didn't send any session cookie) and session != null, causing this NPE.

      A simple fix would be to test oldsessionId for null at line 91, returning if it is.
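
The condition the report describes (a live server-side session on a request that carried no session id), modelled as an added example; this is not JBoss source and not the reporter's code. The class and method names, the `id.route` session id layout and the sample ids are assumptions made for illustration.

```java
// Added illustration: a simplified model of the jvmRoute check, not JBoss source.
public class JvmRouteGuardDemo {

    /** Returns the route suffix of an "id.route" session id, or null if none. */
    static String routeOf(String sessionId) {
        int dot = sessionId.indexOf('.');   // throws NPE when sessionId is null
        return dot < 0 ? null : sessionId.substring(dot + 1);
    }

    /** Unguarded form: assumes a live session implies the client sent its id. */
    static String checkUnguarded(String requestedId, String liveSessionId, String localRoute) {
        if (liveSessionId == null) return null;          // no session, nothing to do
        return rewriteIfNeeded(requestedId, liveSessionId, localRoute);
    }

    /** Guarded form: also returns early when the client sent no session id. */
    static String checkGuarded(String requestedId, String liveSessionId, String localRoute) {
        if (liveSessionId == null || requestedId == null) return null;
        return rewriteIfNeeded(requestedId, liveSessionId, localRoute);
    }

    /** Returns the id to put in the cookie, or null when no change is needed. */
    static String rewriteIfNeeded(String requestedId, String liveSessionId, String localRoute) {
        String received = routeOf(requestedId);
        if (localRoute.equals(received)) return null;    // already routed to this node
        int dot = liveSessionId.indexOf('.');
        String base = dot < 0 ? liveSessionId : liveSessionId.substring(0, dot);
        return base + "." + localRoute;
    }

    public static void main(String[] args) {
        // Constructed inputs: session exists server-side, request carried no session id.
        String live = "abc123.node1";
        try {
            checkUnguarded(null, live, "node1");
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException");
        }
        System.out.println("guarded, no id sent: " + checkGuarded(null, live, "node1"));
        System.out.println("guarded, failover:   " + checkGuarded("abc123.node2", live, "node1"));
    }
}
```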




                • Assignee:
                  brian.stansberry Brian Stansberry
                  psevestre Philippe Sevestre