Francesco,
On 6/21/24 06:02, Francesco Chicchiriccò wrote:
On 2024/06/20 15:52:16 Christopher Schultz wrote:
Francesco,
On 6/20/24 09:03, Francesco Chicchiriccò wrote:
On 2024/06/20 12:18:15 Konstantin Kolinko wrote:
чт, 20 июн. 2024 г. в 13:25, Francesco Chicchiriccò <ilgro...@apache.org>:
Hi there,
at Syncope we usually use the latest Tomcat versions to run a large chunk of
our integration tests.
In our master branch we relay on Tomcat 10.1.x, and upgrading to 10.1.25 from
10.1.24 went smooth as usual.
In our 3_0_X branch we relay on Tomcat 9.0.x; with 9.0.89 everything goes as
expected, but with 9.0.90 we are getting the exception [1].
Any idea of what could be changed in 9.0.90 within this regard? Thank you.
[1] https://gist.github.com/ilgrosso/be1fb1f2ea205eef60fb221973f87b34
The "java.lang.IllegalStateException: The request object has been
recycled and is no longer associated with this facade" message means
that a Request object has been (illegally) stored and is accessed
outside of its lifecycle - when the underlying structures and buffers
have already been recycled and may have been reused to process
subsequent requests.
Mark wrote:
You could try explicitly setting discardFacades to false.
In general, not recommended.
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
Calling getScheme() might be safe (as IIRC the info will come from a
connector configuration), but anything beyond that may lead to either
false results or to security issues. It would be better to identify
and fix the underlying cause.
Are you suggesting there is something to fix on Syncope's or CXF's code? Or
rather on Tomcat?
This is a protection that Tomcat is providing to the application. There
is no known bug in Tomcat's code.
It's not clear to me whether Syncope's or CXF's code is retaining such a
reference, but, given the stack trace I would suspect that
UserServiceImpl in Syncope's code is where you should start looking.
As I am writing above, we have no issues with Tomcat 9.0.89 nor with Tomcat
10.1.25.
It looks like this change was made in 9.0.90 *only* and was not ported
to the other June releases. Honestly, this change should have been made
to all active branches... I'm not sure why Rémy only applied it to 9.0.x.
I'd tend to think that such change should be applied to all active branches,
for consistency.
Is there any issue referencing this change?
This is likely a long-standing bug in your application and it really
should be fixed. There is likely a security and/or privacy issue in the
application which this error is pointing-out to you.
Nope, nothing of that kind.
?
Syncope offers an OData-lilke batch feature [1] which implies, in
case of asynchronous processing request, to multiplex the incoming
request onto atomic requests, injected to CXF service processing.
If your application is retaining a reference to an HttpServletRequest
after the request has been completed, then your application has a bug.
You can tell me it doesn't have a bug, but it does. If you want
information from that request, you should copy it out of the request.
If you are using an asynchronous request, then you also need to take
care to only use that async request in the way it was intended to be
used. Object lifetimes still apply.
The current error derives from the atomic requests being constructed
as HttpServletRequestWrapper subclasses from the original request: it
seems that, after the change in Tomcat 9.0.90, this has become
problematic - while it is still not for Tomcat 10.1.25, Wildfly,
Undertow and Payara, against which Syncope integration tests are also
run.
Wrapping a request in an HttpServletRequestWrapper does not count as
copying it or the data it contains. That's wrapping it, and you still
have a reference to the original request... through the wrapper.
We should have a fix ready, going to push it soon.
A fix is good, even if you weren't willing to admit there was a problem
in the first place.
I wonder what the "fix" looks like for a non-bug in this context. I hope
you haven't just made the problem worse.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
