benlucchesi / grails-cookie-session
cookie sessions for grails applications
Happy user of this plugin, but ran into an edge case today.
When generating PDFs from our site, we make a connection using URL and then write the HTML file to file system. Then we use this file system file to convert to PDF.
More or less, the following code from a Grails controller shows what I'm trying to describe:
```groovy
// Open a server-side connection to our own site to fetch the page as HTML
URL print = new URL(printurl)
HttpURLConnection con = (HttpURLConnection) print.openConnection()
// The first 10 characters of the session id only serve as a per-user file name
String xhtmlFileString = "${getConfig(CSSPATH)}${request.getSession().getId().substring(0, 10)}-gp.html"
File xhtmlFile = new File(xhtmlFileString)
FileOutputStream fos = new FileOutputStream(xhtmlFile)
```
Then we run a command line tool to convert the file to PDF.
The part related to grails-cookie-session is the printurl variable above. Before the plugin, we tacked jsessionid= and the session id of the current user onto printurl to make the URLConnection and still use the values stored in the session. Hopefully you see what I'm trying to describe.
With grails-cookie-session, we can't do that anymore.
Any ideas on how to resolve this?
The best I have so far is adding the existing cookie to the con request, like:
```groovy
con.setRequestProperty("Cookie", "name1=value1; name2=value2");
```
where the cookie name is the configured cookiename, such as "gsession".
Ideas? Suggestions?
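One way to do what the post above asks for, as an added example that is neither the plugin's code nor the reporter's: copy every request cookie whose name matches the configured cookiename onto the outgoing connection, and refuse to do so unless the print URL points back at this application's own host over HTTPS, because the cookie is the whole session. The cookie naming assumption (exact cookiename, or cookiename followed by "-" and an index) and the `cookieName` parameter are assumptions.

```groovy
import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletRequest

// Added example (not from the plugin or the reporter): forward the grails-cookie-session
// cookies of the current request to a server-side HttpURLConnection, in place of the old
// "jsessionid=" trick. Assumes every cookie the plugin sets is named either exactly the
// configured cookiename (e.g. "gsession") or cookiename followed by "-" and an index.
class SessionCookieForwarder {

    // Build the Cookie header value from the browser's cookies. Returns null when no
    // session cookie is present, so the caller can decide whether an anonymous fetch is acceptable.
    static String buildCookieHeader(Cookie[] cookies, String cookieName) {
        List<Cookie> sessionCookies = (cookies ?: new Cookie[0]).findAll { Cookie c ->
            c.name == cookieName || c.name.startsWith(cookieName + '-')
        }
        if (sessionCookies.isEmpty()) return null
        // Preserve the order the browser sent them in.
        sessionCookies.collect { Cookie c -> c.name + '=' + c.value }.join('; ')
    }

    // The cookie is the entire (encrypted) session, so it is only ever sent back to this
    // application's own host and only over TLS; anything else hands the session to a third party.
    static boolean isSafeTarget(URL target, HttpServletRequest request) {
        target.protocol == 'https' && target.host.equalsIgnoreCase(request.serverName)
    }

    static HttpURLConnection openWithSession(String printUrl, HttpServletRequest request, String cookieName) {
        URL target = new URL(printUrl)
        if (!isSafeTarget(target, request)) {
            throw new IllegalArgumentException('refusing to forward the session cookie to ' + target.host)
        }
        HttpURLConnection con = (HttpURLConnection) target.openConnection()
        con.instanceFollowRedirects = false     // a redirect could carry the cookie off-host
        String header = buildCookieHeader(request.cookies, cookieName)
        if (header != null) con.setRequestProperty('Cookie', header)
        con
    }
}

// In the controller from the report, replacing its first two lines:
// HttpURLConnection con = SessionCookieForwarder.openWithSession(printurl, request, 'gsession')
```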
bug - disabling the cookie session causes the application to fail to launch
I'm getting the following error on Chrome incognito on Android; it works without any issues in normal mode and in desktop browsers.
2016-07-20 13:13:02,294 |-ERROR - CookieSessionRepository - An error occurred while deserializing a session.
java.lang.RuntimeException: = character not at end of base64 value
at org.codehaus.groovy.runtime.EncodingGroovyMethods.decodeBase64(EncodingGroovyMethods.java:163)
at org.codehaus.groovy.runtime.dgm$808.invoke(Unknown Source)
at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:274)
at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:56)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117)
at grails.plugin.cookiesession.CookieSessionRepository.deserializeSession(CookieSessionRepository.groovy:413)
at grails.plugin.cookiesession.CookieSessionRepository$deserializeSession$0.callCurrent(Unknown Source)
at grails.plugin.cookiesession.CookieSessionRepository.restoreSession(CookieSessionRepository.groovy:317)
at grails.plugin.cookiesession.SessionRepositoryRequestWrapper.restoreSession(SessionRepositoryRequestWrapper.java:59)
at grails.plugin.cookiesession.CookieSessionFilter.doFilterInternal(CookieSessionFilter.java:78)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:120)
at org.springframework.boot.context.web.ErrorPageFilter.access$000(ErrorPageFilter.java:61)
at org.springframework.boot.context.web.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:95)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:113)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1502)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1458)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Hi,
We are using cookie session plugin. Version is the latest, 2.0.10 (started seeing the issue with 2.0.7 in a load-balanced env sporadically, so upgraded to latest, still seeing issue).
There is a login page which is displayed when hitting certain pages, we are using Spring-Security-LDAP. The effect for the user is that they keep getting redirected to the login page in a loop. The work-around is to check the "Remember Me" checkbox, which seems to break the loop.
Here are my config settings, the secret has been changed of course:
```groovy
grails.plugin.cookiesession.encryptcookie = true
grails.plugin.cookiesession.cryptoalgorithm = "Blowfish"
grails.plugin.cookiesession.secret = "abcdefghjk"
grails.plugin.cookiesession.cookiecount = 4
grails.plugin.cookiesession.maxcookiesize = 4096 // 4 KB
grails.plugin.cookiesession.sessiontimeout = 1800 // 30 minutes
grails.plugin.cookiesession.cookiename = 'csp'
grails.plugin.cookiesession.condenseexceptions = false
grails.plugin.cookiesession.serializer = 'java' // kryo does not work for us
grails.plugin.cookiesession.springsecuritycompatibility = true
```
Any ideas on how I can debug further would be much appreciated.
Here are the exceptions being logged:
LogLevel=ERROR; class=com.granicus.grails.plugins.cookiesession.CookieSessionRepository; cause: null;
LogLevel=ERROR; class=com.granicus.grails.plugins.cookiesession.CookieSessionRepository; An error occurred while deserializing a session. java.lang.RuntimeException: = character not at end of base64 value;
I inspected the cookie session cookie value and it does end with the '=' character. Pasting only last few chars below:
0G8vuo1W3NvIfLYGvqXq7v092ZC4LZccKrYsHqS+KuZPj5uOhkOnE+2Anip64YXQfkLyLbblN52fq/WozbRRuM8gq7PMIk2yc8IA=="
However, this issue is very sporadic and hard to reproduce.
Thanks!
Sundar
```groovy
compile ":cookie-session:2.0.7"
```
Config.groovy:
```groovy
grails.plugin.cookiesession.enabled = true
grails.plugin.cookiesession.encryptcookie = true
grails.plugin.cookiesession.cryptoalgorithm = "Blowfish" // DESEde,DES,AES,Blowfish
grails.plugin.cookiesession.secret = "secret"
grails.plugin.cookiesession.cookiecount = 10
grails.plugin.cookiesession.maxcookiesize = 5072
grails.plugin.cookiesession.sessiontimeout = 54000
grails.plugin.cookiesession.cookiename = 'cs'
grails.plugin.cookiesession.condenseexceptions = true
```
Bug for browser Chromium 25.0.1364.160 Ubuntu 13.04 (25.0.1364.160-0ubuntu3):
| Error 2013-05-06 12:44:17,834 [http-bio-8080-exec-1] ERROR cookiesession.CookieSessionRepository - An error occurred while deserializing a session. javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
| Error 2013-05-06 12:44:17,843 [http-bio-8080-exec-1] ERROR cookiesession.CookieSessionRepository - cause: null
| Error javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
| Error at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:750)
| Error at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676)
| Error at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(BlowfishCipher.java:319)
| Error at javax.crypto.Cipher.doFinal(Cipher.java:2087)
| Error at javax.crypto.Cipher$doFinal.call(Unknown Source)
| Error at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.deserializeSession(CookieSessionRepository.groovy:326)
| Error at com.granicus.grails.plugins.cookiesession.CookieSessionRepository$deserializeSession.callCurrent(Unknown Source)
| Error at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.restoreSession(CookieSessionRepository.groovy:232)
| Error at com.granicus.grails.plugins.cookiesession.SessionRepositoryRequestWrapper.restoreSession(SessionRepositoryRequestWrapper.java:58)
| Error at com.granicus.grails.plugins.cookiesession.CookieSessionFilter.doFilterInternal(CookieSessionFilter.java:74)
| Error at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
| Error at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
| Error at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
| Error at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
| Error at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
| Error at org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:66)
| Error at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
| Error at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
| Error at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
| Error at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
| Error at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
| Error at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
| Error at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
| Error at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
| Error at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
| Error at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
| Error at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
| Error at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
| Error at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
| Error at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
| Error at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
| Error at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
| Error at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
| Error at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
| Error at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
| Error at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
| Error at java.lang.Thread.run(Thread.java:722)
We are using the cookie session plugin in our application with spring security enabled. It seems that there is some unwanted data being stored in the session which is causing the session size to increase dramatically. I have tried all of the above suggestions: bumping the number of cookies to 4 and increasing the header size and cookie session timeout. When increasing the number of cookies to 4, it is having some issues when we try to logout/login. The exception we see is:
ERROR cookiesession.CookieSessionRepository - cause: null
java.lang.RuntimeException: = character not at end of base64 value.
Also we are seeing exceptions when it tries to deserialize the session and throws some gzip-related exceptions.
This is the setting we have in Config.groovy:
```groovy
grails.plugin.cookiesession.enabled = true
grails.plugin.cookiesession.encryptcookie = true
grails.plugin.cookiesession.cryptoalgorithm = "AES"
grails.plugin.cookiesession.secret = cookieSecret
grails.plugin.cookiesession.cookiecount = 1
grails.plugin.cookiesession.maxcookiesize = 8000
grails.plugin.cookiesession.sessiontimeout = 3600
grails.plugin.cookiesession.cookiename = 'gsession'
grails.plugin.cookiesession.condenseexceptions = true
grails.plugin.cookiesession.springsecuritycompatibility = true
```
Any help will be appreciated as this is causing too much havoc on our production environment. The application is hosted on JBoss 6.1 EAP.
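A small diagnostic for the "= character not at end of base64 value" reports on this page (the one just above and Sundar's earlier one), added here and not part of the plugin: it reassembles the chunked session cookies the way a filter would and reports where a stray "=" sits before the value ever reaches decodeBase64(). It assumes the plugin names its chunks cookiename-0, cookiename-1, ... up to cookiecount, and that the servlet API is on the classpath; the sample cookies are constructed.

```groovy
import javax.servlet.http.Cookie

// Added diagnostic, not plugin code. Assumption: the plugin splits the base64-encoded
// session across cookies named "<cookiename>-0" .. "<cookiename>-(cookiecount-1)" and
// concatenates them before calling decodeBase64().
class CookieSessionDiagnostic {

    // Chunk values in index order; null marks a chunk cookie the browser did not send.
    static List<String> collectChunks(Cookie[] cookies, String cookieName, int cookieCount) {
        (0..<cookieCount).collect { int i ->
            String wanted = cookieName + '-' + i
            cookies?.find { Cookie c -> c.name == wanted }?.value
        }
    }

    // Returns a human-readable reason why decodeBase64() would reject the reassembled
    // value, or null when it is structurally valid base64.
    static String diagnose(List<String> chunks) {
        int last = chunks.findLastIndexOf { it != null }
        if (last < 0) return 'no session chunk cookie present'
        Integer gap = (0..last).find { int i -> chunks[i] == null }
        if (gap != null) return "chunk ${gap} is missing although chunk ${last} was sent"

        String value = chunks[0..last].join('')
        int firstPad = value.indexOf('=')
        if (firstPad >= 0) {
            String tail = value.substring(firstPad)
            if (tail.any { it != '=' }) {
                // Exactly the "= character not at end of base64 value" case: a padded end
                // of a value followed by more data. The chunk index says which cookie
                // boundary to compare against what the server last set.
                return "'=' at offset ${firstPad} (inside chunk ${chunkIndexAt(chunks, firstPad)}) is followed by more data"
            }
            if (tail.length() > 2) return "${tail.length()} padding characters, at most 2 are valid"
        }
        if (value.length() % 4 != 0) return "length ${value.length()} is not a multiple of 4"
        if (!(value ==~ /[A-Za-z0-9+\/]+=*/)) return 'value contains characters outside the base64 alphabet'
        return null
    }

    // Map an offset in the concatenated value back to the chunk that contains it.
    private static int chunkIndexAt(List<String> chunks, int offset) {
        int seen = 0
        for (int i = 0; i < chunks.size(); i++) {
            seen += chunks[i]?.length() ?: 0
            if (offset < seen) return i
        }
        return chunks.size() - 1
    }

    static void main(String[] args) {
        // Constructed sample: base64("hello world") = "aGVsbG8gd29ybGQ=" split into two
        // chunks, once in the right order and once with the chunks swapped.
        Cookie[] ordered = [new Cookie('csp-0', 'aGVsbG8g'), new Cookie('csp-1', 'd29ybGQ=')] as Cookie[]
        Cookie[] swapped = [new Cookie('csp-0', 'd29ybGQ='), new Cookie('csp-1', 'aGVsbG8g')] as Cookie[]
        [ordered, swapped].each { Cookie[] cookies ->
            List<String> chunks = collectChunks(cookies, 'csp', 4)
            String problem = diagnose(chunks)
            if (problem == null) {
                println 'ok: ' + new String(chunks.findAll { it != null }.join('').decodeBase64(), 'UTF-8')
            } else {
                println 'would fail: ' + problem
            }
        }
    }
}
```

Run against the cookies of a failing request (for instance dumped from a filter placed before CookieSessionFilter) to see whether the value is malformed before the plugin decrypts it, rather than after.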
HttpServletResponse.sendError() will cause the response to be committed, and once the response is committed, cookies can no longer be written to the client.
So we should override sendError() of SessionRepositoryResponseWrapper.
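An added illustration of the fix proposed above, not the plugin's own wrapper: an HttpServletResponseWrapper that persists the session before every call that commits the response, so sendError() no longer loses the Set-Cookie headers. The `saveSession` callback is a hypothetical stand-in for the plugin's SessionRepositoryResponseWrapper.saveSession().

```groovy
import javax.servlet.ServletOutputStream
import javax.servlet.http.HttpServletResponse
import javax.servlet.http.HttpServletResponseWrapper
import java.io.PrintWriter

// Added example. Once the response is committed (sendError, sendRedirect, flushBuffer, or
// the first write of the body), Set-Cookie headers can no longer be added, so the
// serialized session must be written out before any of those calls reaches the container.
class SaveBeforeCommitResponseWrapper extends HttpServletResponseWrapper {
    private final Closure<Void> saveSession   // hypothetical: writes the session cookie(s) to this response
    private boolean saved = false

    SaveBeforeCommitResponseWrapper(HttpServletResponse response, Closure<Void> saveSession) {
        super(response)
        this.saveSession = saveSession
    }

    // Idempotent, like the plugin's own wrapper ("session is already saved, not attempting
    // to save again"), and a no-op once the container has already committed the response.
    private void saveOnce() {
        if (!saved && !isCommitted()) {
            saved = true
            saveSession.call(this)
        }
    }

    @Override void sendError(int sc, String msg) { saveOnce(); super.sendError(sc, msg) }
    @Override void sendError(int sc)             { saveOnce(); super.sendError(sc) }
    @Override void sendRedirect(String location) { saveOnce(); super.sendRedirect(location) }
    @Override void flushBuffer()                 { saveOnce(); super.flushBuffer() }
    @Override PrintWriter getWriter()            { saveOnce(); super.getWriter() }
    @Override ServletOutputStream getOutputStream() { saveOnce(); super.getOutputStream() }
}

// Wiring sketch inside a filter; persistSession(...) is a hypothetical name for whatever
// serializes the session and adds the cookies to the wrapped response:
// chain.doFilter(request, new SaveBeforeCommitResponseWrapper(response) { resp -> persistSession(request, resp) })
```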
Hi,
We are using cookie session plugin cookie-session-2.0.18 to maintain the session and we have configured it in spring security compatibility mode. So, we are saving the security context in the session before serialization and reading the security context again after deserializing the session in the next request. We are using KRYO as the serializer. We have encountered a few incidents of session bleeding in which users are getting switched to some other user's session while interacting with the app. This happens only when the app is under load and the apdex score is falling, leading to an app crash. We have tried to debug the problem and found the code in SecurityContextSessionPersistenceListener in which the security context is set from SCH to the session variable SPRING_SECURITY_CONTEXT. We have also put logs in this part and tried to replicate the problem, thinking of this snippet as our culprit. We did not find any problem with this module. Digging further, I came to know that the KRYO serializer is not thread safe and we are using the kryo serializer in our configuration to serialize the session. I found out that the KRYO serializer is initialized in KryoSessionSerializer.groovy's getConfiguredKryoSerializer method in a way which is not thread safe. I am adding the first few lines of this method below:
```groovy
private def getConfiguredKryoSerializer(){
    log.trace "configuring kryo serializer"
    def kryo = new Kryo()
    kryo.setAsmEnabled(true)
    // ... remainder of the method not quoted by the reporter
```
I think this could be leading to session bleeding in our case. Please share your opinion on the same. It would be really appreciated if you could fix this asap.
Regards,
Rubinder Singh
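For the thread-safety concern raised above, an added example (not the plugin's code) of the pattern Kryo's own documentation recommends: one Kryo instance per thread via ThreadLocal, so concurrent requests never share serializer state. The session-map round trip is a constructed check; Kryo on the classpath is assumed.

```groovy
import com.esotericsoftware.kryo.Kryo
import com.esotericsoftware.kryo.io.Input
import com.esotericsoftware.kryo.io.Output
import java.util.concurrent.Callable
import java.util.concurrent.Executors

// Added example: a Kryo instance is stateful (class registrations, reference tracking,
// buffers) and must not be shared between request threads. ThreadLocal gives each
// container worker thread its own instance, created once and then reused.
class ThreadSafeSessionSerializer {

    private static final ThreadLocal<Kryo> KRYO = ThreadLocal.withInitial { ->
        Kryo kryo = new Kryo()
        kryo.registrationRequired = false   // sessions hold arbitrary application classes
        kryo
    }

    static byte[] serialize(Map<String, Object> attributes) {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream()
        Output out = new Output(bytes)
        KRYO.get().writeClassAndObject(out, new HashMap<String, Object>(attributes))
        out.close()
        bytes.toByteArray()
    }

    static Map<String, Object> deserialize(byte[] data) {
        Input input = new Input(data)
        try {
            (Map<String, Object>) KRYO.get().readClassAndObject(input)
        } finally {
            input.close()
        }
    }

    // Constructed check: N threads each round-trip their own session concurrently and
    // verify they always get their own attributes back, never another thread's.
    static boolean roundTripsIsolated(int threads) {
        def pool = Executors.newFixedThreadPool(threads)
        try {
            def results = (1..threads).collect { int i ->
                pool.submit({ ->
                    Map<String, Object> session = [user: "user-${i}".toString(), hits: i]
                    (0..<200).every { deserialize(serialize(session)) == session }
                } as Callable<Boolean>)
            }
            results.every { it.get() }
        } finally {
            pool.shutdown()
        }
    }

    static void main(String[] args) {
        println roundTripsIsolated(8)
    }
}
```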
Hello,
I have created a custom session serializer which implements `SessionSerializer` and that is declared as bean `mySessionSerializer`.
But I cannot use it with: `grails.plugin.cookiesession.serializer = 'mySessionSerializer'`
The reason is that there seems to be a bug in `CookieSessionRepository.groovy`, in the line:
```groovy
else if( applicationContext.containsBean(serializer) && applicationContext.getType(serializer) instanceof SessionSerializer ){
```
Indeed, the test `applicationContext.getType(serializer) instanceof SessionSerializer` is never true.
It is not even true for `javaSessionSerializer`: `applicationContext.getType('javaSessionSerializer') instanceof SessionSerializer` is false.
My two cents is that the test should be `applicationContext.getBean(serializer) instanceof SessionSerializer`, which returns true as expected.
```text
CookieSessionRepository.groovy: 53: unable to resolve class groovy.util.logging.Log4j , unable to find class for annotation
 @ line 53, column 1.
   @log4j
   ^
```
Is there a way to make this work for sessionRegistry? I have confirmed that with the plugin and registering the sessionRegistry bean, I can no longer login. Removing either of the two (either the plugin or the sessionRegistry) solves the issue.
I'm following this post to let me get a list of logged-in users and then, from what I've read, it's also possible to force particular users to be logged out.
http://classpattern.com/spring-security-sessionregistry-on-grails.html#.Vk1FtBArKK4
It looks like there is a known issue with some versions of Kryo when serializing Spring's SimpleGrantedAuthority due to an issue serializing TreeMap. I believe this may be fixed in more current versions of Kryo.
(See http://code.google.com/p/kryo/issues/detail?id=74 and http://grepcode.com/file/repo1.maven.org/maven2/de.javakaffee.msm/msm-kryo-serializer/1.8.1/de/javakaffee/web/msm/serializer/kryo/SpringSecurityUserRegistration.java)
2015-05-19 16:36:52,049 [ERROR] plugins.cookiesession.CookieSessionRepository - An error occurred while deserializing a session.
com.esotericsoftware.kryo.KryoException: java.lang.ClassCastException: org.springframework.security.core.authority.SimpleGrantedAuthority cannot be cast to java.lang.Comparable
Serialization trace:
authorities (com.jaredstewartconfig.authentication.userDetails.CustomUserDetails)
authentication (org.springframework.security.core.context.SecurityContextImpl)
attributes (com.granicus.grails.plugins.cookiesession.SerializableSession)
at com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:125)
at com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:507)
at com.esotericsoftware.kryo.Kryo.readClassAndObject(Kryo.java:776)
at com.esotericsoftware.kryo.Kryo$readClassAndObject$3.call(Unknown Source)
at com.granicus.grails.plugins.cookiesession.UsernamePasswordAuthenticationTokenSerializer.read(KryoSessionSerializer.groovy:402)
at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:694)
at com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:106)
at com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:507)
at com.esotericsoftware.kryo.Kryo.readClassAndObject(Kryo.java:776)
at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:139)
at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:17)
at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:694)
at com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:106)
at com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:507)
at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:672)
at com.esotericsoftware.kryo.Kryo$readObject$2.call(Unknown Source)
at com.granicus.grails.plugins.cookiesession.KryoSessionSerializer.deserialize(KryoSessionSerializer.groovy:85)
at com.granicus.grails.plugins.cookiesession.SessionSerializer$deserialize$0.call(Unknown Source)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.deserializeSession(CookieSessionRepository.groovy:443)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository$deserializeSession$4.callCurrent(Unknown Source)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.restoreSession(CookieSessionRepository.groovy:314)
at com.granicus.grails.plugins.cookiesession.SessionRepositoryRequestWrapper.restoreSession(SessionRepositoryRequestWrapper.java:58)
at com.granicus.grails.plugins.cookiesession.CookieSessionFilter.doFilterInternal(CookieSessionFilter.java:74)
at com.jaredstewart.NoAssetsCookieSessionFilter.super$4$doFilterInternal(NoAssetsCookieSessionFilter.groovy)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.springsource.loaded.ri.OriginalClassInvoker.invoke(OriginalClassInvoker.java:47)
at org.springsource.loaded.ri.ReflectiveInterceptor.jlrMethodInvoke(ReflectiveInterceptor.java:1299)
at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:324)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1206)
at groovy.lang.ExpandoMetaClass.invokeMethod(ExpandoMetaClass.java:1120)
at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:130)
at com.jaredstewart.NoAssetsCookieSessionFilter.doFilterInternal(NoAssetsCookieSessionFilter.groovy:22)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:67)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:315)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.ClassCastException: org.springframework.security.core.authority.SimpleGrantedAuthority cannot be cast to java.lang.Comparable
at java.util.TreeMap.compare(TreeMap.java:1290)
at java.util.TreeMap.put(TreeMap.java:538)
at java.util.TreeSet.add(TreeSet.java:255)
at com.esotericsoftware.kryo.serializers.CollectionSerializer.read(CollectionSerializer.java:112)
at com.esotericsoftware.kryo.serializers.CollectionSerializer.read(CollectionSerializer.java:18)
at com.esotericsoftware.kryo.Kryo.readClassAndObject(Kryo.java:776)
at de.javakaffee.kryoserializers.UnmodifiableCollectionsSerializer.read(UnmodifiableCollectionsSerializer.java:71)
at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:694)
at com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:106)
... 62 more
I updated the cookie plugin, and I think this plugin may use the cookie plugin as a dependency.
Could you check if it's useful?
I was getting some stacktraces while using the Kryo serializer:
com.esotericsoftware.kryo.KryoException: java.lang.ClassCastException: org.codehaus.groovy.grails.web.servlet.GrailsFlashScope cannot be cast to java.util.Comparator
Serialization trace:
headers (org.springframework.security.web.savedrequest.DefaultSavedRequest)
attributes (com.granicus.grails.plugins.cookiesession.SerializableSession)
Error | at com.esotericsoftware.kryo.serializers.FieldSerializer$ObjectField.read(FieldSerializer.java:626)
Error | at com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:221)
Error | at com.esotericsoftware.kryo.Kryo.readClassAndObject(Kryo.java:729)
Error | at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:134)
Error | at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:17)
Error | at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:648)
Error | at com.esotericsoftware.kryo.serializers.FieldSerializer$ObjectField.read(FieldSerializer.java:605)
Error | at com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:221)
Error | at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:626)
Error | at com.esotericsoftware.kryo.Kryo$readObject.call(Unknown Source)
Error | at com.granicus.grails.plugins.cookiesession.KryoSessionSerializer.deserialize(KryoSessionSerializer.groovy:82)
Error | at com.granicus.grails.plugins.cookiesession.SessionSerializer$deserialize.call(Unknown Source)
Error | at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.deserializeSession(CookieSessionRepository.groovy:354)
Error | at com.granicus.grails.plugins.cookiesession.CookieSessionRepository$deserializeSession.callCurrent(Unknown Source)
Error | at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.restoreSession(CookieSessionRepository.groovy:242)
Error | at com.granicus.grails.plugins.cookiesession.SessionRepositoryRequestWrapper.restoreSession(SessionRepositoryRequestWrapper.java:58)
Error | at com.granicus.grails.plugins.cookiesession.CookieSessionFilter.doFilterInternal(CookieSessionFilter.java:74)
Error | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
Error | at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
Error | at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
Error | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
Error | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
Error | at basset.reporting.app.servlet.CoreStaticContentUrlFilter.doFilter(CoreStaticContentUrlFilter.java:35)
Error | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
Error | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
Error | at basset.reporting.app.servlet.CookieSessionInterceptorFilter.doFilter(CookieSessionInterceptorFilter.java:43)
Error | at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
Error | at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
Error | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
Error | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
Error | at org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:67)
Error | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
Error | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
Error | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
Error | at javax.servlet.FilterChain$doFilter.call(Unknown Source)
Error | at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:45)
Error | at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
Error | at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:120)
Error | at org.grails.plugin.resource.ProcessingFilter.doFilter(ProcessingFilter.groovy:44)
Error | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
Error | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
Error | at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
Error | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
Error | at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
Error | at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
Error | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
Error | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
Error | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
Error | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
Error | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
Error | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
Error | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
Error | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
Error | at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
Error | at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
Error | at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
Error | at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
Error | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
Error | at java.lang.Thread.run(Thread.java:680)
Error | Caused by: java.lang.ClassCastException: org.codehaus.groovy.grails.web.servlet.GrailsFlashScope cannot be cast to java.util.Comparator
Error | at com.esotericsoftware.kryo.serializers.DefaultSerializers$TreeMapSerializer.create(DefaultSerializers.java:529)
Error | at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:97)
Error | at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:17)
Error | at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:648)
Error | at com.esotericsoftware.kryo.serializers.FieldSerializer$ObjectField.read(FieldSerializer.java:605)
Error | ... 58 more
Upgrading to the kryo-serializers library v0.26 seemed to resolve this. It's an easy work-around, but the less I have to manage transitive dependencies, the better. :)
Hi
I am trying to make grails cookie-session work with grails-2.3.4, but all seems to be in vain. I also use spring-security-core:2.0-RC2. I keep getting the following exception when trying to access the application URL:
2014-01-04 12:00:09,565 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryResponseWrapper - intercepting getWriter to save session
2014-01-04 12:00:09,565 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryResponseWrapper - saveSession()
2014-01-04 12:00:09,565 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryResponseWrapper - session is already saved, not attempting to save again.
2014-01-04 12:00:09,567 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-04 12:00:09,567 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
| Error 2014-01-04 12:00:09,567 [http-bio-8080-exec-5] ERROR [/].[gsp] - Servlet.service() for servlet [gsp] in context with path [] threw exception
Message: Error applying layout : public
Line | Method
->> 53 | doFilter in /grails-app/views/layouts/public.gsp
| 49 | doFilter in ''
| 82 | doFilter . . . . . . . . in ''
| 102 | invokeWithWrappedRequest in ''
| 69 | doFilter . . . . . . . . in ''
| 78 | doFilterInternal in ''
| 886 | runTask . . . . . . . . in ''
| 908 | run in ''
^ 662 | run . . . . . . . . . . in ''
Caused by GroovyPagesException: Error processing GroovyPageView: null
->> 85 | doFilter in /grails-app/views/layouts/public.gsp
Caused by EmptyStackException: null
->> 85 | peek in java.util.Stack
| 67 | pop in ''
| 53 | doFilter . . . . . . . . in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
| 49 | doFilter in grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter
| 82 | doFilter . . . . . . . . in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 102 | invokeWithWrappedRequest in grails.plugin.springsecurity.web.filter.DebugFilter
| 69 | doFilter . . . . . . . . in ''
| 78 | doFilterInternal in com.granicus.grails.plugins.cookiesession.CookieSessionFilter
| 886 | runTask . . . . . . . . in java.util.concurrent.ThreadPoolExecutor$Worker
| 908 | run in ''
^ 662 | run . . . . . . . . . . in java.lang.Thread
My Config.groovy :
grails.plugin.cookiesession.enabled = true
grails.plugin.cookiesession.encryptcookie = true
grails.plugin.cookiesession.cryptoalgorithm = "Blowfish"
grails.plugin.cookiesession.secret = "i am a secret"
grails.plugin.cookiesession.cookiecount = 5
grails.plugin.cookiesession.maxcookiesize = 10240 // 10kb
grails.plugin.cookiesession.sessiontimeout = 10 // 30 minutes
grails.plugin.cookiesession.cookiename = 'gsession-5'
grails.plugin.cookiesession.serializer = 'kryo'
grails.plugin.cookiesession.springsecuritycompatibility = true
My BuildConfig:
compile ':webxml:1.4.1'
compile ":cookie-session:2.0.13"
When I tried to get back to an old branch (on grails 2.0.3, with spring-security-core:1.2.7.3) and added the same cookie-session plugin, my application worked fine. Any help will be appreciated.
I cannot get kryo to work, I get this exception when hitting any page:
Message: Cannot cast object 'com.esotericsoftware.shaded.org.objenesis.strategy.StdInstantiatorStrategy@3f0f64c2' with class 'com.esotericsoftware.shaded.org.objenesis.strategy.StdInstantiatorStrategy' to class 'org.objenesis.strategy.InstantiatorStrategy'
Line | Method
->> 154 | getConfiguredKryoSerializer in com.granicus.grails.plugins.cookiesession.KryoSessionSerializer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 70 | serialize in ''
| 369 | serializeSession . . . . . in com.granicus.grails.plugins.cookiesession.CookieSessionRepository
| 354 | saveSession in ''
| 95 | saveSession . . . . . . . . in com.granicus.grails.plugins.cookiesession.SessionRepositoryResponseWrapper
| 136 | sendRedirect in ''
| 62 | commence . . . . . . . . . in grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationEntryPoint
| 53 | doFilter in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
| 49 | doFilter . . . . . . . . . in grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter
| 82 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 84 | doFilterInternal . . . . . in com.granicus.grails.plugins.cookiesession.CookieSessionFilter
| 1145 | runWorker in java.util.concurrent.ThreadPoolExecutor
| 615 | run . . . . . . . . . . . . in java.util.concurrent.ThreadPoolExecutor$Worker
^ 745 | run in java.lang.Thread
I'm using Grails 2.4.4, cookie-session 2.0.17, the latest Kryo 3.0.1, spring-security-core 2.0-RC4 and the relevant cookie setting. I can run more tests to pinpoint the issue, or I can provide a minimal Grails app that shows the problem, if needed. I also tried the kryo-shaded release, same error.
Am I doing something wrong?
PS: Thank you for your work on cookie-session. I cannot believe this is not the default in the J2EE world! People are putting session data in the DB, in memcached, in MongoDB… it's crazy! You may want to put a prominent link to some article about the fundamental REST philosophy of the web, such as this great one, that clearly shows that application state belongs to the client, as opposed to resource state.
I'm using cookie-session with spring-security and spring-security-ui.
I have the following settings, as instructed:
grails.plugin.cookiesession.springsecuritycompatibility = true
grails.plugin.springsecurity.useSessionFixationPrevention = false
But the session gets bigger and bigger. For example, just by making a couple of failed logins, the session does not fit on 5 x 2048 cookies anymore and it all bombs out.
How can I tell Spring Security to cleanup after itself?
I think this is a key plugin for anyone looking to run on a stateless platform like Heroku – or just scale horizontally for that matter – and it would be great to have a Grails 3 version.
How to add the code before session destruction?
It does not work; I did the following:
package app
import javax.servlet.http.HttpSessionEvent
import javax.servlet.http.HttpSessionListener
/**
 * Logs session lifecycle events to the console.
 */
class SessionListener implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent event) {
        println "session created " + new Date().toString()
    }
    public void sessionDestroyed(HttpSessionEvent event) {
        println "session destroyed " + new Date().toString()
    }
}
When deploying on Heroku with the default grails buildpack, compilation of an app using the plugin fails because of a Servlet 3.0 API call. The default Heroku buildpack deploys on Jetty 7.x, which doesn't support the 3.0 API. The API call in question is the this.getServletContext() call in SessionRepositoryRequestWrapper.
A workaround might be to call getServletContext() in CookieSessionFilter, and pass the context to SessionRepositoryRequestWrapper in its constructor.
I'm seeing these errors pop up multiple times in our logs:
2013-11-18 14:15:58,027 [http-bio-8082-exec-10] ERROR cookiesession.CookieSessionRepository - cause: null
java.lang.RuntimeException: = character not at end of base64 value
at org.codehaus.groovy.runtime.EncodingGroovyMethods.decodeBase64(EncodingGroovyMethods.java:160)
at org.codehaus.groovy.runtime.dgm$644.invoke(Unknown Source)
at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:271)
at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:112)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.deserializeSession(CookieSessionRepository.groovy:330)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository$deserializeSession$8.callCurrent(Unknown Source)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.restoreSession(CookieSessionRepository.groovy:242)
at com.granicus.grails.plugins.cookiesession.SessionRepositoryRequestWrapper.restoreSession(SessionRepositoryRequestWrapper.java:58)
at com.granicus.grails.plugins.cookiesession.CookieSessionFilter.doFilterInternal(CookieSessionFilter.java:74)
The fact that someone's sending in cookies with invalid values (or no cookies at all) isn't a problem, but these messages kind of spam our logs and obfuscate real errors.
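The session-size report above (a session that no longer fits in 5 x 2048 cookies) and this log-spam report describe the two ends of the same mechanism: a serialized session is base64-encoded and spread over several cookies, and whatever comes back from the browser is concatenated and decoded. The following is an added example, not plugin code and not from either reporter. It chunks a payload against a cookiecount/maxcookiesize budget, refuses to write a session that would overflow it, and on the way back validates the reassembled value before calling decodeBase64(), so a missing, truncated or edited chunk is treated as "no session" rather than surfacing as the "bad character in base64 value" / "= character not at end of base64 value" stack traces seen on this page. The cookie naming scheme (name-0, name-1, ...), the helper names and the constructed payloads are assumptions for the example.

```groovy
// Added example (not cookie-session plugin code): chunk a serialized session across
// several cookies and reassemble it with validation, so a missing, truncated or
// edited chunk becomes "no session" instead of an ERROR with a decodeBase64 stack trace.
import groovy.transform.Field
import java.util.regex.Pattern

// Well-formed base64: legal alphabet, '=' only as final padding. The total length
// must additionally be a multiple of 4, which is checked separately below.
@Field final Pattern BASE64 = Pattern.compile('[A-Za-z0-9+/]*={0,2}')

// Splits the serialized session into cookies named <cookieName>-0, -1, ... (the index
// suffix is an assumption for this example). Fails loudly when the encoded session
// exceeds cookieCount * maxCookieSize, which is the "does not fit on 5 x 2048" case.
Map<String, String> toCookieChunks(byte[] payload, String cookieName, int maxCookieSize, int cookieCount) {
    String encoded = payload.encodeBase64().toString()
    int budget = maxCookieSize * cookieCount
    if (encoded.length() > budget) {
        throw new IllegalStateException("encoded session is ${encoded.length()} chars; budget is ${budget}")
    }
    Map<String, String> cookies = new LinkedHashMap<String, String>()
    int index = 0
    for (int pos = 0; pos < encoded.length(); pos += maxCookieSize) {
        String name = "${cookieName}-${index++}"
        cookies[name] = encoded.substring(pos, Math.min(pos + maxCookieSize, encoded.length()))
    }
    return cookies
}

// Reassembles chunks in index order and validates the whole value before decoding.
// Returns null (treat as no session) for anything malformed; the caller can log that
// at DEBUG, since garbage cookies are a client-side condition, not a server error.
byte[] fromCookieChunks(Map<String, String> cookies, String cookieName, int cookieCount) {
    StringBuilder sb = new StringBuilder()
    for (int i = 0; i < cookieCount; i++) {
        String name = "${cookieName}-${i}"
        String chunk = cookies[name]
        if (chunk == null) break          // first gap ends the sequence
        sb.append(chunk)
    }
    String encoded = sb.toString()
    if (encoded.isEmpty()) return null   // no session cookie at all: a normal first request
    if (encoded.length() % 4 != 0 || !BASE64.matcher(encoded).matches()) {
        return null                      // would otherwise throw "bad character" / "= character not at end"
    }
    return encoded.decodeBase64()
}

// Demo on a constructed 3000-byte payload: 4000 base64 chars -> two cookies of at most 2048.
byte[] session = ("x" * 3000).getBytes("UTF-8")
Map<String, String> jar = toCookieChunks(session, "gsession", 2048, 5)
assert jar.size() == 2
assert Arrays.equals(fromCookieChunks(jar, "gsession", 5), session)

// A chunk cut short by the browser or a proxy: length is no longer a multiple of 4.
Map<String, String> truncated = new LinkedHashMap<String, String>(jar)
truncated["gsession-1"] = jar["gsession-1"].substring(0, jar["gsession-1"].length() - 1)
assert fromCookieChunks(truncated, "gsession", 5) == null

// Padding in the middle of the reassembled value: the "= character not at end" case.
Map<String, String> edited = new LinkedHashMap<String, String>(jar)
String first = jar["gsession-0"]
edited["gsession-0"] = first.substring(0, first.length() - 2) + "=="
assert fromCookieChunks(edited, "gsession", 5) == null

// Over budget: 5 x 2048 chars holds at most 7680 raw bytes before base64 expansion.
try {
    toCookieChunks(new byte[8000], "gsession", 2048, 5)
    assert false, "expected the session to exceed the cookie budget"
} catch (IllegalStateException e) {
    println e.message
}
```

Two practical notes. Browsers cap a single cookie at about 4096 bytes including its name and attributes, so maxcookiesize has to leave headroom below that for the name, path, domain and flags, and the raw budget is three quarters of the character budget because of base64 expansion. And a value that fails validation should never be reported as a server error: the client controls the cookie, so a malformed one is expected input, not a fault in the application.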
unable to resolve class:
org.springframework.security.core.authority.GrantedAuthorityImpl
org.springframework.security.core.GrantedAuthority
org.springframework.security.web.context.SecurityContextRepository
Hello,
I am encountering a problem in 2.0.9 when deserializing the UsernamePasswordAuthenticationToken. With the debugger, I found that Kryo is mixing up the class IDs during deserialization. I did not find the exact root cause. Anyway, bumping the versions of kryo libs to
compile 'com.esotericsoftware.kryo:kryo:2.21'
compile 'de.javakaffee:kryo-serializers:0.23'
solves my problem.
When using the latest grails sdk, cookie-session no longer compiles:
KryoSessionSerializer.groovy: 40: unable to resolve class org.codehaus.groovy.grails.commons.ConfigurationHolder
It seems that a class used by the plugin has been removed by grails.
It looks like the object used to hold keys used by the withForm method isn't serializable and is getting dropped from the session object. either that or the object isn't getting written to/read from the session before or after the cookie session is loaded. need to investigate.
Could you provide guidance on creating a compatible secret for the Blowfish crypto algorithm for use with this plugin? I keep getting the error "Illegal key size or default parameters". The documentation specifies that non-ECB cipher modes, such as 'Blowfish/CBC/PKCS5Padding', require an initialization vector. How do I set the initialization vector?
Thanks
Can I see an example small application?
When setting encryptcookie to true and keeping the default config (Blowfish), encryption does not work.
It generates a java.security.InvalidKeyException ("Illegal key size or default parameters") in CookieSessionRepository.groovy L.234.
It looks like cipher initialization does not work.
cipher.init( Cipher.ENCRYPT_MODE, cryptoKey ).
Tested on JDK7.
Any idea how to solve this issue?
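Both Blowfish reports above fail inside cipher initialisation, and the earlier one also asks how a CBC mode gets its initialization vector. The following is an added example, not plugin code and not from either reporter. It shows where "Illegal key size or default parameters" comes from (the JCE policy cap, which is 128 bits for Blowfish under a restricted-policy JDK such as a stock JDK 7) by checking the secret before it reaches Cipher.init(), and it handles the IV the way a CBC cookie format normally does: a fresh random IV per encryption, stored in front of the ciphertext so the receiver can read it back. The secret, the helper names and the IV-then-ciphertext layout are assumptions for the example, not the plugin's own format.

```groovy
// Added example (not cookie-session plugin code): Blowfish/CBC/PKCS5Padding with a
// per-message random IV, plus the key-size checks behind "Illegal key size".
import groovy.transform.Field
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.security.SecureRandom

@Field final int BLOCK_SIZE = 8   // Blowfish block size in bytes; a CBC IV is one block

// Largest Blowfish key this JVM will accept, in bits. Under the restricted JCE policy
// (JDK 7, JDK 8 before 8u161) this is 128; unrestricted JVMs return Integer.MAX_VALUE.
int maxBlowfishKeyBits() {
    return Cipher.getMaxAllowedKeyLength("Blowfish")
}

// Validates the secret against Blowfish's own range (32..448 bits) and the policy cap
// before it reaches Cipher.init(), so a bad secret fails with a readable message
// rather than InvalidKeyException("Illegal key size or default parameters").
SecretKeySpec blowfishKey(byte[] secret) {
    int bits = secret.length * 8
    if (bits < 32 || bits > 448) {
        throw new IllegalArgumentException("Blowfish keys must be 32..448 bits, got ${bits}")
    }
    if (bits > maxBlowfishKeyBits()) {
        throw new IllegalArgumentException("secret is ${bits} bits but this JVM's JCE policy " +
            "allows at most ${maxBlowfishKeyBits()} bits for Blowfish")
    }
    return new SecretKeySpec(secret, "Blowfish")
}

// Encrypts with a fresh random IV and returns IV || ciphertext (layout assumed for this
// example). The IV is not secret; it only has to be unpredictable and unique per message.
byte[] encrypt(SecretKeySpec key, byte[] plaintext) {
    byte[] iv = new byte[BLOCK_SIZE]
    new SecureRandom().nextBytes(iv)
    Cipher cipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding")
    cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv))
    byte[] body = cipher.doFinal(plaintext)
    byte[] out = new byte[iv.length + body.length]
    System.arraycopy(iv, 0, out, 0, iv.length)
    System.arraycopy(body, 0, out, iv.length, body.length)
    return out
}

// Reads the IV back from the front of the blob and decrypts the remainder.
byte[] decrypt(SecretKeySpec key, byte[] blob) {
    if (blob.length < BLOCK_SIZE) {
        throw new IllegalArgumentException("blob too short to contain an IV")
    }
    Cipher cipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding")
    cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, 0, BLOCK_SIZE))
    return cipher.doFinal(blob, BLOCK_SIZE, blob.length - BLOCK_SIZE)
}

// Demo with a constructed 16-byte secret: 128 bits, inside the restricted-policy cap.
SecretKeySpec key = blowfishKey("0123456789abcdef".getBytes("UTF-8"))
byte[] sealed = encrypt(key, "user=alice;role=ROLE_ADMIN".getBytes("UTF-8"))
assert new String(decrypt(key, sealed), "UTF-8") == "user=alice;role=ROLE_ADMIN"

// A 32-byte secret (256 bits) is a valid Blowfish key but is rejected on a restricted JVM.
try {
    blowfishKey("0123456789abcdef0123456789abcdef".getBytes("UTF-8"))
    println "256-bit Blowfish key accepted: unrestricted JCE policy"
} catch (IllegalArgumentException e) {
    println "256-bit Blowfish key rejected: ${e.message}"
}
```

Two caveats for anyone adopting this shape for a session cookie. First, CBC on its own gives confidentiality only: someone who can edit the cookie can flip bits in the first plaintext block through the IV, and in later blocks through the preceding ciphertext block, without knowing the key, so the stored value should also carry a MAC over IV and ciphertext (or use an AEAD mode) and be rejected before decryption when the tag does not verify. Second, the secret length is the whole story behind the reported error: a secret longer than 16 bytes, or a key derived to more than 128 bits, trips the policy cap on a restricted JDK 7, so either keep the key at 128 bits or install the unlimited-strength policy files.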
java.lang.NoClassDefFoundError: org/springframework/boot/context/embedded/FilterRegistrationBean
Build fails when using cookie-session-3.0.0 version even though I included https://repo.grails.org/grails/plugins.
I had to include the following in repositories to make it work...
maven { url "http://dl.bintray.com/benlucchesi/maven" }
I thought it would be helpful if someone is having the same issue.
In the documentation, the property is sethttponly : grails.plugin.cookiesession.sethttponly (http://plugins.grails.org/plugin/benlucchesi/cookie-session#understanding-cookiecount-and-maxcookiesize)
If we set
grails.plugin.cookiesession.sethttponly = true
it doesn't work.
In the code, the property is httponly (https://github.com/benlucchesi/grails-cookie-session/blob/master/src/main/groovy/grails/plugin/cookiesession/CookieSessionRepository.groovy#L216)
If we set
grails.plugin.cookiesession.httponly = true
it works.
The CookieSessionRepository will store a session cookie, even if it's blank. While this isn't a terrible cost, it does mean unnecessary headers and cookies in each response. It'd be preferable for it to skip the storage of a cookie if the value is blank.
I have a simple registration controller where I create a user, add a role, flush, and then call SpringSecurityService.reauthenticate() to immediately log the user in. This works fine with standard sessions, but doesn't actually log the user in with cookie sessions active. Perhaps the Spring security internals are bypassing the wrapped request to create the security context? Some session debugging showed that after my attempted login, the session does not contain a security context.
The CookieSessionRepository stores cookies at a path of "/". This causes a problem if multiple apps are hosted on the same host. Our app wrote out session cookies that our own Tomcat instances could handle, but another app - on the same host but on a different path from our app - choked on the cookies.
The "want" of this, then, is to make the path to which the cookies are written configurable. A default of "/" is acceptable, but I'd just like to be able to avoid having my app break other apps. :)
Plugin stopped working with browser Mozilla FireFox 20.0. Probably due to https://support.mozilla.org/en-US/questions/955559
Hi, would it be difficult to add support for Tomcat 6? Right now I have a null pointer error in the file CookieSessionRepository.groovy at line 552 when doing: c.httpOnly = httpOnly
Apparently the httpOnly property is only available in Tomcat 7 and not Tomcat 6; do you want to add support for Tomcat 6?
Thanks
It's difficult to vet changes made to the repository when the tests are in a separate repository; and likely a barrier to other potential contributors as well. It'd help quite a lot if the tests repo were merged into this one so it all lives in one place. Was there a technical reason for splitting it apart?
Hi,
If you use the spring security core plugin and set the session fixation prevention to true, then authentication at login fails.
grails.plugins.springsecurity.useSessionFixationPrevention = true
How to create new session after session is destroyed?
I use Grails 2.2.0
Config.groovy:
grails.plugin.cookiesession.enabled = true
grails.plugin.cookiesession.encryptcookie = true
grails.plugin.cookiesession.cryptoalgorithm = "Blowfish"
grails.plugin.cookiesession.secret = ":pt7tYlO0h4v5q"
grails.plugin.cookiesession.cookiecount = 10
grails.plugin.cookiesession.maxcookiesize = 3072
grails.plugin.cookiesession.sessiontimeout = 3600
grails.plugin.cookiesession.cookiename = 'gsession'
For authorization in the project is used the plugin spring-security-core:1.2.7.3.
and the sequence is the following:
1. I log in;
2. I log out;
3. I log in. There is an error:
Class: java.lang.NullPointerException
Message: null
Trace:
Line | Method
->> 44 | doFilterInternal in CookieSessionFilter.java
| 886 | runTask in java.util.concurrent.ThreadPoolExecutor$Worker
| 908 | run . . . . . . in ''
^ 662 | run in java.lang.Thread
thanks,
ildar
I can send the project.
// Plugin package as in cookie-session 3.x; the 2.x releases use com.granicus.grails.plugins.cookiesession
import grails.plugin.cookiesession.SerializableSession
import grails.plugin.cookiesession.SessionSerializer
import org.springframework.beans.factory.InitializingBean
import java.util.logging.Logger

// Minimal SessionSerializer stub, used to check that the plugin picks up a custom serializer bean
class KryoForNewGrailsSerializer implements SessionSerializer, InitializingBean {
    final static Logger log = Logger.getLogger(KryoForNewGrailsSerializer.class.getName())
    @Override
    void afterPropertiesSet() throws Exception {
    }
    @Override
    byte[] serialize(SerializableSession session) {
        return new byte[0]   // stub: writes nothing
    }
    @Override
    SerializableSession deserialize(byte[] serializedSession) {
        return null          // stub: never restores a session
    }
}
Seems like the instanceOf if statement inside CookieSessionRepository is returning false, not sure why. Yes I have added it as a bean to resources.groovy
Hi,
unfortunately flash scopes don't work when I activate the cookie session plugin. This error happens with an existing application. I also tried to create a new app, but once I install and activate the cookie session plugin the flash scope stops working.
Please, any idea about how to solve this problem by myself? Or would be better waiting you to fix the issue?
Thanks,
Thiago
I'm working on an app in a very security conscious environment and having the ability to set the secure flag on the session cookies would be great. This, in combination with SSL, will prevent the commonly mentioned session replay vulnerability with cookie-based sessions because a man-in-the-middle would never be able to grab a cookie in the first place.
Seems like this should be an easy addition.
I have noticed somewhat odd behavior when using Spring Security and Cookie Session plugins together. A controller gets a request to create a new user account. As part of the processing, it (re-)authenticates the user to allow for seamless transition to the site's restricted area. The action concludes with a redirect (to prevent back button problems). There is however no authenticated user found within the action the flow was redirected to. After some debugging I figured this is because no session was actually created so far. That - looking at the code of SessionRepositoryResponseWrapper - means (logically) nothing is saved to cookie, including Spring Security Context. As result no authenticated user is available after the redirect.
Since Grails session is created upon accessing 'session' object within the controller, anything with 'session.' prior the redirect technically takes care of the problem. It is confusing since some operations (like working with flash scope) also create a session under the wraps.
It could be helpful to 1) mention this in plugin documentation (user needs to make sure a session exists if security context is expected to propagate) and 2) establish a configuration parameter that would allow for session creation in the response wrapper.
Anyone faced similar issue ever?
2016-07-20 14:23:42,728 |-ERROR - CookieSessionRepository - An error occurred while deserializing a session.
com.esotericsoftware.kryo.KryoException: java.lang.IndexOutOfBoundsException: Index: 95, Size: 60
Serialization trace:
provider (com.test.MyCommandClass)
current (org.grails.web.servlet.GrailsFlashScope)
attributes (grails.plugin.cookiesession.SerializableSession)
at com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:125)
at com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:507)
at com.esotericsoftware.kryo.Kryo.readClassAndObject(Kryo.java:776)
at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:139)
at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:17)
at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:694)
at com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:106)
at com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:507)
at com.esotericsoftware.kryo.Kryo.readClassAndObject(Kryo.java:776)
at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:139)
at com.esotericsoftware.kryo.serializers.MapSerializer.read(MapSerializer.java:17)
at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:694)
at com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:106)
at com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:507)
at com.esotericsoftware.kryo.Kryo.readObject(Kryo.java:672)
at com.esotericsoftware.kryo.Kryo$readObject$1.call(Unknown Source)
at grails.plugin.cookiesession.KryoSessionSerializer.deserialize(KryoSessionSerializer.groovy:85)
at grails.plugin.cookiesession.SessionSerializer$deserialize.call(Unknown Source)
at grails.plugin.cookiesession.CookieSessionRepository.deserializeSession(CookieSessionRepository.groovy:450)
at grails.plugin.cookiesession.CookieSessionRepository$deserializeSession$0.callCurrent(Unknown Source)
at grails.plugin.cookiesession.CookieSessionRepository.restoreSession(CookieSessionRepository.groovy:317)
at grails.plugin.cookiesession.SessionRepositoryRequestWrapper.restoreSession(SessionRepositoryRequestWrapper.java:59)
at grails.plugin.cookiesession.CookieSessionFilter.doFilterInternal(CookieSessionFilter.java:78)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:120)
at org.springframework.boot.context.web.ErrorPageFilter.access$000(ErrorPageFilter.java:61)
at org.springframework.boot.context.web.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:95)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:113)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1502)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1458)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IndexOutOfBoundsException: Index: 95, Size: 60
at java.util.ArrayList.rangeCheck(ArrayList.java:653)
at java.util.ArrayList.get(ArrayList.java:429)
at com.esotericsoftware.kryo.util.MapReferenceResolver.getReadObject(MapReferenceResolver.java:42)
at com.esotericsoftware.kryo.Kryo.readReferenceOrNull(Kryo.java:820)
at com.esotericsoftware.kryo.Kryo.readObjectOrNull(Kryo.java:743)
at com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:113)
... 52 common frames omitted
If a user successfully logs in to a site www.test.com and then is redirected to www2.test.com (which is the same web app), will the sessions be different? Know what I mean?
I'd like the sessions to be the same, so a user can authenticate and then be redirected back to same site with a site id; www2.
This is like sticky sessions and I know bad things will happen if www2 goes down, but it doesn't seem possible with this plugin. Or is it just me? My config below
grails:
plugin:
cookiesession:
enabled: true
cryptoalgorithm: "Blowfish"
secret: "sdfasflasdf"
cookiecount: 10
maxcookiesize: 2048 # 2kb
sessiontimeout: 3600 # one hour
cookiename: 'gsession'
condenseexceptions: false
path: '/'
domain: 'test.com'
First off, thank you very much for providing this plugin and continuing the development effort on it.
Everything seems to work fine for me while using the plugin in tandem with spring-security, however logout doesn't seem to function properly. When I log out via the provided spring-security controller, my cookie remains stored in the browser and subsequent log in attempts fail to replace the cookie. When I delete the cookie manually, I am then able to log in.
Here is my config for reference:
cookiesession {
enabled = true
encryptcookie = true
cryptoalgorithm = "Blowfish"
cookiecount = 10
maxcookiesize = 4096 // 4kb
sessiontimeout = 3600 * 24 // one day
cookiename = 'some.name'
condenseexceptions = true
setsecure = false
serializer = 'java'
springsecuritycompatibility = true
}
I appreciate any help you can provide. I will continue to investigate.
Thanks!
In upgrading from Grails 2.2.1 to Grails 2.3.0, we somehow lost the auto-wiring of CookieSessionFilter into the filter chain. I have to manually wire the beans together in my resources.groovy file and then add in the DelegatingFilterProxy explicitly to my web.xml.
I'm not sure if the plugin has been validated against Grails 2.3.0, much less a Mavenized Grails 2.3.0 project (which comes with its own joys and surprises).
Hi benlucchesi,
I am using the cookie session plugin, but I found that sometimes it fails while deserializing the session. The stacktrace is given below.
2015-10-21 15:14:37,407 [http-bio-8080-exec-576] ERROR cookiesession.CookieSessionRepository - An error occurred while deserializing a session.
java.lang.RuntimeException: bad character in base64 value
at org.codehaus.groovy.runtime.EncodingGroovyMethods.decodeBase64(EncodingGroovyMethods.java:177)
at org.codehaus.groovy.runtime.dgm$661.invoke(Unknown Source)
at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:271)
at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:112)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.deserializeSession(CookieSessionRepository.groovy:410)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository$deserializeSession$16.callCurrent(Unknown Source)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.restoreSession(CookieSessionRepository.groovy:314)
at com.granicus.grails.plugins.cookiesession.SessionRepositoryRequestWrapper.restoreSession(SessionRepositoryRequestWrapper.java:58)
at com.granicus.grails.plugins.cookiesession.CookieSessionFilter.doFilterInternal(CookieSessionFilter.java:74)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:67)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at javax.servlet.FilterChain$doFilter$4.call(Unknown Source)
at com.brandseye.cors.CorsFilter.doFilterInternal(CorsFilter.groovy:32)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)