Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0010320Openbravo ERPA. Platformpublic2009-08-18 21:392009-08-21 00:00
Reportershuehner 
Assigned Toshuehner 
PriorityurgentSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Versionpi 
Target VersionFixed in Version 
Merge Request Status
Review Assigned To
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0010320: Exception in log always after pressing logout: Cannot create a session after the response has been committed
DescriptionAfter merging the obps security branch the following exception happens always when pressing the logout button:

36253 [http-8080-4] INFO org.openbravo.erpCommon.security.SessionListener - Closed session4FB7D467CE594D31AC9943F0AE16468D
36273 [http-8080-5] ERROR org.openbravo.erpCommon.security.Logout - Error captured:
java.lang.IllegalStateException: Cannot create a session after the response has been committed
    at org.apache.catalina.connector.Request.doGetSession(Request.java:2301)
    at org.apache.catalina.connector.Request.getSession(Request.java:2075)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:844)
    at org.openbravo.authentication.basic.DefaultAuthenticationManager.logout(DefaultAuthenticationManager.java:112)
    at org.openbravo.base.secureApp.HttpSecureAppServlet.logout(HttpSecureAppServlet.java:466)
    at org.openbravo.erpCommon.security.Logout.doPost(Logout.java:37)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at org.openbravo.base.HttpBaseServlet.serviceInitialized(HttpBaseServlet.java:224)
    at org.openbravo.base.secureApp.HttpSecureAppServlet.service(HttpSecureAppServlet.java:327)
...
Steps To ReproduceLogin
Logout
see logfile/eclipse-console
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2009-08-18 21:39shuehnerNew Issue
2009-08-18 21:39shuehnerAssigned To => shuehner
2009-08-18 21:39shuehnerOBNetwork customer => No
2009-08-18 21:44shuehnerNote Added: 0019022
2009-08-19 06:39rafarodaStatusnew => scheduled
2009-08-19 14:37hgbotCheckin
2009-08-19 14:37hgbotNote Added: 0019057
2009-08-19 14:37hgbotStatusscheduled => resolved
2009-08-19 14:37hgbotResolutionopen => fixed
2009-08-19 14:37hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/59c0ede95a86d4d18b3180c52f0947c8796b5cc1 [^]
2009-08-20 13:53plujanStatusresolved => closed
2009-08-21 00:00anonymoussf_bug_id0 => 2841478

Notes
(0019022)
shuehner   
2009-08-18 21:44   
Problem is that on Logout the logout method in HSAS is called, which does invalidate the HTTP session (which is the technical logout), and then calls the logout method of the currently active AuthenticationManager.

The DefaultAuthenticationManager does then try to remove the #Authenticated_user attribute from the session (which is already destroyed/invalidated). While doing this the code tries to recreated the seesion with getSession(true) which is not necessary and not possible after the session has been invalidated in the same response.
(0019057)
hgbot   
2009-08-19 14:37   
Repository: erp/devel/pi
Changeset: 59c0ede95a86d4d18b3180c52f0947c8796b5cc1
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Wed Aug 19 14:37:33 2009 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/59c0ede95a86d4d18b3180c52f0947c8796b5cc1 [^]

Fixed 10320: On logout only remove the #Authenticated_user attribute, if the session has not already been invalidated
- If it has not need to do anything otherwiese remove attribute without checking, as removeAttribute is a no-op with the attr missing

---
M src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
---