cayenne-commits mailing list archives

From "Andrus Adamchik (JIRA)" <>
Subject [jira] [Closed] (CAY-1739) Cayenne ROP server resets session on every request if BASIC auth is used
Date Sat, 15 Sep 2012 02:09:07 GMT


Andrus Adamchik closed CAY-1739.

       Resolution: Fixed
    Fix Version/s: 3.2M1

A workaround for Tomcat. Just add a context.xml file to the META-INF/ dir of the webapp, with
the following contents:

	<!-- META-INF/context.xml: the Valve must sit inside the Context root element -->
	<Context>
		<Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
				changeSessionIdOnAuthentication="false" />
	</Context>

This is also placed in 3.1 and 3.2 docs, and added to the tutorial code. In the future we
may do something more advanced:
> Cayenne ROP server resets session on every request if BASIC auth is used
> ------------------------------------------------------------------------
>                 Key: CAY-1739
>                 URL:
>             Project: Cayenne
>          Issue Type: Bug
>    Affects Versions: 3.1B1
>            Reporter: Andrus Adamchik
>            Assignee: Andrus Adamchik
>             Fix For: 3.1B2, 3.2M1
> Per
> Tomcat 7 resets HTTP session on every ROP request resulting in a loss of state on the client.

> I reproduced that on Tomcat 7 and Jetty 8. Jetty 6 works correctly. 
> Debugging on Jetty shows that if BASIC auth is present, container invalidates the existing session and creates a new one during auth credentials checking phase. So it goes like this:
> 1. Connect ... session1 is established
> 2. Bootstrap ... session1 cookie is accepted, but session is immediately invalidated and session2 is created
> 3. Commit ... Client still sends session1 cookie, while the server expects session2, causing an exception:
> org.apache.cayenne.remote.service.MissingSessionException: [v.3.2M1-SNAPSHOT Sep 10 2012 23:14:19] No session associated with request.
> 	at org.apache.cayenne.remote.service.BaseRemoteService.processMessage(
> I wonder if the new servlet spec is specifying this behavior (?).
> A possible fix is to read the session cookie on the client and reset session ID on every
> A hideous workaround for the users is to remove BASIC auth.
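
As an added illustration (not Cayenne, Tomcat or Jetty code), a Python model of the three-step exchange in the report: a constructed server that checks BASIC credentials on each request and optionally rotates the session id the way changeSessionIdOnAuthentication does, driven by a client that either pins its first cookie, as the ROP client did, or tracks Set-Cookie on every reply. The session ids, messages and error text are constructed; it shows why both the changeSessionIdOnAuthentication="false" workaround and the client-side fix suggested in the description avoid the MissingSessionException.

```python
import itertools

class MissingSessionException(Exception):
    """Raised when a request's cookie names no live server session."""

class RopServer:
    """Toy model of servlet container + Cayenne ROP service (constructed)."""

    def __init__(self, change_session_id_on_auth: bool):
        # Mirrors Tomcat's BasicAuthenticator changeSessionIdOnAuthentication.
        self.rotate = change_session_id_on_auth
        self.sessions = set()
        self._ids = itertools.count(1)

    def _new_session(self) -> str:
        sid = f"session{next(self._ids)}"
        self.sessions.add(sid)
        return sid

    def handle(self, message: str, cookie):
        """One authenticated request; returns (reply, session cookie to set)."""
        if cookie is not None and cookie not in self.sessions:
            raise MissingSessionException(f"cookie {cookie} names no session")
        sid = cookie
        if sid is not None and self.rotate:
            # BASIC credentials are checked on every request; with rotation on,
            # the authenticator drops session1 and issues session2.
            self.sessions.discard(sid)
            sid = self._new_session()
        if sid is None:
            if message != "Connect":
                raise MissingSessionException("no session on non-Connect request")
            sid = self._new_session()
        return f"{message} ok", sid

def run_exchange(server: RopServer, track_set_cookie: bool):
    """Client side of Connect -> Bootstrap -> Commit: (cookies sent, outcome)."""
    cookie, sent = None, []
    for message in ("Connect", "Bootstrap", "Commit"):
        sent.append(cookie)
        try:
            _, new_cookie = server.handle(message, cookie)
        except MissingSessionException as exc:
            return sent, f"MissingSessionException: {exc}"
        # A client that ignores Set-Cookie after the first reply pins session1,
        # which is what the report describes.
        if cookie is None or track_set_cookie:
            cookie = new_cookie
    return sent, "ok"
```

Turning rotation off also gives up the container's session-fixation protection for that webapp, so the client-side fix (honouring Set-Cookie on every reply) is the one that keeps both behaviours intact.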
