Bug 1316949

Summary: Active-sessions can exceed property MAX_ACTIVE_SESSIONS
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Michael Cada <mcada>
Component: Web
Assignee: Enrique Gonzalez Martinez <egonzale>
Status: CLOSED WONTFIX
QA Contact: Radim Hatlapatka <rhatlapa>
Severity: medium
Priority: unspecified
Version: 6.4.7
CC: bbaranow, egonzale, rmaucher
Doc Type: Bug Fix
Last Closed: 2016-03-21 07:07:31 UTC
Type: Bug
Attachments (description, flags):
  Simple web app for session counting (flags: none)
  Simple web app for session counting (flags: none)
  patch 7.5.x (flags: none)

Description Michael Cada 2016-03-11 14:02:26 UTC
Created attachment 1135254
Simple web app for session counting

Description of problem:

If you start EAP with org.apache.catalina.session.StandardManager.MAX_ACTIVE_SESSIONS set and then create sessions in parallel, you can exceed this limit.


How reproducible: 90%


Steps to Reproduce:
1. Start EAP with:
      ./standalone.sh -Dorg.apache.catalina.session.StandardManager.MAX_ACTIVE_SESSIONS=3
2. Deploy attached application something.war 
3. Connect to jboss-cli and check web resource status for something.war:
      /deployment=something.war/subsystem=web:read-resource(include-runtime=true)
4. Open more sessions than MAX_ACTIVE_SESSIONS (I tried it with 16) in parallel on URL:
      http://localhost:8080/something/SessionAccessCounter
5. Check web resource status again

Actual results:
There can be more active-sessions than you set with property MAX_ACTIVE_SESSIONS


Expected results:
All sessions over MAX_ACTIVE_SESSIONS limit are rejected

Comment 1 Michael Cada 2016-03-11 14:36:30 UTC
Created attachment 1135260
Simple web app for session counting

Comment 2 Enrique Gonzalez Martinez 2016-03-15 08:33:05 UTC
It is a race condition in the StandardManager class.

When the session is created, the manager tries to calculate the number of active sessions

https://source.jboss.org/browse/JBossWeb/branches/7.5.x/src/main/java/org/apache/catalina/session/StandardManager.java?hb=true#to295

and after that it creates the session, adding it to the session map:
https://source.jboss.org/browse/JBossWeb/branches/7.5.x/src/main/java/org/apache/catalina/session/StandardManager.java?hb=true#to300

This is the cause of the race condition. This makes it possible to create more sessions than the property MAX_ACTIVE_SESSIONS allows.

Comment 3 Enrique Gonzalez Martinez 2016-03-15 08:57:33 UTC
Created attachment 1136458
patch 7.5.x

Guarding the concurrent block to avoid the race condition.
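
The check-then-act race described in comment 2, next to a guarded version of the same block, as an added example. It is not the JBossWeb StandardManager source and not the attached patch: the class and method names are hypothetical, and a single lock around the count check and the map insert is assumed as one way of guarding the block.

```java
import java.util.Map;
import java.util.concurrent.*;

// Hypothetical model of a session manager; not the JBossWeb StandardManager source.
public class SessionLimitRace {
    static final int MAX_ACTIVE_SESSIONS = 3;   // limit used in the reproduction steps
    static final int CLIENTS = 16;              // parallel clients used in the reproduction steps

    final Map<String, Object> sessions = new ConcurrentHashMap<>();

    // Check-then-act: the count check and the insert are two separate steps,
    // so several threads can pass the check before any of them inserts.
    boolean createUnguarded(String id) {
        if (sessions.size() >= MAX_ACTIVE_SESSIONS) return false;
        Thread.yield();                          // widen the race window for the demo
        sessions.put(id, new Object());
        return true;
    }

    // Guarded: the check and the insert run under one lock, so the limit holds.
    synchronized boolean createGuarded(String id) {
        if (sessions.size() >= MAX_ACTIVE_SESSIONS) return false;
        sessions.put(id, new Object());
        return true;
    }

    // Starts CLIENTS threads at once and returns the resulting session count.
    static int run(boolean guarded) throws Exception {
        SessionLimitRace mgr = new SessionLimitRace();
        ExecutorService pool = Executors.newFixedThreadPool(CLIENTS);
        CountDownLatch start = new CountDownLatch(1);
        for (int i = 0; i < CLIENTS; i++) {
            final String id = "s" + i;           // constructed session ids
            pool.submit(() -> {
                start.await();                   // release all threads together
                return guarded ? mgr.createGuarded(id) : mgr.createUnguarded(id);
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);
        return mgr.sessions.size();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("limit: " + MAX_ACTIVE_SESSIONS);
        System.out.println("unguarded active sessions: " + run(false));
        System.out.println("guarded active sessions:   " + run(true));
    }
}
```

The unguarded count depends on thread scheduling and can differ between runs, which matches the less-than-100% reproducibility in the report; the guarded count cannot exceed the limit.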