Bug 1316949 - Active-sessions can exceed property MAX_ACTIVE_SESSIONS
Active-sessions can exceed property MAX_ACTIVE_SESSIONS
Status: CLOSED WONTFIX
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web (Show other bugs)
6.4.7
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Enrique Gonzalez Martinez
Radim Hatlapatka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-11 09:02 EST by Michael Cada
Modified: 2016-03-21 03:07 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-21 03:07:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Simple web app for session counting (2.66 KB, application/zip)
2016-03-11 09:02 EST, Michael Cada
no flags Details
Simple web app for session counting (2.78 KB, application/zip)
2016-03-11 09:36 EST, Michael Cada
no flags Details
patch 7.5.x (998 bytes, patch)
2016-03-15 04:57 EDT, Enrique Gonzalez Martinez
no flags Details | Diff

  None (edit)
Description Michael Cada 2016-03-11 09:02:26 EST
Created attachment 1135254 [details]
Simple web app for session counting

Description of problem:

If you start EAP with org.apache.catalina.session.StandardManager.MAX_ACTIVE_SESSIONS set and then create sessions in parallel, you can exceed this limit.


How reproducible: 90%


Steps to Reproduce:
1. Start EAP with:
      ./standalone.sh -Dorg.apache.catalina.session.StandardManager.MAX_ACTIVE_SESSIONS=3
2. Deploy attached application something.war 
3. Connect to jboss-cli and check web resource status for something.war:
      /deployment=something.war/subsystem=web:read-resource(include-runtime=true)
4. Open more sessions than MAX_ACTIVE_SESSIONS (I tried it with 16) in parallel on URL:
      http://localhost:8080/something/SessionAccessCounter
5. Check web resource status again

Actual results:
There can be more active-sessions than you set with property MAX_ACTIVE_SESSIONS


Expected results:
All sessions over MAX_ACTIVE_SESSIONS limit are rejected
Comment 1 Michael Cada 2016-03-11 09:36 EST
Created attachment 1135260 [details]
Simple web app for session counting
Comment 2 Enrique Gonzalez Martinez 2016-03-15 04:33:05 EDT
It is a race condition in the StandardManager class

when the session is created, the manager tries to calculate the number of active sessions

https://source.jboss.org/browse/JBossWeb/branches/7.5.x/src/main/java/org/apache/catalina/session/StandardManager.java?hb=true#to295

and after that it creates the session adding it to the session map
https://source.jboss.org/browse/JBossWeb/branches/7.5.x/src/main/java/org/apache/catalina/session/StandardManager.java?hb=true#to300

This is the cause of the race condition. this makes possible to create more sessions that the property MAX_ACTIVE_SESSIONS
Comment 3 Enrique Gonzalez Martinez 2016-03-15 04:57 EDT
Created attachment 1136458 [details]
patch 7.5.x

guarding the concurrent block for avoiding the race condition.

Note You need to log in before you can comment on or make changes to this bug.