Cannot create a session after the response has been committed

**mraible** · Mar 2nd, 2006, 06:45 PM

I'm doing some performance testing on an AppFuse-based application that uses Acegi Security heavily. Using 20 concurrent users, I start to see the following error after about 6 minutes:

Code:

ERROR [http-8080-Processor25] [jsp].invoke(260) | Servlet.service() for servlet jsp threw exception
java.lang.IllegalStateException: Cannot create a session after the response has been committed
        at org.apache.catalina.connector.Request.doGetSession(Request.java:2206)
        at org.apache.catalina.connector.Request.getSession(Request.java:2024)
        at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:831)
        at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:215)
        at org.acegisecurity.ui.WebAuthenticationDetails.<init>(WebAuthenticationDetails.java:55)
        at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.createAuthentication(AnonymousProcessingFilter.java:99)
        at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:140)
        at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:165)
        at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:50)
        at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:246)
        at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:220)
        at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:173)
        at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:120)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:613)

This seems to be triggered by my logout.jsp, which is:

Code:

%@ include file="/common/taglibs.jsp"%>
<%@ page import="javax.servlet.http.Cookie" %>
<%@ page import="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices" %>

<%
session.invalidate();
Cookie terminate = new Cookie(TokenBasedRememberMeServices.ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, null);

terminate.setMaxAge(0);
response.addCookie(terminate);
%>

<c:redirect url="/"/>

I've tried changing <c:redirect/> to <jsp:forward/>, but that didn't help either. BTW, it's cool to see that forwarding now works (I'm using AS 1.0.0 RC2) - I remember having to redirect in previous versions.

The strange thing is that everything works fine under normal load, and you never see this exception in the logs. It only happens under heavy load - but it takes 6 minutes or so for this to happen.

The good news is I've been able to achieve the following numbers (don't know how these compare to others):

20 active users
41 pages per second
10 MB per second

In 130,000 pages served, errors only occur on 415, and they're all from logout.jsp. 0.32 % isn't too bad is my guess. ;-)

Any ideas why logout.jsp could be causing this problem? It's possible my test is invalid. However, all I did was recorded using WAPT - and clicked through 45 different pages, logging out at the end.

http://www.loadtestingtool.com/

Thanks,

Matt

**katentim** · Mar 3rd, 2006, 03:39 AM

Any ideas why logout.jsp could be causing this problem?

Not sure, but it mnay be related to SEC-200. I haven't looked into what's causing this yet.

**Ben Alex** · Mar 6th, 2006, 08:56 AM

Would it be possible to record a test using Contacts, so that I have something we can run it against at this end?

**Luke Taylor** · Mar 6th, 2006, 02:16 PM

I think it would be worth verifying that it's not some problem with WAST and its session handling. I remember having trouble with it in the (distant) past.

**Luke Taylor** · Mar 6th, 2006, 02:28 PM

Sorry, I read WAST for WAPT... I haven't used WAPT

**Ben Alex** · Mar 7th, 2006, 06:46 AM

We believe this is fixed in CVS as per http://opensource2.atlassian.com/pro...browse/SEC-211 - would you please try CVS HEAD and comment on the issue as to whether it works for you.

Thanks
Ben

**Sam Brannen** · Mar 20th, 2006, 06:02 AM

Hi Ben,

Originally Posted by Ben Alex

We believe this is fixed in CVS as per http://opensource2.atlassian.com/pro...browse/SEC-211 - would you please try CVS HEAD and comment on the issue as to whether it works for you.

I was experiencing the exact same problem. This was, however, only occurring if you attempted to logout when you were not currently logged in.

In the latest nightly snapshot from CVS, acegisecurity-2006-03-17_145720, this appears to be fixed.

Thanks
Ben

Thank you!

- Sam

**mraible** · Mar 20th, 2006, 03:56 PM

Sorry, I must've not had a subscription to this thread b/c I've missed all the replies. Is it possible to download the nightly build from somewhere?

**Luke Taylor** · Mar 20th, 2006, 04:32 PM

No, but there are a nightly archives of the source tree at

acegisecurity.sourceforge.net/nightly

(Obviously the 700k plus ones are the ones to go for).

**Dosihris** · Jun 23rd, 2007, 11:37 AM

Hi, this is almost 3 years ago, but today i have the same problem. i downloaded the acegi 1.0.4 right now (before i used 1.0.3), and i still have this problem when i wanna logout. i get this exception

Code:

java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.catalina.connector.Request.doGetSession(Request.java:2214)
	at org.apache.catalina.connector.Request.getSession(Request.java:2024)
	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:831)
	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:842)
	at de.nfranze.sf.servlets.URLFilter.doFilter(URLFilter.java:24)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:174)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Unknown Source)

Does anybody know whats wrong here?

Thread: Cannot create a session after the response has been committed

Thread Tools

Display

Cannot create a session after the response has been committed

Posting Permissions