ClassCastException: org.jsecurity.web.servlet.JSecurityHttpSession

Hi,

Came across JSecurity and it looks interesting. I ran the quickstart sample fine, but the spring example gives me a ClassCastException: org.jsecurity.web.servlet.JSecurityHttpSession when I try to log in. This is from the beta2 after running ant samples and deploying jsecurity-spring.war to Jetty 6.1.10. Any ideas?

Please let me know if I need to provide more info or if I missed something.

Thanks!
Freddy

Re: ClassCastException

This is a Jetty bug.

Explanation:

When using Enterprise sessions (as the jsecurity-spring sample app does), the servlet container's HttpSession is not used. When you interact with an HttpServletRequest, the JSecurityFilter intercepts it and wraps the container's HttpServletRequest with its own implementation. This is required so when you call httpServletRequest.getSession(), it bypasses the container's method entirely and it instead returns an HttpSession implementation that wraps the underlying 'real' JSecurity enterprise session instead of the container's HttpSession.

This is required for heterogeneous client access - if using standard container sessions, a standalone desktop application could not access the same exact session that a web MVC framework uses - different http socket clients mean different http sessions (until JSecurity came along of course). JSecurity's enterprise session management allows this via the filter swapping technique discussed above.

Apparently when the sample app tries to issue a forward, Jetty's servlet Dispatcher is attempting to cast the HttpSession instance to its own implementation. But since the instance is a JSecurityHttpSession instead, you see the exception. This is bad practice because a servlet Filter is allowed to do what I describe above. That Jetty does the cast without checking for instanceof or just using the HttpSession interface "as is" appears to be a lack of flexibility regarding Servlet Filters on the Jetty team's part.

Tomcat on the other hand works perfectly.

I recommend that you open a bug report to the Jetty team.

Best regards,

Les

P.S. Here is the relevant stack trace that you can use to report it with:

java.lang.ClassCastException: org.jsecurity.web.servlet.JSecurityHttpSession
at org.mortbay.jetty.servlet.AbstractSessionManager.access(AbstractSessionManager.java:106)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:162)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.servlet.Dispatcher.forward(Dispatcher.java:285)
at org.mortbay.jetty.servlet.Dispatcher.forward(Dispatcher.java:126)
at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:171)
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:251)
at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1160)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:901)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:809)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:476)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:431)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:49)
at org.jsecurity.web.servlet.WebInterceptorFilter.doFilter(WebInterceptorFilter.java:66)
at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:54)
at org.jsecurity.web.servlet.WebInterceptorFilter.doFilter(WebInterceptorFilter.java:66)
at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:54)
at org.jsecurity.web.servlet.WebInterceptorFilter.doFilter(WebInterceptorFilter.java:66)
at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:54)
at org.jsecurity.web.servlet.WebInterceptorFilter.doFilter(WebInterceptorFilter.java:66)
at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:54)
at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:519)
at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:111)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)
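
The failure mode described in the reply above, as an added example that is not part of the original thread and is not Jetty or JSecurity source. All types here (Session, ContainerSession, FilterSession) are hypothetical stand-ins for HttpSession, the container's own session class, and a session object supplied by a filter's request wrapper; the checked variant shows the instanceof guard the reply refers to.

```java
// Added illustration: stand-in types only, not Jetty or JSecurity code.
public class SessionCastDemo {
    /** Stands in for javax.servlet.http.HttpSession. */
    interface Session { String getId(); }

    /** Stands in for the container's own session implementation. */
    static final class ContainerSession implements Session {
        long lastAccessed;
        public String getId() { return "container-1"; }
        void access(long now) { lastAccessed = now; }   // container-internal bookkeeping
    }

    /** Stands in for a session object returned by a filter's request wrapper. */
    static final class FilterSession implements Session {
        public String getId() { return "enterprise-1"; }
    }

    /** Unchecked downcast: throws for any Session the container did not create. */
    static void accessUnchecked(Session s, long now) {
        ((ContainerSession) s).access(now);
    }

    /** Checked variant: bookkeeping only when the object is the container's own type. */
    static boolean accessChecked(Session s, long now) {
        if (s instanceof ContainerSession) {
            ((ContainerSession) s).access(now);
            return true;
        }
        return false;   // foreign implementation: use it through the interface only
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        Session own = new ContainerSession();
        Session wrapped = new FilterSession();

        accessUnchecked(own, now);                       // container's own type: no error
        try {
            accessUnchecked(wrapped, now);               // filter-supplied type
        } catch (ClassCastException e) {
            System.out.println("unchecked cast failed: " + e.getMessage());
        }
        System.out.println("checked, own: " + accessChecked(own, now));
        System.out.println("checked, wrapped: " + accessChecked(wrapped, now));
    }
}
```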

Re: ClassCastException

Les,

Thanks very much for taking the time to reply and for the detailed explanation. I will see about addressing the issue with Jetty. In the meantime, I'll try the example out with Tomcat.

Cheers,
Freddy
http://jroller.com/javelotinfo/

Re: Re: ClassCastException

Hi Freddy,

Sounds good. Please keep us posted on your feedback from the Jetty team.

Cheers,

Les

Re: Re: ClassCastException

Hi Les,

Will do. I'll let you know if they address the issue. Here's a link to the issue that I opened if you're interested in checking on the progress.

http://jira.codehaus.org/browse/JETTY-595

Cheers,
Freddy

Re: Re: Re: ClassCastException

Hi Freddy,

I've added myself as a 'watcher' to that Jira issue, so I'll see any changes as they occur.

Thanks for the notice!

Regards,

Les