Session mix up - apache httpd with mod_jk, tomcat, spring security - serving data of other user


Problem description

Recently we have faced a serious problem, that one user was served data of another user. This problem is almost impossible to reproduce.

We are using standard logged-users-management provided by Spring-security, and we are sure that the problem isn't in storing user in instance variable or similar concurrency stuff in our app.

We really doubt that the problem is in SpringSecurity or Tomcat itself.

Our front-server is apache httpd, connected to tomcat via ajp connector (mod_jk). We are not doing any load balancing (httpd cares just about SSL, some url rewrites and serving some php modules).

Here is our setup:

## OS
OS Name:        Linux 
OS Version:     2.6.32-5-686
Architecture:   i386

## Apache httpd
Server version: Apache/2.2.16 (Debian)
Server built:   Sep  4 2011 20:27:42

## mod_jk
mod_jk/1.2.30 (installed via apt-get)

## JVM
JVM Version:    1.6.0_18-b18
JVM Vendor:     Sun Microsystems Inc.

## Tomcat
Server version: Apache Tomcat/6.0.28
Server built:   February 12 2011 1443

We blame httpd / mod_jk for this session mix up, so our only solution would be to remove apache httpd. But before we leave this popular and widely used configuration, we would like to know if anyone has faced a similar problem.

The only similar problems I have found were in load balancing or mod_jk.

Have you ever faced some similar problem? Any hints, ideas, links or experience will be highly appreciated. Thanks!

Recommended answer

So far we were not able to reproduce the bug, but we have found that some people faced the same problem with mod_jk:

  • https://issues.apache.org/bugzilla/show_bug.cgi?id=47714
  • http://grails.1312388.n4.nabble.com/Spring-Security-after-log-in-user-changed-and-session-mixed-up-td4636714.html (at the bottom)

So now we are running with these settings:

  • JkOptions DisableReuse : http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
  • worker retries = 0 : http://tomcat.apache.org/connectors-doc/reference/workers.html#Advanced Worker Directives

And we are planning to switch mod_jk for mod_proxy_http.

I am leaving this question unanswered, because I can't assure (and nobody facing the same problem was able to assure) that the solution fixes the bug.

If anyone could share any information, I would appreciate it a lot! Thanks.
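To make the suspected failure mode concrete, here is an added example (my own code, not from the question, the answer, Tomcat or mod_jk). It runs a toy backend standing in for Tomcat in two variants and a probe that sends requests belonging to several sessions either down one reused connection (what a connector recycling a backend connection across front-end clients does) or over a fresh connection per request (the effect of `JkOptions +DisableReuse`). The session table, user names and the `/whoami` path are constructed for the demo; the "sticky" handler models a backend that caches identity on the per-connection object, which is one way the symptom above could arise, not a claim about what Tomcat or mod_jk actually did.

```python
"""Connection-reuse session mix-up probe (added example, not from the thread).

Two toy backends: CorrectHandler resolves the user from the request's own
cookie every time; StickyHandler caches the first user it sees on the
connection object, so every later request on that connection is served as
that user. probe() plays the role of a front end that either reuses one
backend connection for all users or opens a fresh one per request.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed session table: raw Cookie header value -> authenticated user.
SESSIONS = {
    "JSESSIONID=s-alice": "alice",
    "JSESSIONID=s-bob": "bob",
    "JSESSIONID=s-carol": "carol",
}


class _Base(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive: one handler instance serves many requests

    def log_message(self, *args):  # keep the demo quiet
        pass

    def resolve_user(self):
        raise NotImplementedError

    def do_GET(self):
        body = (self.resolve_user() or "anonymous").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class CorrectHandler(_Base):
    """Identity derived from the request's own Cookie header on every request."""

    def resolve_user(self):
        return SESSIONS.get(self.headers.get("Cookie", ""))


class StickyHandler(_Base):
    """Bug model: identity resolved once and cached on the connection object.
    BaseHTTPRequestHandler creates one instance per TCP connection, so the
    cached user leaks into every later request that arrives on it."""

    def resolve_user(self):
        if not hasattr(self, "cached_user"):
            self.cached_user = SESSIONS.get(self.headers.get("Cookie", ""))
        return self.cached_user


def start_server(handler_cls):
    """Bind an ephemeral loopback port and serve in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, reuse_connection, rounds=3):
    """Request /whoami for each session and return the (expected, got) pairs
    that disagree. reuse_connection=True models a connector recycling one
    backend connection across users; False models a fresh connection per
    request, i.e. the DisableReuse workaround."""
    mismatches = []
    shared = http.client.HTTPConnection("127.0.0.1", port) if reuse_connection else None
    for _ in range(rounds):
        for cookie, expected in SESSIONS.items():
            conn = shared or http.client.HTTPConnection("127.0.0.1", port)
            conn.request("GET", "/whoami", headers={"Cookie": cookie})
            got = conn.getresponse().read().decode()  # read fully so the socket can be reused
            if shared is None:
                conn.close()
            if got != expected:
                mismatches.append((expected, got))
    if shared is not None:
        shared.close()
    return mismatches


def run_demo():
    """Mismatch counts for both backends under both connection policies."""
    results = {}
    for name, cls in (("correct", CorrectHandler), ("sticky", StickyHandler)):
        srv = start_server(cls)
        try:
            results[name] = {
                "reuse": len(probe(srv.server_port, True)),
                "fresh": len(probe(srv.server_port, False)),
            }
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

With three sessions and three rounds, the sticky backend serves the wrong user on every request after the first on a reused connection (two mismatches per round, six in total), while opening a fresh connection per request hides the bug completely, which is exactly why a `DisableReuse`-style workaround can make the symptom disappear without the backend being fixed. Pointing `probe` at a real httpd/mod_jk front end instead of the toy server (using real session cookies and a page that echoes the logged-in user) turns it into a reproduction harness for the problem described above.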
