Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GPSPRINGSECURITYCORE-232: java.lang.IllegalStateException: Cannot forward after response has been committed #238

Open
graemerocher opened this issue Sep 15, 2013 · 3 comments
Open

GPSPRINGSECURITYCORE-232: java.lang.IllegalStateException: Cannot forward after response has been committed #238

graemerocher opened this issue Sep 15, 2013 · 3 comments
Assignees
@burtbeckwith
Labels
type: bug type: major

Comments

@graemerocher
Copy link
Member

Original Reporter: confile
Environment: grails 2.2.4
Version: Grails-Spring-Security-Core 1.2.7.3
Migrated From: http://jira.grails.org/browse/GPSPRINGSECURITYCORE-232

I am not sure if this issue belongs to spring security but the stack trace shows a lot of spring security related stuff:

Sep 15, 2013 7:20:26 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [] threw exception
java.lang.IllegalStateException: Cannot forward after response has been committed
   at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:349)
   at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
   at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:314)
   at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:279)
   at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:270)
   at org.codehaus.groovy.grails.web.mapping.filter.UrlMappingsFilter.doFilterInternal(UrlMappingsFilter.java:222)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.obtainContent(GrailsPageFilter.java:206)
   at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.doFilter(GrailsPageFilter.java:152)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:369)
   at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
   at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
   at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
   at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
   at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:119)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
   at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
   at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
   at org.codehaus.groovy.grails.plugins.springsecurity.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:40)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
   at org.codehaus.groovy.grails.plugins.springsecurity.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:79)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
   at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
   at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
   at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
   at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:69)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:66)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
   at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
   at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1686)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:724)
@graemerocher
Copy link
Member Author

burtbeckwith said:
Does it fail the same way with the plugin disabled?

@graemerocher
Copy link
Member Author

confile said:
I cannot disable the plugin, since it is working in a big application. I reported this issue here as well: http://stackoverflow.com/questions/18658021/image-byte-to-response-outputstream-in-grails-leads-to-cannot-forward-after

This is my springsecurity config:

grails.plugins.springsecurity.userLookup.userDomainClassName = 'test.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'test.UserRole'
grails.plugins.springsecurity.authority.className = 'test.Role'
// Spring Security Core Event Listener
grails.plugins.springsecurity.useSecurityEventListener = true
grails.plugins.springsecurity.logout.handlerNames = [
    'rememberMeServices', 'securityContextLogoutHandler', 'mySecurityEventListener'
   ]

grails.plugins.springsecurity.rememberMe.cookieName = 'testRememberMe'
grails.plugins.springsecurity.rememberMe.alwaysRemember = true
grails.plugins.springsecurity.rememberMe.tokenValiditySeconds = 31536000 // 365 days
grails.plugins.springsecurity.rememberMe.key = 'testRocks'
grails.plugins.springsecurity.rememberMe.parameter = '_spring_security_remember_me'

grails.plugins.springsecurity.rememberMe.persistent = true
grails.plugins.springsecurity.rememberMe.persistentToken.domainClassName = 'test.PersistentLogin'
grails.plugins.springsecurity.rememberMe.useSecureCookie= false
grails.plugins.springsecurity.rememberMe.persistentToken.tokenLength=16
grails.plugins.springsecurity.rememberMe.persistentToken.seriesLength=16

I used a new rememberMe service which can be found here: http://www.cloudseal.com/2013/03/grails-cookie-theft-exceptions/ under "DISABLE THE COOKIE REWRITING"

It turns out that the error can be produced the following way: I login on my app in my browser. I login with my smart phone which has a different IP but uses the same account as I have used in the browser. After a couple of page reloads on my smart phone and on my browser I can produce this bug.

What I tried to do is to put a return statement after every redurect, render and forward. But nothing helps.

Burt do you have any idea? I have no idea what to do. Thank you for your help.

@graemerocher graemerocher added this to the spring-security-core-Grails-Spring-Security-Core 2.0 milestone Jun 2, 2015
@alvarosanchez alvarosanchez removed this from the spring-security-core-Grails-Spring-Security-Core 2.0 milestone Oct 1, 2015
@mikedehaan
Copy link

I'm also getting this error, though the stack trace varies on occasion (I'm almost certain they're related). This is a rather large application as well, so I'm unable to disable spring security. We are unable to reproduce this issue reliably, though the more users we throw at the server, the more likely we are to see the issue pop-up. We've seen it occur on anything from attempting to render a template, to a GET request for an icon.

  • Java 1.8
  • Grails 2.5.3
  • Tomcat 7.0.67
  • spring-security-core:2.0-RC4
StackTrace: java.lang.IllegalStateException: Cannot forward after response has been committed
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:347)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
        at org.codehaus.groovy.grails.web.mapping.UrlMappingUtils.forwardRequestForUrlMappingInfo(UrlMappingUtils.java:178)
        at org.codehaus.groovy.grails.web.mapping.UrlMappingUtils.forwardRequestForUrlMappingInfo(UrlMappingUtils.java:144)
        at org.codehaus.groovy.grails.web.mapping.UrlMappingUtils.forwardRequestForUrlMappingInfo(UrlMappingUtils.java:135)
        at org.codehaus.groovy.grails.web.mapping.filter.UrlMappingsFilter.doFilterInternal(UrlMappingsFilter.java:216)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

Caused by: java.lang.IllegalStateException: getOutputStream() has already been called for this response
        at org.apache.catalina.connector.Response.getWriter(Response.java:679)
        at org.apache.catalina.connector.ResponseFacade.getWriter(ResponseFacade.java:213)
        at javax.servlet.ServletResponseWrapper.getWriter(ServletResponseWrapper.java:104)
        at javax.servlet.ServletResponseWrapper.getWriter(ServletResponseWrapper.java:104)
        at javax.servlet.ServletResponseWrapper.getWriter(ServletResponseWrapper.java:104)

StackTrace: java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed
        at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:482)
        at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:137)
        at grails.plugin.databasesession.WindowIdResponseWrapper.sendRedirect(WindowIdResponseWrapper.java:32)
        at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:137)
        at org.springframework.security.web.firewall.FirewalledResponse.sendRedirect(FirewalledResponse.java:25)
        at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:137)
        at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.sendRedirect(SaveContextOnUpdateOrErrorResponseWrapper.java:107)
        at org.springframework.security.web.DefaultRedirectStrategy.sendRedirect(DefaultRedirectStrategy.java:39)
        at org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.commence(LoginUrlAuthenticationEntryPoint.java:162)
        at grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationEntryPoint.commence(AjaxAwareAuthenticationEntryPoint.java:62)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@burtbeckwith burtbeckwith

Labels
type: bug type: major
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@graemerocher @burtbeckwith @alvarosanchez @mikedehaan