When sessionservice gets an invalid sessionid, it may return
There are more areas that cause this than the one fixed in
The impact of this is that the Web agent, on receiving this and not an exception response, will not do the right thing for an invalid token and is forever stuck returning forbidden rather than going to the logon page to get a new session token.
Here's some analysis done with a report for an end user.
The other place that OPENAM-8910 did not handle is in SessionRequestHandler.java
We should guard against ex.getMessage() == null, because an NPE may happen, so that CDATA[nul] is returned (and how this originated in the first place). We should address this by doing something like replacing line 143 like and it will address all the NPE issues that may happen. This is handled with the fix, although some NPE cleanup may be needed across the code, as encountered by this end user.
The next issue is in processSessionRequest(...)
- The NPE is due to the previous bug, and so the previous OPENAM-8910 may help, but we should handle Session.getSessionServiceURL(hostServerID) outside the forward(). We should refactor Session.getSessionServiceURL(hostServerID) so that if it throws an exception, it does not retry or checkServerUp again and just fails. Something like
Lastly, the debugging session for a multi-site HA environment of this end user indicates in ClusterStateService.java
So we need to guard at line 372 as info is NULL too.
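The guard on ex.getMessage() == null discussed above for SessionRequestHandler.java, as an added example that is not OpenAM's code and not the fix from this report: the class, method and element names are hypothetical stand-ins. It goes slightly beyond the report by also keeping a message that contains "]]>" inside a single CDATA section.

```java
// Added illustration; class, method and element names are hypothetical, not OpenAM code.
public class NullSafeExceptionText {

    // Unguarded: string concatenation turns a null message into the text "null".
    static String unguarded(Exception ex) {
        return "<Exception><![CDATA[" + ex.getMessage() + "]]></Exception>";
    }

    // Guarded: never emit a null message, and keep the text inside one CDATA section.
    static String guarded(Exception ex) {
        String msg = ex.getMessage();
        if (msg == null || msg.isEmpty()) {
            // Fall back to the exception type so the receiver still gets a usable reason.
            msg = ex.getClass().getName();
        }
        // "]]>" in the message would close the CDATA section early; split it.
        msg = msg.replace("]]>", "]]]]><![CDATA[>");
        return "<Exception><![CDATA[" + msg + "]]></Exception>";
    }

    public static void main(String[] args) {
        // Constructed inputs: an NPE created without a message, and a normal error.
        Exception npe = new NullPointerException();
        Exception invalid = new IllegalStateException("Invalid session ID");

        System.out.println(unguarded(npe));
        System.out.println(guarded(npe));
        System.out.println(guarded(invalid));
    }
}
```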