
Login null pointer bug explanation and workaround

Question asked by mschrock on Sep 9, 2013
There has been a bug in the default configuration of Activiti Explorer since version 5.12 relating to being unable to log in after restarting Tomcat.

How to recreate bug:
1) Start up a fresh Tomcat 7 installation and install activiti-explorer.war 5.12 or 5.13.
2) Log in to Activiti Explorer.
3) Log out from Activiti Explorer.
4) Shut down Tomcat.
5) Start up Tomcat.
6) Try to log in to Activiti Explorer. This will fail with a null pointer exception related to the identityService member in DefaultLoginHandler.

The default session manager used by Tomcat 7 will attempt to serialize any current sessions to disk upon shutdown and deserialize these sessions upon startup. With Activiti Explorer 5.11, this behavior was fine, but 5.12 changed the IdentityService member in DefaultLoginHandler to be transient. This means that the IdentityService member, which handles login password checks, will not get serialized to disk upon Tomcat shutdown and will be null once Tomcat is started again and the session deserialized. As such, if the same user attempts to log in again, it will fail with an NPE because the IdentityService member is null.

The simplest way to fix this is to configure Activiti Explorer's context.xml (activiti-explorer/META-INF/context.xml) with a non-default Tomcat session manager which will not attempt to persist sessions across Tomcat shutdown/startup cycles. In order to do this, change the bundled context.xml file to look like this:
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/activiti-explorer2">
   <Manager pathname="" />
</Context>

Suggested fix for future Activiti versions:
Either revert DefaultLoginHandler's IdentityService member to be non-transient as it was in 5.11 or make sure the bundled context.xml file uses a non-default Tomcat session manager as described in the above workaround.
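
The failure mode described in the post above, reproduced as an added example that is not part of the original post and is not Activiti's code. All class names and the sample credentials are hypothetical; the second handler shows one possible way to restore a transient member after deserialization, which is an assumption and not a fix proposed in the post.

```java
import java.io.*;

// All names here are hypothetical stand-ins, not Activiti's classes.
public class TransientSessionDemo {
    // Stand-in for the service that performs the password check.
    static class IdentityService {
        boolean checkPassword(String user, String pw) { return "demo-password".equals(pw); }
    }

    // Failure mode: a transient field is skipped on write, and field initializers
    // do not run on read, so the member is null after the session is restored.
    static class FragileLoginHandler implements Serializable {
        private static final long serialVersionUID = 1L;
        transient IdentityService identityService = new IdentityService();
        boolean authenticate(String u, String p) { return identityService.checkPassword(u, p); }
    }

    // One possible fix (assumption): re-acquire the service in readObject.
    static class RestoringLoginHandler implements Serializable {
        private static final long serialVersionUID = 1L;
        transient IdentityService identityService = new IdentityService();
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            identityService = new IdentityService(); // a real app would look this up again
        }
        boolean authenticate(String u, String p) { return identityService.checkPassword(u, p); }
    }

    // Serialize then deserialize, as a persisting session manager does across a restart.
    @SuppressWarnings("unchecked")
    static <T extends Serializable> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(obj); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (T) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        FragileLoginHandler fragile = roundTrip(new FragileLoginHandler());
        try {
            fragile.authenticate("demo-user", "demo-password"); // constructed sample values
        } catch (NullPointerException e) {
            System.out.println("fragile handler: NPE after restore");
        }
        RestoringLoginHandler fixed = roundTrip(new RestoringLoginHandler());
        System.out.println("restoring handler: login ok = " + fixed.authenticate("demo-user", "demo-password"));
    }
}
```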