node-webkit chrome based browser throws exceptions (internal DoS) #1825
node-webkit gives thousands of these; along with these, thousands of unique sessions are created.

```
java.lang.IllegalStateException: Response object no longer valid. This object has been cancelled
    at org.atmosphere.cpr.AtmosphereResourceImpl.getResponse(AtmosphereResourceImpl.java:423)
    at org.atmosphere.cpr.AtmosphereResourceImpl.getResponse(AtmosphereResourceImpl.java:435)
    at com.neurokernel.server.task.RuntimeSocket.onTextMessage(RuntimeSocket.java:215)
    at org.atmosphere.websocket.WebSocketProcessor$WebSocketHandlerProxy.onTextMessage(WebSocketProcessor.java:180)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.invokeInterceptors(DefaultWebSocketProcessor.java:396)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.invokeInterceptors(DefaultWebSocketProcessor.java:352)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.invokeWebSocketProtocol(DefaultWebSocketProcessor.java:432)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.dispatchReader(DefaultWebSocketProcessor.java:793)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.invokeWebSocketProtocol(DefaultWebSocketProcessor.java:535)
    at org.atmosphere.container.TomcatWebSocketHandler.onTextData(TomcatWebSocketHandler.java:104)
    at org.apache.catalina.websocket.StreamInbound.doOnTextData(StreamInbound.java:191)
    at org.apache.catalina.websocket.StreamInbound.onData(StreamInbound.java:139)
    at org.apache.coyote.http11.upgrade.UpgradeProcessor.upgradeDispatch(UpgradeProcessor.java:88)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
java.lang.IllegalStateException: Response object no longer valid. This object has been cancelled
    at org.atmosphere.cpr.AtmosphereResourceImpl.getResponse(AtmosphereResourceImpl.java:423)
    at org.atmosphere.cpr.AtmosphereResourceImpl.getResponse(AtmosphereResourceImpl.java:435)
    at com.neurokernel.server.task.RuntimeSocket.onTextMessage(RuntimeSocket.java:215)
    at org.atmosphere.websocket.WebSocketProcessor$WebSocketHandlerProxy.onTextMessage(WebSocketProcessor.java:180)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.invokeInterceptors(DefaultWebSocketProcessor.java:396)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.invokeInterceptors(DefaultWebSocketProcessor.java:352)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.invokeWebSocketProtocol(DefaultWebSocketProcessor.java:432)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.dispatchReader(DefaultWebSocketProcessor.java:793)
    at org.atmosphere.websocket.DefaultWebSocketProcessor.invokeWebSocketProtocol(DefaultWebSocketProcessor.java:535)
    at org.atmosphere.container.TomcatWebSocketHandler.onTextData(TomcatWebSocketHandler.java:104)
    at org.apache.catalina.websocket.StreamInbound.doOnTextData(StreamInbound.java:191)
    at org.apache.catalina.websocket.StreamInbound.onData(StreamInbound.java:139)
    at org.apache.coyote.http11.upgrade.UpgradeProcessor.upgradeDispatch(UpgradeProcessor.java:88)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
```
Atmosphere is implicitly calling the `getSession()` method instead of `getSession(false)` when session support is turned on. The Atmosphere framework should not create a session by itself, but should instead use an existing one if one was created. The above scenario proves this invasive behavior. node-webkit or a similar browser with WebSocket implementation problems would just bring the servlet container running Atmosphere to its knees with the above-mentioned internal DoS (in 5 seconds 3000 sessions were created), and eventually the JVM will exit with an out-of-memory error.
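
The session growth reported above can be watched and bounded from the application side with a standard servlet `HttpSessionListener`. This is an added example, not code from Atmosphere or from the reporter's application; the class name, the thresholds and the `javax.servlet` namespace are assumptions.

```java
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical listener: flags a burst of new sessions and limits how long they live. */
public class SessionFloodGuard implements HttpSessionListener {
    private static final long WINDOW_MS = 5000;          // assumed observation window
    private static final long MAX_NEW_PER_WINDOW = 500;  // assumed limit, tune per application
    private static final int FLOOD_IDLE_SECONDS = 60;    // assumed idle timeout during a burst

    private final AtomicLong windowStart = new AtomicLong(System.currentTimeMillis());
    private final AtomicLong createdInWindow = new AtomicLong();
    private final AtomicLong liveSessions = new AtomicLong();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        long now = System.currentTimeMillis();
        long start = windowStart.get();
        // Start a new window; only the thread that wins the CAS resets the counter.
        // The count is approximate under contention, which is enough for an alarm.
        if (now - start > WINDOW_MS && windowStart.compareAndSet(start, now)) {
            createdInWindow.set(0);
        }
        long created = createdInWindow.incrementAndGet();
        long live = liveSessions.incrementAndGet();
        if (created <= MAX_NEW_PER_WINDOW) {
            return;
        }
        HttpSession session = event.getSession();
        // During a burst, let idle sessions expire quickly so the heap is reclaimed.
        session.setMaxInactiveInterval(FLOOD_IDLE_SECONDS);
        if (created == MAX_NEW_PER_WINDOW + 1) { // log once per window, not once per session
            session.getServletContext().log("Session burst: more than " + MAX_NEW_PER_WINDOW
                    + " sessions created within " + WINDOW_MS + " ms; live sessions=" + live);
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        liveSessions.decrementAndGet();
    }

    /** Lookup that never creates a session; returns null when the request has none. */
    public static HttpSession existingSession(HttpServletRequest request) {
        return request.getSession(false);
    }
}
```

Register the class with a `<listener>` element in `web.xml`; the container then calls it for every session it creates, whichever component asked for the session.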
@bertung Which line exactly? The code always first looks at
Thanks for the info. Shouldn't the getRequest method return null if the resource is dead?
I thought isCancelled had fixed it because the exception has disappeared, but Atmosphere still creates thousands of sessions internally. I will investigate further. 16,737 sessions were created until I terminated node-webkit (in about 10 seconds). By the way, we switched on the session support of Atmosphere.
I have created a new issue
node-webkit creates serious problems when using atmosphere.
https://github.com/rogerwang/node-webkit