Vaadin - connection problem

Hello everyone,

I tried to send a simple request to my Vaadin application (with an Apache Tomcat running in the background).
However… I receive some error message which contains the following content:

[code]
for(;;);[{"changes":{},"resources":{},"locales":{},"meta":{"appError":{"caption":"Internal error","url":null,"message":"Please notify the administrator.
Take note of any unsaved data, and click here or press ESC to continue.","details":null}},"syncId":-1}]
[/code]

Can anyone help me with that?
Best regards,
Nazar

Hi,

what do you mean by “send a simple request” exactly? Can you describe what you’re doing in more detail?

-Olli

This kind of error comes normally together with some stacktrace in Tomcat-log. Please post that as well.

The first request I sent was the following one:

[code]
POST /vaadin_vulnerabilities/UIDL/?v-uiId=0 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/vaadin_vulnerabilities/
Content-Length: 297
Cookie: JSESSIONID=ECA0E675E5C8F416C6D0C13FD9776865
Connection: close

{"csrfToken":"f4266a0d-6a78-4652-9d9e-6c00022165df","rpc":[["15","com.vaadin.shared.ui.button.ButtonServerRpc","click",[{"altKey":false,"button":"LEFT","clientX":122,"clientY":697,"ctrlKey":false,"metaKey":false,"relativeX":85,"relativeY":6,"shiftKey":false,"type":1}]]],"syncId":30,"clientId":49}
[/code]

I received no error messages. I looked in the response and everything was fine.
After that, I sent another request which was a little different to the previous one:

[code]
POST /vaadin_vulnerabilities/UIDL/?v-uiId=0 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/vaadin_vulnerabilities/
Content-Length: 421
Cookie: JSESSIONID=ECA0E675E5C8F416C6D0C13FD9776865
Connection: close

{"csrfToken":"f4266a0d-6a78-4652-9d9e-6c00022165df","rpc":[["0","com.vaadin.shared.ui.ui.UIServerRpc","scroll",[132,0]],["14","v","v",["text",["s","ls"]]],["14","v","v",["c",["i",2]]],["15","com.vaadin.shared.ui.button.ButtonServerRpc","click",[{"altKey":false,"button":"LEFT","clientX":114,"clientY":723,"ctrlKey":false,"metaKey":false,"relativeX":77,"relativeY":21,"shiftKey":false,"type":1}]]],"syncId":6,"clientId":50}
[/code]

This request caused an error message. Here is my stacktrace:

[code]
Nov 09, 2016 5:10:57 AM com.vaadin.server.communication.UidlRequestHandler synchronizedHandleRequest
SEVERE: Error writing JSON to response
elemental.json.JsonException: Invalid object: expecting } or ,
    at elemental.json.impl.JsonTokenizer.parseObject(JsonTokenizer.java:236)
    at elemental.json.impl.JsonTokenizer.nextValue(JsonTokenizer.java:171)
    at elemental.json.impl.JreJsonFactory.parse(JreJsonFactory.java:64)
    at elemental.json.impl.JsonUtil.parse(JsonUtil.java:200)
    at com.vaadin.server.communication.ServerRpcHandler$RpcRequest.<init>(ServerRpcHandler.java:86)
    at com.vaadin.server.communication.ServerRpcHandler.handleRpc(ServerRpcHandler.java:231)
    at com.vaadin.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:90)
    at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:41)
    at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1414)
    at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:365)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1452)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
[/code]

Can anyone explain this to me?
Best regards,
Nazar

Looks like there’s an error in your JSON, at least according to Elemental’s JSON parser.

-Olli

Yes, but how can there be an error?.. I mean my request does not contain any irregular expressions. The only thing I recognized is that the value of syncId remained at 6. Could this have any influence?

Nazar

Have you tried with a different syncId?

-Olli

I just tried it out… Unfortunately the same error message. But this time, I could send at least four requests in a row until I received the message.

Nazar

Can you explain another thing to me, maybe?
I enter a value in a textfield and press the enter-key to send the request. The request contains the following content:

[code]
POST /vaadin_vulnerabilities/UIDL/?v-uiId=0 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/vaadin_vulnerabilities/
Content-Length: 292
Cookie: JSESSIONID=ECA0E675E5C8F416C6D0C13FD9776865
Connection: close

{"csrfToken":"f4266a0d-6a78-4652-9d9e-6c00022165df","rpc":[["0","com.vaadin.shared.ui.ui.UIServerRpc","scroll",[132,0]],["12","v","v",["text",["s","Nazar"]]],["12","v","v",["c",["i",5]]],["0","v","v",["actiontarget",["c","12"]]],["0","v","v",["action",["s","1"]]]],"syncId":101,"clientId":69}
[/code]

When I don’t change the value in the textfield and send the same request again, the content of the request changes to the following:

[code]
POST /vaadin_vulnerabilities/UIDL/?v-uiId=0 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/vaadin_vulnerabilities/
Content-Length: 164
Cookie: JSESSIONID=ECA0E675E5C8F416C6D0C13FD9776865
Connection: close

{"csrfToken":"f4266a0d-6a78-4652-9d9e-6c00022165df","rpc":[["0","v","v",["actiontarget",["c","12"]]],["0","v","v",["action",["s","1"]]]],"syncId":102,"clientId":70}
[/code]

You can see the changes in the token. The second one is much shorter. Why is this the case?
Best regards,
Nazar

It depends on the changed state of your application. In the first one, the textual contents of the TextField have changed, so they have to be sent to the server. In the second one, the contents are the same, so they don’t have to be passed to the server anymore.

-Olli

Hmm… the content doesn’t have to be sent anymore, but a request is sent anyway, is it not? Using an HTTP listener showed me that the second request was also sent to the server. Have I understood something wrong?

Nazar

No, that’s correct, your Action (the enter-key press) is still sent to the server in the second case.

-Olli

I found out why this error occurs. The first time you open a Vaadin application and send a request, the clientId usually starts at 0 and increases by 1 for each request. When you send exactly the same request again, you won’t get any problems until the clientId reaches the value 10. At this point I got an error because the id contains TWO characters this time, which is unexpected for the server.

Another situation… In case you start to send the request at 10, there won’t be any problems until the id reaches 100.

Best regards,
Nazar

Maybe the Content-Length parameter is wrong when you change the length of the content string? Like this:

Content-length=5
payload="12345"
-> ok

Content-length=5
payload="12346"
-> ok

Content-length=5
payload="123456"
-> not ok

-Olli
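
The Content-Length mismatch suggested above, as an added example that is not part of the original thread: a small model of a server that reads exactly the declared number of body bytes, fed a replayed request whose clientId grows from one digit to two (or two to three) while the captured Content-Length header is reused. The body layout, the placeholder token and the function names are assumptions made for illustration, and Python's JSON parser stands in for Elemental's.

```python
import json

# Constructed UIDL-style body modelled on the requests in this thread.
# The csrfToken is a placeholder, not a real session token.
def uidl_body(client_id, sync_id=6):
    msg = {"csrfToken": "00000000-0000-0000-0000-000000000000",
           "rpc": [["15", "com.vaadin.shared.ui.button.ButtonServerRpc", "click", []]],
           "syncId": sync_id, "clientId": client_id}
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")

def server_read(body, content_length):
    """Model of a server that trusts Content-Length: it reads exactly that
    many body bytes and hands them to the JSON parser."""
    received = body[:content_length]
    try:
        return "ok", json.loads(received.decode("utf-8"))
    except json.JSONDecodeError as exc:
        return "parse-error", f"{exc.msg} at byte {exc.pos}: ...{received[-12:]!r}"

def replay(first_id, last_id, recompute):
    """Replay a captured request with increasing clientId values.
    With recompute=False the Content-Length of the capture is reused."""
    captured_length = len(uidl_body(first_id))
    results = []
    for cid in range(first_id, last_id + 1):
        body = uidl_body(cid)
        length = len(body) if recompute else captured_length
        status, _ = server_read(body, length)
        results.append((cid, len(body), length, status))
    return results

def first_failure(results):
    """Return the first clientId whose request failed to parse, or None."""
    return next((cid for cid, _, _, status in results if status != "ok"), None)

if __name__ == "__main__":
    for row in replay(7, 11, recompute=False):
        print("clientId=%d body=%d bytes, Content-Length=%d -> %s" % row)
    print("first failure, stale header:", first_failure(replay(0, 12, False)))
    print("first failure, recomputed  :", first_failure(replay(0, 12, True)))
```

With the stale header the closing `}` is cut off as soon as the clientId gains a digit, which is the same class of error as the `expecting } or ,` in the stack trace; recomputing Content-Length for every modified body removes it.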

Hi Olli,

this was exactly the first thing I thought about and it is the correct suggestion!!!

Thanks a lot!

Best regards,
Nazar

No problem, you’re welcome.

-Olli

Hi Olli,

I could need your knowledge again.
When I send a request without increasing the clientId, I don’t get an error but I don’t get a correct response either. What I receive in such a case looks a little bit weird. Could you explain this to me, please?




[code]
for(;;);[{"syncId": 4, "resynchronize": true, "clientId": 3, "changes" : [["change",{"pid":"0"},["0",{"id":"0","location":"http://localhost:8080/vaadin_vulnerabilities/#!main/hauptansicht","v":{"action":""}},["actions",{},["action",{"key":"1","caption":"Shortcut Name","kc":13,"mk":[]}]]]],["change",{"pid":"18"},["1",{"id":"18"}]],["change",{"pid":"13"},["1",{"id":"13","iem":"EAGER","iet":400,"nvc":true}]],["change",{"pid":"16"},["1",{"id":"16"}]],["change",{"pid":"14"},["1",{"id":"14"}]]], "state":{"0":{"pageState":{"title":"Vaadin vulnerabilities"},"localeServiceState":{"localeData":[{"name":"en_US","monthNames":["January","February","March","April","May","June","July","August","September","October","November","December"],"shortMonthNames":["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"],"shortDayNames":["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],"dayNames":["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],"firstDayOfWeek":0,"dateFormat":"M/d/yy","twelveHourClock":true,"hourMinuteDelimiter":":","am":"AM","pm":"PM"}]},"theme":"mytheme","height":"100.0%","width":"100.0%"},"13":{"text":"k","immediate":true,"caption":"First name","errorMessage":"

java.lang.NullPointerException at com.e

"caption":"Last name"},"15":{"caption":"Search by name"},"16":{"text":"","caption":"Eingabe für XSS"},"17":{"contentMode":"HTML","width":"100.0%"},"18":{"text":"","caption":"Eingabe für command injection"},"19":{"caption":"Command
[/code]


You can even see the contentMode of some Widgets. Is there a way I can hide this kind of information?

Thanks in advance!
Best regards,
Nazar

In what sense is the response you get not correct?

-Olli

The code I posted above is a “standard” response which I receive every time when I send a request again that has been already issued. To be more clear… I can send a request with a constant id (no increasing…) 10 times in a row and I get that kind of response. In case I increase the id (as expected from the server) the response is much shorter and I can even see the values I wanted to see, e.g. names in a table.

Best regards,
Nazar

I think ultimately the state change you’re proposing just leads to that result.

-Olli