Cross tenant PO on login - can't explain why

[Nicolas Micoud]

Hello,

This morning, a user was not able to log into our internal iDempiere.
Popup was : Cross tenant PO reading request detected from session  for table AD_User Record_ID=1001793

We have 2 tenants (1000001 and 1000002), and each people has a user in the two tenants (with same LDAPUser).
Password are stored in LDAPUser

Her AD_User_ID are 1001793 and 1001794.

ClientID      UserID

1000001    1001794
1000002    1001793

Previous sessions were :

Yesterday she logged into 1000002 tenant for the first time since migration from 6.2.
And this morning, writing username/password leads to this blocking popup.

She managed to log in after several tries, and AFAIU, ticking the "Choose Role" checkbox.

Here's the log:

08:03:22.005===========> DefaultModelFactory.saveError: Error - Table=AD_User,Class=class org.compiere.model.MUser [203]
08:03:22.006-----------> GenericPO.checkCrossTenant: Table=AD_User Record_ID=1001793 Env.AD_Client_ID=1000001 PO.AD_Client_ID=1000002 writing=false Session= [203]
08:03:22.007===========> UiEngineImpl.error:  [203]
org.adempiere.exceptions.AdempiereException: Cross tenant PO reading request detected from session  for table AD_User Record_ID=1001793
    at org.compiere.model.PO.checkCrossTenant(PO.java:5023)
    at org.compiere.model.PO.<init>(PO.java:212)
    at org.adempiere.model.GenericPO.<init>(GenericPO.java:81)
    at org.compiere.model.MTable.getPO(MTable.java:598)
    at org.compiere.model.Query.list(Query.java:286)
    at org.compiere.util.Login.getClients(Login.java:1316)
    at org.adempiere.webui.panel.LoginPanel.validateLogin(LoginPanel.java:580)
    at org.adempiere.webui.window.LoginWindow.onEvent(LoginWindow.java:166)
    at org.zkoss.zk.ui.AbstractComponent.onEvent(AbstractComponent.java:3184)
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3154)
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3096)
    at org.zkoss.zk.ui.impl.EventProcessor.process(EventProcessor.java:138)
    at org.zkoss.zk.ui.impl.UiEngineImpl.processEvent(UiEngineImpl.java:1890)
    at org.zkoss.zk.ui.impl.UiEngineImpl.process(UiEngineImpl.java:1662)
    at org.zkoss.zk.ui.impl.UiEngineImpl.execUpdate(UiEngineImpl.java:1329)
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.process(DHtmlUpdateServlet.java:570)
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doGet(DHtmlUpdateServlet.java:450)
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doPost(DHtmlUpdateServlet.java:458)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1418)
    

From what I understand, the program sets ClientID 1000001 in the Context, but PO object loaded was from clientID 1000002.

I'm trying to reproduce it but I can't. Anyway, she managed to and I would like to fix that.

Anyone faced something similar ? Any idea where to look ?

Thanks,

Nicolas

[Carlos Antonio Ruiz Gomez]

I did some tests and it seems weird, this part:

GenericPO.checkCrossTenant: Table=AD_User Record_ID=1001793 Env.AD_Client_ID=1000001 PO.AD_Client_ID=1000002 writing=false Session=

On my tests, on login time there is not AD_Client_ID on env context, so it always returned zero and passed the validation OK.

So, I don't see how your login ended with a client set at that point.

NOTE: the login/logout on swing client is broken with similar errors, maybe testing there can give it a clue

Regards,

Carlos Ruiz

El 29/1/21 a las 08:54, Nicolas Micoud escribió:

Nicolas --

[Nicolas Micoud]

I agree this is weird as I was not able to reproduce it and it just appears once.

And I didn't notice this morning, but ClientID was set but SessionID was empty.

I'll try to conduct more tests

thanks,

Nicolas

[Heng Sin Low]

probably a bad behaving piece of code or process that doesn't clear the thread local environment context after execution is complete.

--
You received this message because you are subscribed to the Google Groups "iDempiere" group.
To unsubscribe from this group and stop receiving emails from it, send an email to idempiere+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/idempiere/74cc9965-3687-4b86-a3bc-ce95c34d1eeen%40googlegroups.com.

[Norbert Bede]

Hi, 

I can confirm same behaviour returning periodically. 

i will attach the log here  - need to find in older logs.

we could't fund the reason well.

norbert

[Norbert Bede]

Issue created: https://idempiere.atlassian.net/browse/IDEMPIERE-4685

[mpow...@gmail.com]

Hi all,

same here when performing Requisition>Doc.Action=Complete: 10:00:49.437-----------> MWFNodeNext.checkCrossTenant: Table=AD_WF_NodeNext Record_ID=176 Env.AD_Client_ID=1000000 PO.AD_Client_ID=11 writing=false Session=1277325 [119]

[Nicolas Micoud]

Hi,

Quite the same message

I think the requisition issue has already been solved (https://idempiere.atlassian.net/browse/IDEMPIERE-4643 / https://github.com/idempiere/idempiere/commit/ccb84c6dfc46e38d3bc22a14ddbdb0a239ac2707)

Regards,

Nicolas

[Michael Powacht]

Thanks Nicolas, yes I also just spotted that a few moments ago.

Cheers,

Michael

--
You received this message because you are subscribed to a topic in the Google Groups "iDempiere" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/idempiere/JGu16iMm5OU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to idempiere+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/idempiere/49d3c0ac-46cd-4919-894f-43773b65b706n%40googlegroups.com.