Hello,
I am running AM 7.1 on GF b53.
I have deployed an application protected by the J2EE Policy agent.
At certain points in time, the authentication fails and the browser
enters an infinite redirect loop.
It looks like the iPlanetDirectoryPro cookie is incorrectly URL encoded.
Cookie value is
AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQACMDE=#
But what is seen by the J2EE filter is
AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#
(notice the space at the position of the + sign in the original cookie
value)
There, AM returns a FORBIDDEN value as policy, which causes the browser to
redirect to AM, etc.
See below the error at the agent side.
Because I am not sure whether this is a GF or an OpenSSO issue, I am cross-posting my question.
Any suggestions?
Thanks
Seb
07/19/2007 02:07:27:960 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
AmFilter: incoming request =>
-----------------------------------------------------------
HttpServletRequest: class => uri: /FineGrainedSample/
method: GET
QueryString: null
Parameters:
Headers:
Name: host Value: spirou.sun.com:18080
Name: user-agent Value: Mozilla/5.0 (Macintosh; U; Intel
Mac OS X; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Name: accept Value:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Name: accept-language Value: en-us,en;q=0.5
Name: accept-encoding Value: gzip,deflate
Name: accept-charset Value: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Name: keep-alive Value: 300
Name: connection Value: keep-alive
Name: referer Value:
http://spirou.sun.com:8080/amserver/UI/Login?goto=http%3A%2F%2Fspirou.sun.com%3A18080%2FFineGrainedSample%2F&gx_charset=UTF-8
Name: cookie Value: JSESSIONID=e5ffee21849800471c08ca7b9b9c;
JSESSIONID=e5fb58534cc2c0f52194ce398ad1; amlbcookie=01;
iPlanetDirectoryPro=AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQA=#;
amFilterRDParam=AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==
Character Encoding : null
Content Lenght : -1
Content Type : null
Locale : en_US
Accept Locales:
en_US
en
Protocol : HTTP/1.1
Remote Address : 192.168.0.5
Remote Host : 192.168.0.5
Scheme : http
Server Name : spirou.sun.com
Server Port : 18080
Is Secure : false
Auth Type : null
Context Path : /FineGrainedSample
Cookies:
JSESSIONID: e5ffee21849800471c08ca7b9b9c
JSESSIONID: e5fb58534cc2c0f52194ce398ad1
amlbcookie: 01
iPlanetDirectoryPro:
AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQACMDE=#
amFilterRDParam:
AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==
Headers:
host:
spirou.sun.com:18080
user-agent:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X;
en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
accept-language:
en-us,en;q=0.5
accept-encoding:
gzip,deflate
accept-charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive:
300
connection:
keep-alive
referer:
http://spirou.sun.com:8080/amserver/UI/Login?goto=http%3A%2F%2Fspirou.sun.com%3A18080%2FFineGrainedSample%2F&gx_charset=UTF-8
cookie:
JSESSIONID=e5ffee21849800471c08ca7b9b9c;
JSESSIONID=e5fb58534cc2c0f52194ce398ad1; amlbcookie=01;
iPlanetDirectoryPro=AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQA=#;
amFilterRDParam=AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==
Method : GET
Path Info : /Page1.jsp
Path Trans :
/Users/sst/NetBeansProjects/FineGrainedSample/build/web/Page1.jsp
Query String : null
Remote User : null
Requested Session ID : e5fb58534cc2c0f52194ce398ad1
Request URI : /FineGrainedSample/
Servlet Path : /faces
Session : false
User Principal : <not queried>
Attributes:
com.sun.enterprise.http.sessionTracker:
org.apache.coyote.tomcat5.SessionTracker_at_2cb1b1
-----------------------------------------------------------
07/19/2007 02:07:27:961 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
AmFilter: now processing: Notification Task Handler
07/19/2007 02:07:27:961 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
AmFilter: now processing: FQDN Task Handler
07/19/2007 02:07:27:961 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
FQDNHelper: Incoming Server Name: [spirou.sun.com] Result: null
07/19/2007 02:07:27:961 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
AmFilter: now processing: SSO Task Handler
07/19/2007 02:07:27:967 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
SSOTokenValidator.validate(): Exception caught
com.iplanet.sso.SSOException: AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X
kcf8=_at_AAJTSQACMDE=# Invalid session
ID.AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#
at
com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:193)
at
com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:322)
at
com.sun.identity.agents.common.SSOTokenValidator.validateInternal(SSOTokenValidator.java:226)
at
com.sun.identity.agents.common.SSOTokenValidator.validate(SSOTokenValidator.java:133)
at
com.sun.identity.agents.filter.SSOTaskHandler.process(SSOTaskHandler.java:69)
at
com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:172)
at
com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:135)
at
com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:66)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at
org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at
org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:268)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:631)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:562)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:803)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
at
com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at
com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
07/19/2007 02:07:27:967 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
SSOTaskHandler: SSO Validation failed for
AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#
--
Sebastien Stormacq
Software Architect
GSS, Software Practice
Belgium & Luxembourg
Sun Microsystems, sarl
Parc d'Activités 77-79
Capellen L8308
Phone x48356/+352 49 11 33 56
Mobile +352 621 503 626
Fax +352 49 11 33 33
Email sebastien.stormacq_at_sun.com
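
An added example, not part of the original post and not the agent's or the container's code: a Python check showing that the value logged by the filter is exactly what form-style URL decoding produces from the raw cookie, and that a percent-encoded value survives the same decoding. That some component applies such a decoding step is an assumption; the function names are hypothetical and the header is constructed from the values quoted in the post.

```python
from urllib.parse import quote, unquote, unquote_plus

# Token as sent by the browser and as logged in the SSOException (from the post).
RAW = "AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQACMDE=#"
SEEN = "AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#"

# Cookie header constructed from the cookie names and values in the post.
HEADER = ("JSESSIONID=e5ffee21849800471c08ca7b9b9c; "
          "JSESSIONID=e5fb58534cc2c0f52194ce398ad1; amlbcookie=01; "
          "iPlanetDirectoryPro=" + RAW)


def parse_cookie_header(header):
    """Split a Cookie header into (name, raw value) pairs with no decoding.

    A list is returned because names can repeat (JSESSIONID does here), and
    only the first '=' separates name from value (the token contains '=').
    """
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def classify_mismatch(raw, seen):
    """Name the decoding step that turns the raw cookie into the seen value."""
    if seen == raw:
        return "identical"
    if seen == unquote(raw):
        return "percent-decoded"   # %XX resolved, '+' left alone
    if seen == unquote_plus(raw):
        return "form-decoded"      # %XX resolved and '+' turned into ' '
    return "unrelated"


def survives_form_decoding(token):
    """True if percent-encoding the token first lets it round-trip through
    form-style decoding unchanged ('+' travels as %2B)."""
    return unquote_plus(quote(token, safe="")) == token


if __name__ == "__main__":
    for name, value in parse_cookie_header(HEADER):
        if name == "iPlanetDirectoryPro":
            print(name, "->", classify_mismatch(value, SEEN))
    print("percent-encoded form:", quote(RAW, safe=""))
    print("round-trips:", survives_form_decoding(RAW))
```
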