users@glassfish.java.net

Wrong cookie encoding ? -> open SSO issue

From: Sebastien Stormacq <Sebastien.Stormacq_at_Sun.COM>
Date: Thu, 19 Jul 2007 14:14:07 +0200

Hello,

I am running AM 7.1 on GF b53.
I have deployed an application protected by the J2EE Policy agent.

At certain points in time, the authentication fails and the browser
enters an infinite redirect loop.

It looks like the iPlanetDirectoryPro cookie is incorrectly URL encoded.
Cookie value is
AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQACMDE=#
But what is seen by the J2EE filter is
AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#

(notice the space at the position of the + sign in the original cookie
value)


Then AM returns a FORBIDDEN value as policy, which causes the browser to
redirect to AM etc.
See below the error at the agent side.

Because I am not sure whether this is a GF or an OpenSSO issue, I am cross-posting my question.

Any suggestions?

Thanks

Seb

07/19/2007 02:07:27:960 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
AmFilter: incoming request =>
-----------------------------------------------------------
HttpServletRequest: class => uri: /FineGrainedSample/
method: GET
QueryString: null
Parameters:
Headers:
        Name: host Value: spirou.sun.com:18080
        Name: user-agent Value: Mozilla/5.0 (Macintosh; U; Intel
Mac OS X; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
        Name: accept Value:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
        Name: accept-language Value: en-us,en;q=0.5
        Name: accept-encoding Value: gzip,deflate
        Name: accept-charset Value: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Name: keep-alive Value: 300
        Name: connection Value: keep-alive
        Name: referer Value:
http://spirou.sun.com:8080/amserver/UI/Login?goto=http%3A%2F%2Fspirou.sun.com%3A18080%2FFineGrainedSample%2F&gx_charset=UTF-8
        Name: cookie Value: JSESSIONID=e5ffee21849800471c08ca7b9b9c;
JSESSIONID=e5fb58534cc2c0f52194ce398ad1; amlbcookie=01;
iPlanetDirectoryPro=AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQA=#;
amFilterRDParam=AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==


        Character Encoding : null
        Content Lenght : -1
        Content Type : null
        Locale : en_US

        Accept Locales:
                en_US
                en

        Protocol : HTTP/1.1
        Remote Address : 192.168.0.5
        Remote Host : 192.168.0.5
        Scheme : http
        Server Name : spirou.sun.com
        Server Port : 18080
        Is Secure : false
        Auth Type : null
        Context Path : /FineGrainedSample
        Cookies:
                JSESSIONID: e5ffee21849800471c08ca7b9b9c
                JSESSIONID: e5fb58534cc2c0f52194ce398ad1
                amlbcookie: 01
                iPlanetDirectoryPro:
AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQACMDE=#
                amFilterRDParam:
AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==

        Headers:
                host:
                        spirou.sun.com:18080
                user-agent:
                        Mozilla/5.0 (Macintosh; U; Intel Mac OS X;
en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
                accept:
                        
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
                accept-language:
                        en-us,en;q=0.5
                accept-encoding:
                        gzip,deflate
                accept-charset:
                        ISO-8859-1,utf-8;q=0.7,*;q=0.7
                keep-alive:
                        300
                connection:
                        keep-alive
                referer:
                        
http://spirou.sun.com:8080/amserver/UI/Login?goto=http%3A%2F%2Fspirou.sun.com%3A18080%2FFineGrainedSample%2F&gx_charset=UTF-8
                cookie:
                        JSESSIONID=e5ffee21849800471c08ca7b9b9c;
JSESSIONID=e5fb58534cc2c0f52194ce398ad1; amlbcookie=01;
iPlanetDirectoryPro=AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQA=#;
amFilterRDParam=AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==
        Method : GET
        Path Info : /Page1.jsp
        Path Trans :
/Users/sst/NetBeansProjects/FineGrainedSample/build/web/Page1.jsp
        Query String : null
        Remote User : null
        Requested Session ID : e5fb58534cc2c0f52194ce398ad1
        Request URI : /FineGrainedSample/
        Servlet Path : /faces
        Session : false
        User Principal : <not queried>
        Attributes:
                com.sun.enterprise.http.sessionTracker:
org.apache.coyote.tomcat5.SessionTracker_at_2cb1b1


-----------------------------------------------------------

07/19/2007 02:07:27:961 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
AmFilter: now processing: Notification Task Handler
07/19/2007 02:07:27:961 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
AmFilter: now processing: FQDN Task Handler
07/19/2007 02:07:27:961 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
FQDNHelper: Incoming Server Name: [spirou.sun.com] Result: null
07/19/2007 02:07:27:961 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
AmFilter: now processing: SSO Task Handler
07/19/2007 02:07:27:967 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
SSOTokenValidator.validate(): Exception caught
com.iplanet.sso.SSOException: AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X
kcf8=_at_AAJTSQACMDE=# Invalid session
ID.AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#
        at
com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:193)
        at
com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:322)
        at
com.sun.identity.agents.common.SSOTokenValidator.validateInternal(SSOTokenValidator.java:226)
        at
com.sun.identity.agents.common.SSOTokenValidator.validate(SSOTokenValidator.java:133)
        at
com.sun.identity.agents.filter.SSOTaskHandler.process(SSOTaskHandler.java:69)
        at
com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:172)
        at
com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:135)
        at
com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:66)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
        at
org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
        at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
        at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
        at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
        at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
        at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
        at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
        at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
        at
org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:268)
        at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:631)
        at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:562)
        at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:803)
        at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
        at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
        at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
        at
com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
        at
com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)

07/19/2007 02:07:27:967 PM CEST:
Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
SSOTaskHandler: SSO Validation failed for
AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#
-- 
Sebastien Stormacq
Software Architect
GSS, Software Practice
Belgium & Luxembourg
Sun Microsystems, sarl
Parc d'Activités 77-79
Capellen L8308
Phone x48356/+352 49 11 33 56
Mobile +352 621 503 626
Fax +352 49 11 33 33
Email sebastien.stormacq_at_sun.com
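The mismatch described in the post, reproduced in Python as an added example (not code from the post, from OpenSSO or from GlassFish): the cookie value keeps its `+` under plain percent-decoding but loses it when a component applies the query-string rule that turns `+` into a space, together with a check for that symptom and the encoding an issuer could use so both decoders agree. The Cookie header is constructed; the token value is copied as it appears in the post.

```python
# Added example, not code from the original post or from OpenSSO/GlassFish.
# It reproduces the symptom in the post: a cookie value containing '+' (as the
# iPlanetDirectoryPro token does) survives percent-decoding intact but loses
# the '+' (turned into a space) under application/x-www-form-urlencoded
# decoding, which is meant for query strings and form fields, not cookies.
from urllib.parse import quote, unquote, unquote_plus

# Token value copied from the post ("_at_" is how it appears in the archive).
ORIGINAL_TOKEN = "AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQACMDE=#"

# Constructed Cookie header carrying that token, as a browser would send it.
COOKIE_HEADER = "amlbcookie=01; iPlanetDirectoryPro=" + ORIGINAL_TOKEN


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into name -> raw value without decoding anything.
    Cookie values are opaque to the Cookie syntax: a '+' is just a '+'."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def decode_percent_only(value: str) -> str:
    """Percent-decoding only; '+' is preserved. Safe for cookie values."""
    return unquote(value)


def decode_as_form_field(value: str) -> str:
    """Query-string rule: '+' means space. Wrong when applied to a cookie."""
    return unquote_plus(value)


def token_was_mangled(raw_value: str, seen_value: str) -> bool:
    """Detect the symptom from the post: the only difference between the
    cookie as sent and the value the filter validated is '+' -> ' '."""
    return raw_value != seen_value and raw_value.replace("+", " ") == seen_value


def encode_for_cookie(value: str) -> str:
    """Percent-encode '+', '=' and '#' (safe="" leaves only unreserved chars),
    so that BOTH decoders above return the original value unchanged."""
    return quote(value, safe="")
```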