Bug 793309 (JBEPP-393)

Summary: Malformed security token root:john:appid:cont:url:0 error when adding gadgets
Product: [JBoss] JBoss Enterprise Portal Platform 5 Reporter: Martin Weiler <mweiler>
Component: PortalAssignee: Sohil Shah <sohil.shah>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: 5.0.0.GACC: epp-bugs, frederic.drouet
Target Milestone: ---   
Target Release: 5.0.1.GA   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/JBEPP-393
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-08-31 14:10:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 793367    
Bug Blocks:    

Description Martin Weiler 2010-07-09 10:28:36 UTC 
Affects: Release Notes
Help Desk Ticket Reference: https://access.redhat.com/issue-tracker/947393
project_key: JBEPP

A customer reports this problem when running EPP 5, freshly installed, on RHEL 5 with JDK 1.6.0_20:

1. Extract EPP 5.0 GA
2. Start with run.sh
3. Login with any default user accounts
4. Add Gadget

Instead of a functional gadget, the following error message display within the gadget

HTTP Status 401 - Malformed security token root:john:appid:cont:url:0Invalid security token root:john:appid:cont:url:0

Part of the stacktrace:
Malformed security token root:john:appid:cont:url:0
org.apache.shindig.auth.SecurityTokenException: Invalid security token root:john:appid:cont:url:0
at org.apache.shindig.auth.BlobCrypterSecurityTokenDecoder.createToken(BlobCrypterSecurityTokenDecoder.java:103)
at org.apache.shindig.auth.DefaultSecurityTokenDecoder.createToken(DefaultSecurityTokenDecoder.java:66)
at org.apache.shindig.auth.UrlParameterAuthenticationHandler.getSecurityTokenFromRequest(UrlParameterAuthenticationHandler.java:51)

The only way I could reproduce this issue was by enabling the RequestDumperValve in deploy/jbossweb.sar/server.xml. Or in fact any valve that reads out the request parameters. As a result, the BlobCrypterSecurityTokenDecoder is used instead of the BasicSecurityTokenDecoder.
Comment 1 Sohil Shah 2010-08-03 16:34:49 UTC 
This has to do with processing incoming POST requests to the Shindig Gadget Server. The issue is with the "doPost" method on the "org.apache.shindig.gadgets.servlet.RpcServlet"

<code>
protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException {

    int length = request.getContentLength();
    if (length <= 0) {
      logger.info("No Content-Length specified.");
      response.setStatus(HttpServletResponse.SC_LENGTH_REQUIRED);
      return;
    }
    if (length > POST_REQUEST_MAX_SIZE) {
      logger.info("Request size too large: " + length);
      response.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
      return;
    }

    //Here is the issue.......
    ServletInputStream is = request.getInputStream();
    byte[] body = IOUtils.toByteArray(is);

    if (body.length != length) {
      logger.info("Wrong size. Length: " + length + " real: " + body.length);
      response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
      return;
    }

    Result result = process(request, response, body);
    response.getWriter().write(result.getOutput());
  }
</code>

It reads the JSON payload from the http servlet's input stream. That in itself is not a bad thing. But the problem happens when you have some pre-processing that already reads this InputStream before it
hits the servlet. In our case, that happens when you activate the "RequestDumperValve". 

At this point I would say this issue is not in the code, but in "whatever pre-processing" that occurs before the doPost invocation. This invocation needs to happen with the 'InputStream unread".
Comment 2 Thomas Heute 2010-08-23 09:33:12 UTC 
Would a reset on the input stream (in shindig) work around ?
Comment 3 Thomas Heute 2010-08-31 13:32:11 UTC 
Requires an update to 1.0-r790473-Patch03
Comment 4 Thomas Heute 2010-09-01 06:50:51 UTC 
Affects: Added: [Release Notes]
Comment 5 Thomas Heute 2010-09-01 06:58:50 UTC 
This requires a fix in Shindig and an upgrade to 1.0-r790473-Patch03
Comment 6 Thomas Heute 2010-09-01 06:58:50 UTC 
Link: Added: This issue depends JBEPP-450
Comment 7 Thomas Heute 2010-09-13 07:32:24 UTC 
Link: Added: This issue related GTNPORTAL-1474