Bug 819097

Summary: The gadget service can't handle redirect situation and throws "Malformed security token root:john:appid:cont:url:0" error.
Product: [JBoss] JBoss Enterprise Portal Platform 5
Reporter: Gary Hu <ghu>
Component: Portal
Assignee: Thomas Heute <theute>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: 5.2.2.ER04
CC: bdawidow, dchia, epp-bugs, hfnukal, myarboro, theute
Target Milestone: ---
Target Release: 5.2.x
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-09-26 07:45:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments (Description / Flags):
eXoGadgetServer.war servlet filter / none

Description Gary Hu 2012-05-04 20:12:17 UTC
The following errors are thrown when rendering a gadget in EPP 5.2.


2012-04-16 14:52:48,007 INFO  [org.apache.shindig.auth.AuthenticationServletFilter] (ajp-10.177.43.74-8009-1) Malformed security token root:john:appid:cont:url:0
org.apache.shindig.auth.SecurityTokenException: Invalid security token root:john:appid:cont:url:0

After further troubleshooting, we realize this issue is caused by a redirect rule from http to https configured on an F5 BIG-IP device.

We've checked the source file org.exoplatform.portal.webui.application.GadgetUtil.java

    import java.io.OutputStreamWriter;
    import java.net.URL;
    import java.net.URLConnection;
    import org.apache.commons.io.IOUtils;

    // POST the metadata request to <gadgetServer>/metadata
    URL url = new URL(gadgetServer + (gadgetServer.endsWith("/") ? "" : "/") + "metadata");
    URLConnection conn = url.openConnection();
    conn.setDoOutput(true); // turns the request into a POST with output streaming
    OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());
    wr.write(data);
    wr.flush();
    // Get the response
    result = IOUtils.toString(conn.getInputStream(), "UTF-8");
    wr.close();

It appears that the URLConnection can't follow the redirection [1].

Can we make our code able to handle the redirect situation?

[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4620571
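An added example, not code from the EPP/GateIn source, showing how the metadata POST quoted above could handle a 3xx reply itself: HttpURLConnection never follows a redirect automatically while output streaming is on, nor across a scheme change such as the http-to-https rule described here, so the client checks the status, validates the Location (same host only, no https-to-http downgrade, so the request body is never re-posted to an arbitrary host) and re-issues the POST with a hop limit. Assumed names: RedirectAwareMetadataClient, fetchMetadata, isSafeRedirect, MAX_REDIRECTS; IOUtils is assumed to be commons-io.

```java
// Added example, not EPP/GateIn code: bounded same-host redirect handling for the metadata
// POST in the description. Assumed: class/method names here; IOUtils from commons-io.
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import org.apache.commons.io.IOUtils;
public final class RedirectAwareMetadataClient {
    private static final int MAX_REDIRECTS = 3;
    public static String fetchMetadata(String gadgetServer, String data) throws IOException {
        URL url = new URL(gadgetServer + (gadgetServer.endsWith("/") ? "" : "/") + "metadata");
        byte[] body = data.getBytes(StandardCharsets.UTF_8);
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            // A streamed POST is never redirected automatically (see the javadoc quoted in
            // comment 4), and neither is an http->https hop, so handle 3xx explicitly.
            conn.setInstanceFollowRedirects(false);
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setFixedLengthStreamingMode(body.length);
            conn.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
            int status = conn.getResponseCode();
            if (status == 301 || status == 302 || status == 307 || status == 308) {
                URL target = new URL(url, conn.getHeaderField("Location"));
                if (!isSafeRedirect(url, target)) {
                    throw new IOException("Refusing redirect from " + url + " to " + target);
                }
                url = target; // re-POST the same body to the validated location
                continue;
            }
            if (status != HttpURLConnection.HTTP_OK) {
                throw new IOException("Server returned HTTP response code: " + status + " for URL: " + url);
            }
            try (InputStream in = conn.getInputStream()) {
                return IOUtils.toString(in, "UTF-8");
            }
        }
        throw new IOException("Too many redirects fetching " + url);
    }
    /** Only follow to the same host, and never from https back to plain http. */
    static boolean isSafeRedirect(URL from, URL to) {
        return from.getHost().equalsIgnoreCase(to.getHost())
            && !("https".equals(from.getProtocol()) && !"https".equals(to.getProtocol()));
    }
}
```

A missing or unparseable Location header surfaces as a MalformedURLException (an IOException) from the URL constructor, so the caller sees a failure rather than a silent retry.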

Comment 1 Thomas Heute 2012-05-08 14:33:48 UTC
Do we already have a way to reproduce without F5 setup ?

Comment 2 Gary Hu 2012-05-08 16:01:57 UTC
We can't exactly reproduce the issue without F5 setup.

Here is what I did:

1) create a filter with the following code:
  import java.io.IOException;
  import javax.servlet.*;
  import javax.servlet.http.HttpServletResponse;

  // Redirects every matched request; deliberately never calls chain.doFilter()
  public void doFilter(ServletRequest request, ServletResponse response,
                       FilterChain chain) throws IOException, ServletException {
     HttpServletResponse httpResp = (HttpServletResponse) response;
     httpResp.sendRedirect("/eXoGadgetServer/gadgets/redirectapirpc/");
     return;
  }

2) add this filter as the last one in the filter chain in eXoGadgetServer.war/WEB-INF/web.xml:
   <filter>
    <filter-name>myRedirectFilter</filter-name>
    <filter-class>com.redhat.jboss.web.util.filter.RedirectFilter</filter-class>
   </filter>

   <filter-mapping>
    <filter-name>myRedirectFilter</filter-name>
    <url-pattern>/gadgets/api/rpc</url-pattern>
   </filter-mapping>

3) replace every instance of the url-pattern "/gadgets/api/rpc/*" in web.xml with "/gadgets/redirectapirpc/*" (for the JsonRpcServlet servlet mapping and all relevant filter mappings)

Now I'm getting error:

java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:8080/eXoGadgetServer/gadgets/redirectapirpc

It indicates that the redirection is not honored by the code.

Comment 3 Gary Hu 2012-05-08 16:04:14 UTC
(In reply to comment #2)
> We can't exactly reproduce the issue without F5 setup.
> 
> Here is what I did:
> 
> 1) create a filter with the following code:
>   public void doFilter(ServletRequest request, ServletResponse response,
>                         FilterChain chain) throws IOException, ServletException {
>      HttpServletResponse httpResp = (HttpServletResponse) response;
>      httpResp.sendRedirect("/eXoGadgetServer/gadgets/redirectapirpc/");
>      return;
>   }
> 
> 2) add this filter as the last one in the filter chain in
Actually, it should be adding this filter as the first one in the filter chain.
> eXoGadgetServer.war/WEB-INF/web.xml:
>    <filter>
>     <filter-name>myRedirectFilter</filter-name>
>     <filter-class>com.redhat.jboss.web.util.filter.RedirectFilter</filter-class>
>    </filter>
> 
>    <filter-mapping>
>     <filter-name>myRedirectFilter</filter-name>
>     <url-pattern>/gadgets/api/rpc</url-pattern>
>    </filter-mapping>
> 
> 3) replace every instance of the url-pattern "/gadgets/api/rpc/*" in web.xml
> with "/gadgets/redirectapirpc/*" (for the JsonRpcServlet servlet mapping and
> all relevant filter mappings)
> 
> Now I'm getting error:
> 
> java.io.IOException: Server returned HTTP response code: 400 for URL:
> http://localhost:8080/eXoGadgetServer/gadgets/redirectapirpc
> 
> It indicates that the redirection is not honored by the code.

Comment 4 Gary Hu 2012-05-08 20:59:32 UTC
I'm able to reproduce the exact error in my test case now.

In my previous attempts, I tested the import/export gadget. In this test I used the dashboard to launch the calculator gadget provided by EPP.

I'm receiving the error message:

2012-05-08 15:43:30,895 INFO  [org.apache.shindig.auth.AuthenticationServletFilter] (http-0.0.0.0-8080-2) Malformed security token root:john:appid:cont:url:0
org.apache.shindig.auth.SecurityTokenException: Invalid security token root:john:appid:cont:url:0
	at org.apache.shindig.auth.BlobCrypterSecurityTokenCodec.createToken(BlobCrypterSecurityTokenCodec.java:106)
	at org.apache.shindig.auth.DefaultSecurityTokenCodec.createToken(DefaultSecurityTokenCodec.java:68)
	at org.apache.shindig.auth.UrlParameterAuthenticationHandler.getSecurityTokenFromRequest(UrlParameterAuthenticationHandler.java:56)
	at org.apache.shindig.auth.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:84)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.shindig.common.servlet.HostFilter.doFilter(HostFilter.java:44)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.valves.GadgetCookie.invoke(GadgetCookie.java:27)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
	at java.lang.Thread.run(Thread.java:662)


Please note that the redirection fails with the shindig authentication servlet just as mentioned in the javadoc [1] "When output streaming is enabled, authentication and redirection cannot be handled automatically." 

I believe the redirection works fine with a normal servlet situation. But it fails with shindig which requires some kind of authentication.

[1] http://docs.oracle.com/javase/6/docs/api/java/net/HttpURLConnection.html#setChunkedStreamingMode

Comment 5 Gary Hu 2012-05-08 21:10:16 UTC
Created attachment 583073 [details]
eXoGadgetServer.war servlet filter

Comment 6 Gary Hu 2012-05-08 21:12:32 UTC
I've uploaded the servlet filter used in my test. To use it just place it under eXoGadgetServer.war/WEB-INF/lib and configure it as mentioned in comment #2 as the very first in the filter chain in eXoGadgetServer.war/WEB-INF/web.xml.

Comment 8 Boleslaw Dawidowicz 2012-06-25 17:26:26 UTC
We won't be able to fix for 5.2.2ER01. More likely 5.2.2.ER02, but I'm setting GA for now as it is the only currently available option in BZ.

Comment 9 Thomas Heute 2012-07-10 08:17:00 UTC
I'm not able to replicate the environment and still not able to find out what's wrong with the resources links.