Bug 1045113 - RTGov authentication does not work
Summary: RTGov authentication does not work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: Installer
Version: 6.0.0 GA
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: CR1
Assignee: Thomas Hauser
QA Contact: Jiri Pechanec
Reported: 2013-12-19 15:59 UTC by Jiri Pechanec
Modified: 2014-02-06 15:33 UTC

Doc Type: Bug Fix
Environment: ER8
Type: Bug


Attachments
Install script (3.08 KB, application/xml)
2013-12-20 07:42 UTC, Jiri Pechanec

Description Jiri Pechanec 2013-12-19 15:59:42 UTC
RTGov gadgets throw an exception:
16:55:55,165 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/gadget-web].[makeRequest]] (http-/127.0.0.1:8080-5) JBWEB000236: Servlet.service() for servlet makeRequest threw exception: java.lang.RuntimeException: java.io.IOException: Keystore was tampered with, or password was incorrect
	at org.overlord.gadgets.web.server.http.auth.SAMLBearerTokenAuthenticationProvider.createSAMLBearerTokenAssertion(SAMLBearerTokenAuthenticationProvider.java:88) [classes:]
	at org.overlord.gadgets.web.server.http.auth.SAMLBearerTokenAuthenticationProvider.provideAuthentication(SAMLBearerTokenAuthenticationProvider.java:72) [classes:]
	at org.overlord.gadgets.web.server.http.AuthenticatingHttpFetcher.fetch(AuthenticatingHttpFetcher.java:97) [classes:]
	at org.apache.shindig.gadgets.http.DefaultRequestPipeline.execute(DefaultRequestPipeline.java:108) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.shindig.gadgets.servlet.MakeRequestHandler.fetch(MakeRequestHandler.java:150) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.shindig.gadgets.servlet.MakeRequestServlet.doGet(MakeRequestServlet.java:55) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.shindig.gadgets.servlet.MakeRequestServlet.doPost(MakeRequestServlet.java:68) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.shindig.gadgets.servlet.ETagFilter.doFilter(ETagFilter.java:55) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.shindig.auth.AuthenticationServletFilter.callChain(AuthenticationServletFilter.java:151) [shindig-common-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.shindig.auth.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:96) [shindig-common-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.shindig.common.servlet.HostFilter.doFilter(HostFilter.java:39) [shindig-common-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.1.Final-redhat-10.jar:7.2.1.Final-redhat-10]
	at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.1.Final-redhat-10.jar:7.2.1.Final-redhat-10]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:499) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.1.Final-redhat-10.jar:7.2.1.Final-redhat-10]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772) [rt.jar:1.7.0_25]
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) [rt.jar:1.7.0_25]
	at java.security.KeyStore.load(KeyStore.java:1214) [rt.jar:1.7.0_25]
	at org.overlord.commons.auth.jboss7.SAMLBearerTokenUtil.loadKeystore(SAMLBearerTokenUtil.java:156) [overlord-commons-auth-1.1.0-redhat-5.jar:1.1.0-redhat-5]
	at org.overlord.gadgets.web.server.http.auth.SAMLBearerTokenAuthenticationProvider.createSAMLBearerTokenAssertion(SAMLBearerTokenAuthenticationProvider.java:84) [classes:]
	... 34 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770) [rt.jar:1.7.0_25]
	... 38 more

The problem seems to be present if dtgov is not installed

Comment 1 kconner 2013-12-19 16:37:44 UTC
Saw this in the installer window

"Connected to Management Interface.
Vault installation failed.
Running on-fail server check."

Comment 2 kconner 2013-12-19 17:00:10 UTC
Ignore last comment, I may have had another server running in the background. Retesting now.

Comment 3 kconner 2013-12-19 17:06:07 UTC
This appears to work with the current ER8 installer, can you please retest?  If it fails can you add details of your environment (OS etc) and include the installer log?

Comment 4 Thomas Hauser 2013-12-19 17:07:14 UTC
I am not able to reproduce this when installing only RTGov Server. Please supply an auto-xml that can be used to reproduce the exact installation conditions, thanks.

Comment 5 Jiri Pechanec 2013-12-20 07:42:14 UTC
Created attachment 839427
Install script

Reproduced with every install - see attached script.

Have you had any gadget present?

Comment 6 Jiri Pechanec 2013-12-20 07:47:28 UTC
This might be the root cause
jpechane@jpechane:~/releases/er8/rtgov2/jboss-eap-6.1$ grep password standalone/configuration/gadget-server.properties 
gadget-server.db.password=
gadget-server.config.auth.saml.keystore-password=
gadget-server.config.auth.saml.key-password=
gadget-server.rest-proxy.service-overview.authentication.saml.keystore-password=
gadget-server.rest-proxy.service-overview.authentication.saml.key-password=

The passwords are not empty when dtgov is installed.
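
A post-install check for the condition shown in Comment 6, as an added example that is not part of the bug report or the installer: it flags keystore and key password properties left blank in a properties file. The function names are hypothetical, the sample file is constructed from the keys in the grep output above, and limiting the check to keys ending in `keystore-password` or `key-password` is an assumption of this example.

```shell
#!/bin/sh
# Added example: flag blank keystore credentials in a Java .properties file.

# Print every key ending in "keystore-password" or "key-password" whose value
# is empty or whitespace-only. Accepts "key=value", "key = value", "key:value"
# and skips comment lines. Only key names are printed, never values.
empty_saml_passwords() {
    awk '
        /^[ \t]*[#!]/ { next }                  # properties comment line
        {
            line = $0
            sub(/\r$/, "", line)                # tolerate CRLF files
            sep = match(line, /[=:]/)           # first separator
            if (sep == 0) next
            key = substr(line, 1, sep - 1)
            val = substr(line, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key ~ /(keystore|key)-password$/ && val == "") print key
        }
    ' "$1"
}

# Returns 0 when every checked password is set, 1 when any is blank,
# 2 when the file cannot be read.
check_gadget_properties() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    missing=$(empty_saml_passwords "$1")
    [ -z "$missing" ] && return 0
    echo "blank keystore credentials in $1:" >&2
    echo "$missing" | sed 's/^/  /' >&2
    return 1
}

# Constructed sample mirroring the grep output in Comment 6.
sample=$(mktemp)
cat > "$sample" <<'EOF'
gadget-server.db.password=
gadget-server.config.auth.saml.keystore-password=
gadget-server.config.auth.saml.key-password=
gadget-server.rest-proxy.service-overview.authentication.saml.keystore-password=
gadget-server.rest-proxy.service-overview.authentication.saml.key-password=
EOF
check_gadget_properties "$sample" || echo "installer left keystore credentials blank"
rm -f "$sample"
```

Run against `standalone/configuration/gadget-server.properties` after installation, a non-zero status indicates the state that produces the "Keystore was tampered with, or password was incorrect" error in the description.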

Comment 7 Thomas Hauser 2013-12-20 17:12:58 UTC
I see the issue in the ER8 installer. Fixed for CR1.

Comment 8 Thomas Hauser 2013-12-20 17:27:50 UTC
By the way, the root cause is that the job in the installer that modifies the password properties in gadget-server.properties had an erroneous reliance upon SRAMP being installed.

Comment 9 Jiri Pechanec 2014-01-15 09:09:24 UTC
Verified in CR1

