Hide Forgot
Affects: Release Notes Help Desk Ticket Reference: https://access.redhat.com/issue-tracker/947393 project_key: JBEPP A customer reports this problem when running EPP 5, freshly installed, on RHEL 5 with JDK 1.6.0_20: 1. Extract EPP 5.0 GA 2. Start with run.sh 3. Login with any default user accounts 4. Add Gadget Instead of a functional gadget, the following error message display within the gadget HTTP Status 401 - Malformed security token root:john:appid:cont:url:0Invalid security token root:john:appid:cont:url:0 Part of the stacktrace: Malformed security token root:john:appid:cont:url:0 org.apache.shindig.auth.SecurityTokenException: Invalid security token root:john:appid:cont:url:0 at org.apache.shindig.auth.BlobCrypterSecurityTokenDecoder.createToken(BlobCrypterSecurityTokenDecoder.java:103) at org.apache.shindig.auth.DefaultSecurityTokenDecoder.createToken(DefaultSecurityTokenDecoder.java:66) at org.apache.shindig.auth.UrlParameterAuthenticationHandler.getSecurityTokenFromRequest(UrlParameterAuthenticationHandler.java:51) The only way I could reproduce this issue was by enabling the RequestDumperValve in deploy/jbossweb.sar/server.xml. Or in fact any valve that reads out the request parameters. As a result, the BlobCrypterSecurityTokenDecoder is used instead of the BasicSecurityTokenDecoder.
This has to do with processing incoming POST requests to the Shindig Gadget Server. The issue is with the "doPost" method on the "org.apache.shindig.gadgets.servlet.RpcServlet" <code> protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException { int length = request.getContentLength(); if (length <= 0) { logger.info("No Content-Length specified."); response.setStatus(HttpServletResponse.SC_LENGTH_REQUIRED); return; } if (length > POST_REQUEST_MAX_SIZE) { logger.info("Request size too large: " + length); response.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE); return; } //Here is the issue....... ServletInputStream is = request.getInputStream(); byte[] body = IOUtils.toByteArray(is); if (body.length != length) { logger.info("Wrong size. Length: " + length + " real: " + body.length); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); return; } Result result = process(request, response, body); response.getWriter().write(result.getOutput()); } </code> It reads the JSON payload from the http servlet's input stream. That in itself is not a bad thing. But the problem happens when you have some pre-processing that already reads this InputStream before it hits the servlet. In our case, that happens when you activate the "RequestDumperValve". At this point I would say this issue is not in the code, but in "whatever pre-processing" that occurs before the doPost invocation. This invocation needs to happen with the 'InputStream unread".
Would a reset on the input stream (in shindig) work around ?
Requires an update to 1.0-r790473-Patch03
Affects: Added: [Release Notes]
This requires a fix in Shindig and an upgrade to 1.0-r790473-Patch03
Link: Added: This issue depends JBEPP-450
Link: Added: This issue related GTNPORTAL-1474