Bug 819097 - The gadget service can't handle redirect situation and throws "Malformed security token root:john:appid:cont:url:0" error.
Status: CLOSED WONTFIX
Product: JBoss Enterprise Portal Platform 5
Classification: JBoss
Component: Portal
Version: 5.2.2.ER04
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 5.2.x
Assigned To: Thomas Heute
Reported: 2012-05-04 16:12 EDT by Gary Hu
Modified: 2014-09-26 03:45 EDT (History)
Doc Type: Bug Fix
Last Closed: 2014-09-26 03:45:33 EDT
Type: Bug
Attachments:
eXoGadgetServer.war servlet filter (8.02 KB, application/x-java-archive), 2012-05-08 17:10 EDT, Gary Hu

Description Gary Hu 2012-05-04 16:12:17 EDT
The following errors are thrown when rendering a gadget in EPP 5.2.


2012-04-16 14:52:48,007 INFO  [org.apache.shindig.auth.AuthenticationServletFilter] (ajp-10.177.43.74-8009-1) Malformed security token root:john:appid:cont:url:0
org.apache.shindig.auth.SecurityTokenException: Invalid security token root:john:appid:cont:url:0

After further troubleshooting, we realized this issue is caused by a redirect rule from http to https configured on an F5 BIG-IP device.

We've checked the source file org.exoplatform.portal.webui.application.GadgetUtil.java:

         URL url = new URL(gadgetServer + (gadgetServer.endsWith("/") ? "" : "/") + "metadata");
         URLConnection conn = url.openConnection();
         conn.setDoOutput(true);   // POST: the request body is written below
         OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());
         wr.write(data);
         wr.flush();
         // Get the response. The HTTP status is never inspected, so a 3xx
         // answer from the gadget server is not followed here.
         result = IOUtils.toString(conn.getInputStream(), "UTF-8");
         wr.close();

It appears that the URLConnection can't follow the redirection [1].

Can we make our code able to handle the redirect situation?

[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4620571
Comment 1 Thomas Heute 2012-05-08 10:33:48 EDT
Do we already have a way to reproduce without F5 setup?
Comment 2 Gary Hu 2012-05-08 12:01:57 EDT
We can't exactly reproduce the issue without F5 setup.

Here is what I did:

1) create a filter with the following code:
  // Test filter: unconditionally redirect every matched request to simulate
  // the F5 rule; the filter chain is deliberately never continued.
  public void doFilter(ServletRequest request, ServletResponse response,
                        FilterChain chain) throws IOException, ServletException {
     HttpServletResponse httpResp = (HttpServletResponse) response;
     httpResp.sendRedirect("/eXoGadgetServer/gadgets/redirectapirpc/");
     return;
  }

2) add this filter as the last one in the filter chain in eXoGadgetServer.war/WEB-INF/web.xml:
   <filter>
    <filter-name>myRedirectFilter</filter-name>
    <filter-class>com.redhat.jboss.web.util.filter.RedirectFilter</filter-class>
   </filter>

   <filter-mapping>
    <filter-name>myRedirectFilter</filter-name>
    <url-pattern>/gadgets/api/rpc</url-pattern>
   </filter-mapping>

3) replace every instance of the url-pattern "/gadgets/api/rpc/*" in web.xml with "/gadgets/redirectapirpc/*" (for the JsonRpcServlet servlet mapping and all relevant filter mappings)

Now I'm getting error:

java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:8080/eXoGadgetServer/gadgets/redirectapirpc

It indicates that the redirection is not honored by the code.
Comment 3 Gary Hu 2012-05-08 12:04:14 EDT
(In reply to comment #2)
> We can't exactly reproduce the issue without F5 setup.
> 
> Here is what I did:
> 
> 1) create a filter with the following code:
>   public void doFilter(ServletRequest request, ServletResponse response,
>                         FilterChain chain) throws IOException, ServletException
> {
>      HttpServletResponse httpResp = (HttpServletResponse) response;
>      httpResp.sendRedirect("/eXoGadgetServer/gadgets/redirectapirpc/");
>      return;
>   }
> 
> 2) add this filter as the last one in the filter chain in
Actually, it should be adding this filter as the first one in the filter chain.
> eXoGadgetServer.war/WEB-INF/web.xml:
>    <filter>
>     <filter-name>myRedirectFilter</filter-name>
>     <filter-class>com.redhat.jboss.web.util.filter.RedirectFilter</filter-class>
>    </filter>
> 
>    <filter-mapping>
>     <filter-name>myRedirectFilter</filter-name>
>     <url-pattern>/gadgets/api/rpc</url-pattern>
>    </filter-mapping>
> 
> 3) replace every instance of the url-pattern "/gadgets/api/rpc/*" in web.xml
> with "/gadgets/redirectapirpc/*" (for the JsonRpcServlet servlet mapping and
> all relevant filter mappings)
> 
> Now I'm getting error:
> 
> java.io.IOException: Server returned HTTP response code: 400 for URL:
> http://localhost:8080/eXoGadgetServer/gadgets/redirectapirpc
> 
> It indicates that the redirection is not honored by the code.
Comment 4 Gary Hu 2012-05-08 16:59:32 EDT
I'm able to reproduce the exact error in my test case now.

In my previous attempts, I tested the import/export gadget. In this test I used the dashboard to launch the calculator gadget provided by EPP.

I'm receiving the error message:

2012-05-08 15:43:30,895 INFO  [org.apache.shindig.auth.AuthenticationServletFilter] (http-0.0.0.0-8080-2) Malformed security token root:john:appid:cont:url:0
org.apache.shindig.auth.SecurityTokenException: Invalid security token root:john:appid:cont:url:0
	at org.apache.shindig.auth.BlobCrypterSecurityTokenCodec.createToken(BlobCrypterSecurityTokenCodec.java:106)
	at org.apache.shindig.auth.DefaultSecurityTokenCodec.createToken(DefaultSecurityTokenCodec.java:68)
	at org.apache.shindig.auth.UrlParameterAuthenticationHandler.getSecurityTokenFromRequest(UrlParameterAuthenticationHandler.java:56)
	at org.apache.shindig.auth.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:84)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.shindig.common.servlet.HostFilter.doFilter(HostFilter.java:44)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.valves.GadgetCookie.invoke(GadgetCookie.java:27)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
	at java.lang.Thread.run(Thread.java:662)


Please note that the redirection fails with the shindig authentication servlet just as mentioned in the javadoc [1] "When output streaming is enabled, authentication and redirection cannot be handled automatically." 

I believe the redirection works fine with a normal servlet situation. But it fails with shindig which requires some kind of authentication.

[1] http://docs.oracle.com/javase/6/docs/api/java/net/HttpURLConnection.html#setChunkedStreamingMode
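The question at the end of the description (making the GadgetUtil call handle the redirect) and the javadoc caveat quoted in comment #4 (a streamed request body cannot be replayed, so the JDK cannot follow the redirect for you) point to the same remedy: keep the body in memory, disable automatic redirects, and follow each hop by hand. The class below is an added example written for this page, not code from GateIn/EPP or from the reporter; the class name, the MAX_REDIRECTS limit and the same-host/no-downgrade policy in isAllowedHop are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Added illustration, not GateIn/EPP code: POST to the gadget server's
 * "metadata" endpoint and follow redirects by hand. HttpURLConnection will
 * not follow a redirect that changes the scheme (http -> https), and once a
 * body has been streamed it cannot be re-sent, so the loop keeps the body
 * as bytes and writes it again on every hop.
 */
public final class RedirectAwareMetadataClient {

    private static final int MAX_REDIRECTS = 5; // assumed limit; stops redirect loops

    private RedirectAwareMetadataClient() {
    }

    public static String postMetadata(String gadgetServer, String data) throws IOException {
        // Retain the body; with setChunkedStreamingMode/setFixedLengthStreamingMode
        // the JDK could not replay it, which is the case the javadoc warns about.
        byte[] body = data.getBytes("UTF-8");
        URL url = new URL(gadgetServer + (gadgetServer.endsWith("/") ? "" : "/") + "metadata");

        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setInstanceFollowRedirects(false); // every redirect is decided below
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            OutputStream out = conn.getOutputStream();
            try {
                out.write(body);
                out.flush();
            } finally {
                out.close();
            }

            int status = conn.getResponseCode();
            if (isRedirect(status)) {
                String location = conn.getHeaderField("Location");
                conn.disconnect();
                if (location == null) {
                    throw new IOException("Redirect " + status + " without Location from " + url);
                }
                if (status == HttpURLConnection.HTTP_SEE_OTHER) {
                    // 303 asks for a GET, which cannot carry the metadata body:
                    // fail loudly instead of sending an empty request.
                    throw new IOException("303 redirect from " + url + " would drop the POST body");
                }
                URL next = new URL(url, location); // Location may be relative
                if (!isAllowedHop(url, next)) {
                    throw new IOException("Refusing redirect from " + url + " to " + next);
                }
                url = next;
                continue;
            }
            if (status >= 400) {
                conn.disconnect();
                throw new IOException("Server returned HTTP response code: " + status + " for URL: " + url);
            }
            InputStream in = conn.getInputStream();
            try {
                return readUtf8(in);
            } finally {
                in.close();
                conn.disconnect();
            }
        }
        throw new IOException("More than " + MAX_REDIRECTS + " redirects from " + gadgetServer);
    }

    private static boolean isRedirect(int status) {
        return status == HttpURLConnection.HTTP_MOVED_PERM
            || status == HttpURLConnection.HTTP_MOVED_TEMP
            || status == HttpURLConnection.HTTP_SEE_OTHER
            || status == 307 || status == 308;
    }

    /** Assumed policy: only same-host hops, and never https back down to http. */
    private static boolean isAllowedHop(URL from, URL to) {
        boolean sameHost = from.getHost().equalsIgnoreCase(to.getHost());
        boolean downgrade = "https".equalsIgnoreCase(from.getProtocol())
            && !"https".equalsIgnoreCase(to.getProtocol());
        return sameHost && !downgrade;
    }

    private static String readUtf8(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toString("UTF-8");
    }
}
```

The isAllowedHop check is the part worth keeping even if the rest is adapted: a client that blindly re-sends its POST body to whatever Location says would hand that body, and any token it carries, to an arbitrary host or over plaintext. Restricting hops to the same host and to scheme upgrades covers the http-to-https rule described in this report without opening that door.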
Comment 5 Gary Hu 2012-05-08 17:10:16 EDT
Created attachment 583073 [details]
eXoGadgetServer.war servlet filter
Comment 6 Gary Hu 2012-05-08 17:12:32 EDT
I've uploaded the servlet filter used in my test. To use it just place it under eXoGadgetServer.war/WEB-INF/lib and configure it as mentioned in comment #2 as the very first in the filter chain in eXoGadgetServer.war/WEB-INF/web.xml.
Comment 8 Boleslaw Dawidowicz 2012-06-25 13:26:26 EDT
We won't be able to fix for 5.2.2ER01. More likely 5.2.2.ER02, but I'm setting GA for now as it is the only currently available option in BZ.
Comment 9 Thomas Heute 2012-07-10 04:17:00 EDT
I'm not able to replicate the environment and still not able to find out what's wrong with the resources links.