glassfish / GLASSFISH-15142

wl-run-as-principal-name unit test unstable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.1_b38
    • Component/s: deployment
    • Labels: None

      Description

      wl-run-as-principal-name unit test is failing in Hudson about 50% of the time, making the build unstable. The failure is also reproducible in a non-Hudson environment. It isn't clear whether the test needs to be updated to be more robust or whether this bug only happens occasionally.

      [java] Unexpected return code: 500
      [java] Generating report at /files/hudson/workspace/webtier-dev-tests-v3/appserv-tests/test_results.xml
      [java]
      [java]
      [java] -----------------------------------------
      [java] - wl-run-as-principal-name: FAIL -
      [java] -----------------------------------------
      [java] - Total PASS : 0 -
      [java] - Total FAIL : 1 -
      [java] - Total DID NOT RUN : 0 -
      [java] -----------------------------------------

      [#|2010-12-13T12:52:17.244-0800|INFO|glassfish3.1|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=15;_ThreadName=Thread-1;|WEB0671: Loading application [web-wl-run-as-principal-name-web] at [/web-wl-run-as-principal-name]|#]

      [#|2010-12-13T12:52:17.259-0800|INFO|glassfish3.1|javax.enterprise.system.tools.admin.org.glassfish.deployment.admin|_ThreadID=15;_ThreadName=Thread-1;|web-wl-run-as-principal-name-web was successfully deployed in 1,338 milliseconds.|#]

      [#|2010-12-13T12:52:17.892-0800|INFO|glassfish3.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=Thread-1;|JACC Policy Provider: Failed Permission Check, context(web-wl-run-as-principal-name-web/web-wl-run-as-principal-name-web_internal)- permission((javax.security.jacc.EJBMethodPermission StatelessBean hello,Local,))|#]

      [#|2010-12-13T12:52:17.893-0800|WARNING|glassfish3.1|javax.enterprise.system.container.ejb.com.sun.ejb.containers|_ThreadID=15;_ThreadName=Thread-1;|A system exception occurred during an invocation on EJB StatelessBean method public java.lang.String test.StatelessBean.hello()
      javax.ejb.AccessLocalException: Client not authorized for this invocation.
      at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:1885)
      at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:212)
      at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
      at $Proxy127.hello(Unknown Source)
      at test._EJB31_GeneratedStatelessBeanIntf__Bean_.hello(Unknown Source)
      at test.TestServlet.doGet(TestServlet.java:60)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
      at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1534)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
      at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
      at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
      at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:326)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
      at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:170)
      at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:817)
      at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:718)
      at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1007)
      at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
      at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
      at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
      at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
      at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
      at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
      at java.lang.Thread.run(Thread.java:619)

      #]

      [#|2010-12-13T12:52:17.945-0800|WARNING|glassfish3.1|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=15;_ThreadName=Thread-1;|StandardWrapperValve[test.TestServlet]: PWC1406: Servlet.service() for servlet test.TestServlet threw exception
      javax.ejb.EJBAccessException
      at com.sun.ejb.containers.BaseContainer.mapLocal3xException(BaseContainer.java:2314)
      at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:2088)
      at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:1990)
      at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:222)
      at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
      at $Proxy127.hello(Unknown Source)
      at test._EJB31_GeneratedStatelessBeanIntf__Bean_.hello(Unknown Source)
      at test.TestServlet.doGet(TestServlet.java:60)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
      at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1534)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
      at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
      at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
      at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:326)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
      at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:170)
      at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:817)
      at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:718)
      at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1007)
      at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
      at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
      at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
      at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
      at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
      at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
      at java.lang.Thread.run(Thread.java:619)
      Caused by: javax.ejb.AccessLocalException: Client not authorized for this invocation.
      at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:1885)
      at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:212)
      ... 31 more

      #]
      1. Failure.png
        219 kB
      2. Successful.png
        199 kB

        Activity

        Shing Wai Chan added a comment -

        The test fails occasionally.
        When it passes, the generated policy is as follows:
        grant {
            permission javax.security.jacc.WebResourcePermission "/:/mytest";
            permission javax.security.jacc.WebUserDataPermission "/mytest";
            permission javax.security.jacc.WebUserDataPermission "/:/mytest";
        };

        grant principal org.glassfish.security.common.PrincipalImpl "aprincipal" {
            permission javax.security.jacc.WebRoleRefPermission "", "arole";
            permission javax.security.jacc.WebRoleRefPermission "jsp", "arole";
            permission javax.security.jacc.WebRoleRefPermission "test.TestServlet", "arole";
            permission javax.security.jacc.WebRoleRefPermission "default", "arole";
        };

        grant principal org.glassfish.security.common.PrincipalImpl "javaee" {
            permission javax.security.jacc.WebResourcePermission "/mytest";
            permission javax.security.jacc.WebRoleRefPermission "", "javaee";
            permission javax.security.jacc.WebRoleRefPermission "default", "javaee";
            permission javax.security.jacc.WebRoleRefPermission "test.TestServlet", "javaee";
            permission javax.security.jacc.WebRoleRefPermission "jsp", "javaee";
        };

        When it fails, the generated policy is as follows:
        grant {
            permission javax.security.jacc.WebResourcePermission "/:/mytest";
            permission javax.security.jacc.WebUserDataPermission "/mytest";
            permission javax.security.jacc.WebUserDataPermission "/:/mytest";
        };

        grant principal org.glassfish.security.common.PrincipalImpl "javaee" {
            permission javax.security.jacc.WebResourcePermission "/mytest";
            permission javax.security.jacc.WebRoleRefPermission "", "javaee";
            permission javax.security.jacc.WebRoleRefPermission "default", "javaee";
            permission javax.security.jacc.WebRoleRefPermission "test.TestServlet", "javaee";
            permission javax.security.jacc.WebRoleRefPermission "jsp", "javaee";
        };

        Notice that in the case of failure, the block for "aprincipal" is missing.
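
        A deployment check for the regression described in the comment above, as an added example that is not part of the original issue or of GlassFish: it parses two generated JACC policy files and reports grants that a known-good baseline has and the current policy lacks. The function names are hypothetical; the sample policies are the ones quoted in the comment, split into the grants both runs share and the "aprincipal" grant that only the passing run has.

```python
import re

GRANT_RE = re.compile(
    r'grant\s*(?:principal\s+(\S+)\s+"([^"]*)"\s*)?\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+(\S+)\s+("[^"]*"(?:\s*,\s*"[^"]*")*)\s*;')

def parse_policy(text):
    """Map principal name (None for the unconditional grant) to its permissions."""
    grants = {}
    for m in GRANT_RE.finditer(text):
        perms = grants.setdefault(m.group(2), set())
        for perm_class, args in PERM_RE.findall(m.group(3)):
            perms.add((perm_class, tuple(re.findall(r'"([^"]*)"', args))))
    return grants

def missing_grants(baseline, current):
    """Permissions the baseline grants per principal that the current policy lacks."""
    lost = {p: perms - current.get(p, set()) for p, perms in baseline.items()}
    return {p: perms for p, perms in lost.items() if perms}

# Policies quoted in the comment: both share SHARED; only the passing run has RUN_AS.
SHARED = '''
grant { permission javax.security.jacc.WebResourcePermission "/:/mytest";
  permission javax.security.jacc.WebUserDataPermission "/mytest";
  permission javax.security.jacc.WebUserDataPermission "/:/mytest"; };
grant principal org.glassfish.security.common.PrincipalImpl "javaee" {
  permission javax.security.jacc.WebResourcePermission "/mytest";
  permission javax.security.jacc.WebRoleRefPermission "", "javaee";
  permission javax.security.jacc.WebRoleRefPermission "default", "javaee";
  permission javax.security.jacc.WebRoleRefPermission "test.TestServlet", "javaee";
  permission javax.security.jacc.WebRoleRefPermission "jsp", "javaee"; };
'''
RUN_AS = '''
grant principal org.glassfish.security.common.PrincipalImpl "aprincipal" {
  permission javax.security.jacc.WebRoleRefPermission "", "arole";
  permission javax.security.jacc.WebRoleRefPermission "jsp", "arole";
  permission javax.security.jacc.WebRoleRefPermission "test.TestServlet", "arole";
  permission javax.security.jacc.WebRoleRefPermission "default", "arole"; };
'''
PASSING, FAILING = SHARED + RUN_AS, SHARED

if __name__ == "__main__":
    for principal, perms in missing_grants(parse_policy(PASSING), parse_policy(FAILING)).items():
        print(f'grant for "{principal}" lost {len(perms)} permission(s):')
        for perm_class, args in sorted(perms):
            print("   ", perm_class, args)
```

        Run against the policy generated after each deployment, a non-empty result is a reason to fail the build rather than rely on the servlet test returning 500.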

        Nithya Ramakrishnan added a comment -

        It appears that during the cases in which the test fails, EjbBundleValidator.computeRunAsPrincipalDefault is never invoked. This seems to be because the WebComponentDescriptor.runAs is null instead of being assigned the value from the weblogic.xml. Since the runAs is not set to the valid value, it causes the policies to be incorrectly generated in the security code.

        Attaching the screenshots of the successful case - where the WebComponentDescriptor.runAs has a valid value and the failure case, where runAs always has a null value.

        Assigned back to Shing Wai for appropriate re-assignment.

        Nithya Ramakrishnan added a comment -

        Screenshots of successful and failure cases - Debugger results

        Shing Wai Chan added a comment -

        I have fixed a typo in the test case.
        I still see random behavior by just running that particular test.

        The WebComponentDescriptor.runAs object is null. This means that @RunAs is not processed in this case.

        Shing Wai Chan added a comment -

        How bad is its impact? (Severity)
        High as related to security

        How often does it happen? (Frequency)
        Random.

        How much effort is required to fix it? (Cost)
        low

        What is the risk of fixing it? (Risk)
        low

        Does a work around for the issue exist? Can the workaround be reasonably employed by the end user?
        no

        If the issue is not fixed should the issue and its workaround (if applicable) be described in the Release Notes?
        yes

        Shing Wai Chan added a comment -

        Sending src/main/java/com/sun/enterprise/deployment/annotation/handlers/RunAsHandler.java
        Transmitting file data .
        Committed revision 44583.


          People

          • Assignee: Shing Wai Chan
          • Reporter: Amy Roh