GLASSFISH-17198

ArrayIndexOutOfBoundsException in RealmAdapter

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.1
    • Fix Version/s: 3.1.2_b02
    • Component/s: security
    • Labels: None
    • Environment: Linux 2.6.35, GlassFish 3.1.1, Apache 2.2.16

      Description

      We have an app that we've been running under GlassFish 3.0.1, and we
      want to run it under 3.1.1. We've been running GlassFish fronted by
      Apache, which handles SSL, and everything works OK. For 3.1.1, we used
      these commands in place of the "old way" of putting the Tomcat jars in
      GlassFish's lib/ directory:

      asadmin create-http-listener --listenerport 8009 --listeneraddress 0.0.0.0 --defaultvs server jk-listener
      asadmin set server-config.network-config.network-listeners.network-listener.jk-listener.jk-enabled=true

      We are not yet using clustering/load balancing, so we are using the
      default "server-config" configuration. Apache correctly forwards most
      pages to GlassFish, except those that are protected.

      In web.xml, we have this:

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>phoenix_auth</web-resource-name>
      <description>Phoenix security</description>
      <!-- the pages which will be protected: -->
      <url-pattern>/customers/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      This all worked fine under 3.0.1, but under 3.1.1, when I hit a page under /customers/, I get this:

      [#|2011-08-16T16:38:07.075-0500|INFO|glassfish3.1.1|javax.enterprise.system.core.security|_ThreadID=22;_ThreadName=Thread-2;|JACC Policy Provider:Failed Permission Check: context (" phoenix-jee6/phoenix-jee6-war-bo_war ") , permission (" (javax.security.jacc.WebUserDataPermission /customers/checkout.html GET) ") |#]

      [#|2011-08-16T16:38:07.076-0500|SEVERE|glassfish3.1.1|org.apache.catalina.connector.CoyoteAdapter|_ThreadID=22;_ThreadName=Thread-2;|PWC3989: An exception or error occurred in the container during the request processing
      java.lang.ArrayIndexOutOfBoundsException: 1
      at com.sun.web.security.RealmAdapter.getHostAndPort(RealmAdapter.java:971)
      at com.sun.web.security.RealmAdapter.redirect(RealmAdapter.java:1090)
      at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:941)
      at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:865)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:511)

      After posting to the GlassFish users mailing list, Kumar Jayanti asked me to file it as a regression.

        Activity

        Nithya Ramakrishnan added a comment (edited)

        Hi,

        Could you please list all the steps that you performed, including the conf file information (like glassfish-jk.properties or workers.properties, httpd.conf, jk.conf etc.); this will help us to analyze the issue better.

        Thanks
        Nithya

        slominskir added a comment

        The problem appears to be that the automatic redirect from http to https is now broken in 3.1.1.

        One workaround might be to configure Apache with mod_rewrite to redirect requests for secured resources to use the https scheme (and secured port if different). This way GlassFish will never see requests for secured resources over an unsecured path (in other words move this automatic redirect to Apache).

        This isn't a problem in GlassFish 3.1 so I might just stick with that.

        gholmer added a comment (edited)
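As an added illustration of the workaround slominskir describes (not configuration from this issue or from the GlassFish project), an Apache 2.2 mod_rewrite fragment that bounces plain-http requests for the protected pages to https before mod_jk forwards them; it assumes mod_rewrite and mod_ssl are loaded, and that the application sits under the /shop prefix that gholmer's JkMount lines use, so the protected pages are assumed to be at /shop/customers/:

```apache
# Added example, not from the issue: perform the http -> https redirect in
# Apache so GlassFish never sees a request for a CONFIDENTIAL resource over
# the plain listener (and never reaches RealmAdapter.redirect for it).
# Assumed: mod_rewrite + mod_ssl loaded; app reachable under /shop via mod_jk.
RewriteEngine On

# Apply only to requests that did not arrive over TLS; on the https
# listener %{HTTPS} is "on" and the rule is skipped, so no loop.
RewriteCond %{HTTPS} off

# Protected pages live under /customers/ inside the app context (assumed
# to be /shop here). Redirect to the same host and path over https.
# %{HTTP_HOST} carries an explicit port if the client used one; if the
# plain listener runs on a non-standard port, substitute the TLS host:port.
RewriteRule ^/shop/customers/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# The JkMount for the context stays as it is; rewriting happens first.
JkMount /shop/* ajp13
```

mod_jk forwards the request's SSL state to the container over AJP, so on the https side GlassFish's own CONFIDENTIAL check is satisfied and it has no reason to redirect; if the container still classified the request as insecure, it would attempt its own redirect and hit the same exception.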

        I should have noted that when a link to a URL in /customers/ is clicked, the
        URL says "http://" and not "https://".

        1) We name our domains after the machine, so in the case of my workstation,
        I used these commands:

        asadmin delete-domain domain1
        asadmin create-domain --savemasterpassword shadow

        2) The jk-connector was created like this:

        asadmin create-http-listener --listenerport 8009 --listeneraddress 0.0.0.0 --defaultvs server jk-listener
        asadmin set server-config.network-config.network-listeners.network-listener.jk-listener.jk-enabled=true

        3) In /etc/apache2/conf.d/jk.conf (include file), we have this:

        <IfModule mod_jk.c>
        JkWorkersFile /usr/share/glassfish-3.1.1/glassfish/domains/shadow/config/workers.properties
        JkLogFile /var/log/apache2/mod_jk.log
        JkLogLevel debug
        JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
        JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
        JkRequestLogFormat "%w %V %T"
        JkMountCopy all
        </IfModule>

        JkMount /shop/* ajp13
        JkMount /csi/* ajp13

        <Location "/shop/WEB-INF/">
        deny from all
        </Location>
        <Location "/csi/WEB-INF/">
        deny from all
        </Location>

        4) workers.properties looks like this:

        worker.list=ajp13
        worker.ajp13.type=ajp13
        worker.ajp13.host=localhost
        worker.ajp13.port=8009
        connection_pool_size=10
        connection_pool_timeout=600
        worker.ajp13.socket_keepalive=False
        worker.ajp13.socket_timeout=30

        Nithya Ramakrishnan added a comment

        Fixed in the 3.1.2 branch.

        Committed revision 49107.


          People

          • Assignee: kumarjayanti
          • Reporter: gholmer
          • Votes: 2
          • Watchers: 4