This blog introduces how to diagnose Agile PLM related issues.

  • July 5, 2013

Agile 9.3.2 URL PX error javax.security.auth.login.LoginException in Tomcat 6/7

Jie Chen
Senior Principal Technical Support Engineer

We have published a Knowledge Document (Note 1549998.1) describing a strange issue: even with correct usage of cookie authentication, a URL PX deployed in Tomcat 6/7 against Agile PLM 9.3.2.0 MAY continuously show the error below.

Error code : 60062
Error message : Invalid username or password
Root Cause exception : javax.security.auth.login.LoginException: java.lang.SecurityException: User: cee71a234165ffc3:-5926181d:13fa9e51af6:-7ffd::e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx, failed to be authenticated.
at com.agile.api.common.WebLogicAuthenticator.login(WebLogicAuthenticator.java:78)
at com.agile.api.pc.Session.authenticate(Session.java:1123)
at com.agile.api.pc.Session.<init>(Session.java:216)
...
at com.agile.api.AgileSessionFactory.createSession(AgileSessionFactory.java:927)
at org.apache.jsp.login_jsp._jspService(login_jsp.java:91)
...
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
...
at java.lang.Thread.run(Thread.java:619)

The Note explains that the problem was originally introduced by the parameter agile.sso.checkOneTimePXToken, which is used to increase the security of Agile authentication from outside Agile. "checkOneTimePXToken" makes Agile use a different encoding method to encrypt the cookie token, and that method may append a "=" symbol in the encrypted j_password cookie value. By default, however, Tomcat 6/7 will ignore the "=" symbol and treat it as a second cookie.

Below we discuss how we identified the problem. The focus is on how we think and analyze, not on what the solution is.

First, let us write a JSP page like the one below to create an Agile session in a URL PX deployed in Tomcat 6 or 7.

Now we log in to Agile WebClient and use Wireshark to capture the TCP data, narrowing down to the cookie section. Because the cookie string is very long, Wireshark may truncate it. We can copy the value into Notepad to get the whole cookie array, shown below.

JSESSIONID=A9812A7FF1BDC8C65B26456AEDE35729
invalidate_session=false
j_username=e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx
j_password=JSUle0FFUzoxMjh9ODgzQjI0RDM1Qjc0QzA5M0NDQUU0NUZFNjJBODU5QkYzNjFCMDMxQjQ2RjQwM0ZDRDVENTJBODMyNDIwOTBDRTgwQkRDQkREMDhEQkNGRkY4RDRDQzE4QjNCNDRFNzZBMTJGN0M2REQ1QzM3NTI1NEE0OUFGNDRFMTZBODRGODQ0ODQxOUZERTkzMzE3MjFGMEUwQUYzQjM2MTJGNTU1QzJCMTE=JSUl

We notice there is a "=" in the tail of the "j_password" cookie.

Then we trigger the URL PX and check the JSP page, where we see the output below.

j_username=e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx 
j_password=JSUle0FFUzoxMjh9ODgzQjI0RDM1Qjc0QzA5M0NDQUU0NUZFNjJBODU5QkYzNjFCMDMxQjQ2RjQwM0ZDRDVENTJBODMyNDIwOTBDRTgwQkRDQkREMDhEQkNGRkY4RDRDQzE4QjNCNDRFNzZBMTJGN0M2REQ1QzM3NTI1NEE0OUFGNDRFMTZBODRGODQ0ODQxOUZERTkzMzE3MjFGMEUwQUYzQjM2MTJGNTU1QzJCMTE
Invalid username or password

Clearly, "=JSUl" is lost from the javax.servlet.http.Cookie value. Tomcat ignores it intentionally. We can add the parameter below to TOMCAT/conf/catalina.conf to avoid this. It is described at http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true

The above link lists another two parameters, reminding us that some special characters could also be ignored if they are not enabled; these could be / , < and > .

org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR
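
The truncation seen above can be confirmed from inside the URL PX by comparing the raw Cookie header with the values the container parsed. The following is an added example, not code from the original post or from Oracle; the class name CookieTruncationCheck is hypothetical, and it uses only the standard Servlet API.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/** Added diagnostic (hypothetical class name): finds cookies whose value the container cut at '='. */
public final class CookieTruncationCheck {

    /** Splits the raw Cookie header on ';' and on the FIRST '=' only, so a '=' inside a value survives. */
    static Map<String, String> parseRawHeader(String header) {
        Map<String, String> raw = new LinkedHashMap<String, String>();
        if (header == null) {
            return raw;
        }
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');
            if (eq > 0) {
                raw.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
            }
        }
        return raw;
    }

    /** Returns cookie name -> "rawLength/parsedLength" for every cookie that was cut short. */
    public static Map<String, String> findTruncated(HttpServletRequest request) {
        // getHeader returns the first Cookie header, which is where browsers put all cookies.
        Map<String, String> raw = parseRawHeader(request.getHeader("Cookie"));
        Map<String, String> truncated = new LinkedHashMap<String, String>();
        Cookie[] parsed = request.getCookies();
        if (parsed == null) {
            return truncated;
        }
        for (Cookie c : parsed) {
            String sent = raw.get(c.getName());
            String seen = c.getValue();
            // Signature from the article: the parsed value is a strict prefix of the
            // raw value, and the raw value continues with '=' at the cut point.
            if (sent != null && seen != null && sent.length() > seen.length()
                    && sent.startsWith(seen) && sent.charAt(seen.length()) == '=') {
                // Report lengths only: j_password is a credential token and must not be logged.
                truncated.put(c.getName(), sent.length() + "/" + seen.length());
            }
        }
        return truncated;
    }
}
```

Calling CookieTruncationCheck.findTruncated(request) in the JSP before createSession should return an entry for j_password on an affected Tomcat and an empty map once ALLOW_EQUALS_IN_VALUE is set.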


Comments ( 16 )
  • guest Friday, September 27, 2013

    I continuously receive another error when deployed WebPX to Tomcat 6. The PX will run fine for a while and then throw this error and

    java.lang.NoClassDefFoundError: weblogic/rjvm/PeerGoneEvent

    at weblogic.rjvm.RJVMImpl.peerGone(RJVMImpl.java:1350)

    at weblogic.rjvm.RJVMImpl.gotExceptionSending(RJVMImpl.java:940)

    at weblogic.rjvm.ConnectionManager.gotExceptionSending(ConnectionManager.java:1106)

    .....

    Have you ever come across this error and what could possibly cause this error?

    Thanks for sharing any information.

    Alex


  • Jie Chen Sunday, September 29, 2013

    1. Is your WebLogic a cluster?

    2. What is the URL your webpx is connecting to? Is it a managed server or the proxy server?

    3. What is the content in your jndiurl.properties file?

    4. Do you see any error in your WebLogic server log at that time?


  • guest Monday, September 30, 2013

    Hi jie,

    Thanks for the reply! Below are the answers to your questions:

    1) No, the WebLogic server is a standalone server.

    2) The URL that I used is the direct URL of the Agile Application Server (http://hostname.domain.com:7001/Agile), not the proxy.

    3) server1=t3://hostname.domain.com:7001

    4) I could not find any entries in stdout.log / stderr.log that were related.

    Regards,

    Alex


  • guest Tuesday, October 22, 2013

    Hi Jie Chen,

    Great article as the others! Is there a way to do the login the other way around? I have an application that creates a session in Agile with the Agile API, with some links to the Agile Application. Is there a way to automatically create a login in Agile PLM with my IAgileSession?

    I have WebLogic 12c and Agile 9.3.2

    Thanks in advance

    Best Regards


  • Jie Chen Monday, October 28, 2013

    Hello Alex,

    I would suggest you create a Service Request with Oracle Agile Support.

    Jie


  • Jie Chen Monday, October 28, 2013

    Hello An Lagamma

    Please read the Knowledge document in My Oracle Support site.

    --

    How To Support Single-Sign-On In Api Sessions for Web Services (Doc ID 1339957.1)

    --

    Jie


  • Daniel Friday, March 13, 2015

    I made a URL-Based Process Extension and assigned with a Report.

    When I use Chrome or Firefox I can see the j_username and j_password cookies. When I use IE (any version) I can't see them, so I cannot log in.

    Is there a patch? I already tried changing the browser settings: set low security, accept all third-party cookies, and nothing.

    What can it be?

    Daniel

    * Sorry for the English.


  • Daniel Friday, March 13, 2015

    I am developing a report based on URL PX. When I use Chrome or Firefox I can see the cookies (j_password and j_username). When I use IE (any version) the cookies are not being created.

    I have changed the browser settings and nothing. What can it be?


  • guest Tuesday, March 17, 2015

    hello Daniel

    Please check if your IE browser disables cookies. FYI

    http://windows.microsoft.com/en-us/windows-vista/block-or-allow-cookies

    If you disable IE cookies per your company policy, then you can use PX_REQUEST instead of the PX_USERNAME cookie to create the session. For example, see below.

    private IAgileSession connect(HttpServletRequest request) throws ServletException
    {
        // Hand the servlet request itself to the SDK instead of the PX_USERNAME cookie value
        HashMap params = new HashMap();
        params.put(AgileSessionFactory.PX_REQUEST, request);
        // factory and session are assumed to be fields of the enclosing class
        session = factory.createSession(params);
        return session;
    }

    Thanks

    Jie Chen


  • Daniel Tuesday, March 17, 2015

    Hi Jie,

    I tried both solutions. When I enable the development tool of IE it pops an exception in javascript specifically in PCFormsLib.js file in the section:

    AGILE.grid.HandleDeleteObjectAudtiException = function (reqParams) {

       postHandleDeleteObjectAudtiException (reqParams);

    };

    The error is "AGILE is undefined".

    Do you know what it can be?


  • Jie Chen Monday, March 23, 2015

    No, I have not heard of this error. It appears to be a very scenario-specific issue. Can you log a service request on the My Oracle Support website?

    Jie


  • Anand Tuesday, October 27, 2015

    Hi Jie,

    I am trying to get a session using PX_REQUEST, but I am getting an invalid username/password error. So is this article only for creating a session with cookies, or is it applicable to PX_REQUEST too?

    Thanks,

    Anand


  • MengYuan Sun Monday, March 28, 2016

    Great article!

    I want to pop up a window when a user enters a too long description when he/she creates a new item, but I don't know how to solve this problem.

    Very grateful for your help!


  • Jie Chen Monday, March 28, 2016

    Hello Mengyuan,

    PX executes at the Agile Application Server level; it is impossible to pop up a window from server to client.

    The workaround is to simply display a one-line text message on WebClient based on the Update Table event.

    Thanks

    Jie

