Agile 9.3.2 URL PX error javax.security.auth.login.LoginException in Tomcat 6/7

We have published a Knowledge Document (Note 1549998.1) describing a strange issue: even with correct usage of cookie authentication, a URL PX deployed in Tomcat 6/7 against Agile PLM 9.3.2.0 MAY continuously hit the error below.

Error code : 60062
Error message : Invalid username or password
Root Cause exception : javax.security.auth.login.LoginException: java.lang.SecurityException: User: cee71a234165ffc3:-5926181d:13fa9e51af6:-7ffd::e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx, failed to be authenticated.
        at com.agile.api.common.WebLogicAuthenticator.login(WebLogicAuthenticator.java:78)
        at com.agile.api.pc.Session.authenticate(Session.java:1123)
        at com.agile.api.pc.Session.<init>(Session.java:216)
        ...
        at com.agile.api.AgileSessionFactory.createSession(AgileSessionFactory.java:927)
        at org.apache.jsp.login_jsp._jspService(login_jsp.java:91)
        ...
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        ...
        at java.lang.Thread.run(Thread.java:619)

The Note explains that the issue was originally introduced by the parameter agile.sso.checkOneTimePXToken, which is used to increase the security of Agile authentication from outside. "checkOneTimePXToken" makes Agile use a different encoding method to encrypt the cookie token, and it may append a "=" symbol in the encrypted j_password cookie value. However, by default, Tomcat 6/7 will ignore the "=" symbol and treat it as a second cookie.

Below we discuss how we identified the problem. The focus is on how we think and analyze, not on what the solution is.

First, let us write a JSP page like the one below to create an Agile session in a URL PX deployed in Tomcat 6 or 7.

Now we log in to Agile WebClient and use Wireshark to capture the TCP data, narrowing to the cookie section. As the cookie string is too long, Wireshark may truncate it. We can copy the value into Notepad and get the whole cookie array, like below.

JSESSIONID=A9812A7FF1BDC8C65B26456AEDE35729
invalidate_session=false
j_username=e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx
j_password=JSUle0FFUzoxMjh9ODgzQjI0RDM1Qjc0QzA5M0NDQUU0NUZFNjJBODU5QkYzNjFCMDMxQjQ2RjQwM0ZDRDVENTJBODMyNDIwOTBDRTgwQkRDQkREMDhEQkNGRkY4RDRDQzE4QjNCNDRFNzZBMTJGN0M2REQ1QzM3NTI1NEE0OUFGNDRFMTZBODRGODQ0ODQxOUZERTkzMzE3MjFGMEUwQUYzQjM2MTJGNTU1QzJCMTE=JSUl

We notice there is a "=" in the tail of the cookie "j_password".

Then we trigger the URL PX and check the JSP page; we see the output below.

j_username=e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx 
j_password=JSUle0FFUzoxMjh9ODgzQjI0RDM1Qjc0QzA5M0NDQUU0NUZFNjJBODU5QkYzNjFCMDMxQjQ2RjQwM0ZDRDVENTJBODMyNDIwOTBDRTgwQkRDQkREMDhEQkNGRkY4RDRDQzE4QjNCNDRFNzZBMTJGN0M2REQ1QzM3NTI1NEE0OUFGNDRFMTZBODRGODQ0ODQxOUZERTkzMzE3MjFGMEUwQUYzQjM2MTJGNTU1QzJCMTE 
Invalid username or password 

Clearly, "=JSUl" is lost from the javax.servlet.http.Cookie value. Tomcat ignores these characters intentionally. We can add the parameter below to TOMCAT/conf/catalina.conf to avoid this. It is described at http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true

The link above lists another two parameters, which remind us that some other special characters could also be ignored if they are not enabled; these could be / , < and > .

org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR
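
An added diagnostic example, not code from the original post or from Oracle: it compares the raw Cookie header with the values the container parsed and flags any value that was cut short, which covers "=" as well as the other separator characters mentioned above. The class and method names are hypothetical, and the sample cookie values are constructed.

```java
import java.util.*;

public class CookieTruncationCheck {

    // Split the raw Cookie header on ';' and on the FIRST '=' only,
    // so a '=' inside a value is preserved.
    static Map<String, String> parseRawHeader(String header) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        if (header == null) return out;
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            out.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
        }
        return out;
    }

    // Compare raw values with what the container handed to the application.
    // Findings carry lengths and the first lost character only, never the
    // token itself, because these cookies are credentials.
    static List<String> findTruncated(String rawHeader, Map<String, String> parsed) {
        List<String> findings = new ArrayList<String>();
        for (Map.Entry<String, String> e : parseRawHeader(rawHeader).entrySet()) {
            String raw = e.getValue();
            String seen = parsed.get(e.getKey());
            if (seen == null) {
                findings.add(e.getKey() + ": absent after container parsing");
            } else if (raw.startsWith(seen) && raw.length() > seen.length()) {
                findings.add(e.getKey() + ": " + (raw.length() - seen.length())
                        + " chars lost, cut at '" + raw.charAt(seen.length()) + "'");
            } else if (!raw.equals(seen)) {
                findings.add(e.getKey() + ": value differs from raw header");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample, shaped like the capture above (not real tokens).
        // In a JSP: rawHeader = request.getHeader("Cookie"); parsed is filled
        // from request.getCookies() via getName()/getValue().
        String rawHeader = "JSESSIONID=ABC123; j_username=dXNlcg; j_password=JSUlc2FtcGxl=JSUl";
        Map<String, String> parsed = new HashMap<String, String>();
        parsed.put("JSESSIONID", "ABC123");
        parsed.put("j_username", "dXNlcg");
        parsed.put("j_password", "JSUlc2FtcGxl"); // tail "=JSUl" dropped
        for (String f : findTruncated(rawHeader, parsed)) System.out.println(f);
    }
}
```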


Comments:

I continuously receive another error when deploying WebPX to Tomcat 6. The PX will run fine for a while and then throw this error and

java.lang.NoClassDefFoundError: weblogic/rjvm/PeerGoneEvent
at weblogic.rjvm.RJVMImpl.peerGone(RJVMImpl.java:1350)
at weblogic.rjvm.RJVMImpl.gotExceptionSending(RJVMImpl.java:940)
at weblogic.rjvm.ConnectionManager.gotExceptionSending(ConnectionManager.java:1106)
.....

Have you ever come across this error, and what could possibly cause it?

Thanks for sharing any information.

Alex

Posted by guest on September 28, 2013 at 05:28 AM CST #

1. Is your WebLogic a cluster?
2. What is the URL your WebPX is connecting to? Is it a managed server or the proxy server?
3. What is the content of your jndiurl.properties file?
4. Do you see any error in your WebLogic server log at that time?

Posted by Jie Chen on September 29, 2013 at 10:36 AM CST #

Hi Jie,

Thanks for the reply! Below are the answers to your questions:

1) No, the WebLogic server is a standalone server.
2) The URL that I used is the direct URL of the Agile Application Server (http://hostname.domain.com:7001/Agile), not the proxy.
3) server1=t3://hostname.domain.com:7001
4) I could not find any entries in stdout.log / stderr.log that were related.

Regards,

Alex

Posted by guest on October 01, 2013 at 12:38 AM CST #

Hi Jie Chen,
Great article, like the others! Is there a way to do the login the other way around? I have an application that creates a session in Agile with the Agile API, with some links to the Agile Application. Is there a way to automatically create a login in Agile PLM with my IAgileSession?
I have WebLogic 12c and Agile 9.3.2.

Thanks in advance
Best Regards

Posted by guest on October 22, 2013 at 04:57 PM CST #

Hello Alex,
I would suggest you create a Service Request with Oracle Agile Support.

Jie

Posted by Jie Chen on October 28, 2013 at 09:31 AM CST #

Hello An Lagamma
Please read the Knowledge document in My Oracle Support site.
--
How To Support Single-Sign-On In Api Sessions for Web Services (Doc ID 1339957.1)
--

Jie

Posted by Jie Chen on October 28, 2013 at 09:34 AM CST #

About


Jie Chen is an L3 member of Oracle Agile Support.
This blog focuses on the Maintenance, Diagnosis and Tuning related technical skills.
The technology covers Java/JavaEE, Weblogic, Security, Clustering, and Database of course.
