Agile 9.3.2 URL PX error javax.security.auth.login.LoginException in Tomcat 6/7

We have a published Knowledge Document (Note 1549998.1) describing a strange issue: even with correct usage of cookie authentication in a URL PX deployed in Tomcat 6/7 against Agile PLM 9.3.2.0, we MAY continuously see the error below.

Error code : 60062
Error message : Invalid username or password
Root Cause exception : javax.security.auth.login.LoginException: java.lang.SecurityException: User: cee71a234165ffc3:-5926181d:13fa9e51af6:-7ffd::e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx, failed to be authenticated.
        at com.agile.api.common.WebLogicAuthenticator.login(WebLogicAuthenticator.java:78)
        at com.agile.api.pc.Session.authenticate(Session.java:1123)
        at com.agile.api.pc.Session.<init>(Session.java:216)
        ...
        at com.agile.api.AgileSessionFactory.createSession(AgileSessionFactory.java:927)
        at org.apache.jsp.login_jsp._jspService(login_jsp.java:91)
        ...
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        ...
        at java.lang.Thread.run(Thread.java:619)

The Note explains that the issue was originally introduced by the parameter agile.sso.checkOneTimePXToken, which is used to increase the security of Agile authentication from external sources. "checkOneTimePXToken" makes Agile use a different encoding method to encrypt the cookie token, and it may append a "=" symbol in the encrypted j_password cookie value. However, by default Tomcat 6/7 will ignore the "=" symbol and treat it as a second cookie.

Below we will discuss how we identify the problem. We focus on how we think/analyze, not what the solution is.

First, let us write a JSP page like the one below to create an Agile session in a URL PX deployed in Tomcat 6 or 7.

Now we log in to Agile WebClient and use Wireshark to capture the TCP data, narrowing to the cookie section. As the cookie string is too long, Wireshark may truncate it. We can copy the value into Notepad and get the whole cookie array, like below.

JSESSIONID=A9812A7FF1BDC8C65B26456AEDE35729
invalidate_session=false
j_username=e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx
j_password=JSUle0FFUzoxMjh9ODgzQjI0RDM1Qjc0QzA5M0NDQUU0NUZFNjJBODU5QkYzNjFCMDMxQjQ2RjQwM0ZDRDVENTJBODMyNDIwOTBDRTgwQkRDQkREMDhEQkNGRkY4RDRDQzE4QjNCNDRFNzZBMTJGN0M2REQ1QzM3NTI1NEE0OUFGNDRFMTZBODRGODQ0ODQxOUZERTkzMzE3MjFGMEUwQUYzQjM2MTJGNTU1QzJCMTE=JSUl

We notice there is a "=" in the tail of the cookie "j_password".

Then we trigger the URL PX and check the JSP page, where we see the output below.

j_username=e0FFUzoxMjh9REU3NDAyNjI4RENCOTYxMTExRkNCMDUwQzIwNjkxNzFCMkEx 
j_password=JSUle0FFUzoxMjh9ODgzQjI0RDM1Qjc0QzA5M0NDQUU0NUZFNjJBODU5QkYzNjFCMDMxQjQ2RjQwM0ZDRDVENTJBODMyNDIwOTBDRTgwQkRDQkREMDhEQkNGRkY4RDRDQzE4QjNCNDRFNzZBMTJGN0M2REQ1QzM3NTI1NEE0OUFGNDRFMTZBODRGODQ0ODQxOUZERTkzMzE3MjFGMEUwQUYzQjM2MTJGNTU1QzJCMTE 
Invalid username or password 

Clearly, "=JSUl" is lost from the javax.servlet.http.Cookie value. Tomcat ignores it intentionally. We can add the parameter below to TOMCAT/conf/catalina.conf to avoid this. It is described at http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true

The link above lists two more parameters, which remind us that some other special characters could also be ignored if they are not enabled; these could be / , < and > .

org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR
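
The truncation described above can be reproduced with a small model of the parsing, given here as an added example that is neither the original JSP nor Tomcat's own parser. The class name, the helper names and the shortened sample header are all constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example: a simplified model of the truncation, not Tomcat's parser.
public class CookieEqualsCheck {

    // Parse a raw Cookie header. With allowEquals=false the value stops at
    // the first '=' (the default behaviour observed above); with true the
    // whole value is kept, as with ALLOW_EQUALS_IN_VALUE=true.
    static Map<String, String> parse(String header, boolean allowEquals) {
        Map<String, String> cookies = new LinkedHashMap<String, String>();
        for (String pair : header.split(";")) {
            String p = pair.trim();
            int eq = p.indexOf('=');
            if (eq <= 0) {
                continue; // not a name=value pair
            }
            String value = p.substring(eq + 1);
            int cut = value.indexOf('=');
            if (!allowEquals && cut >= 0) {
                value = value.substring(0, cut); // "=..." tail is dropped
            }
            cookies.put(p.substring(0, eq), value);
        }
        return cookies;
    }

    // Names of cookies whose value is shortened when '=' is not allowed.
    static List<String> truncated(String header) {
        Map<String, String> strict = parse(header, false);
        List<String> names = new ArrayList<String>();
        for (Map.Entry<String, String> e : parse(header, true).entrySet()) {
            if (!e.getValue().equals(strict.get(e.getKey()))) {
                names.add(e.getKey());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample header (shortened values, not the captured token).
        String header = "JSESSIONID=ABC123; j_username=dXNlcg; j_password=JSUlc2VjcmV0=JSUl";
        System.out.println("default : " + parse(header, false).get("j_password"));
        System.out.println("allowed : " + parse(header, true).get("j_password"));
        System.out.println("affected: " + truncated(header));
    }
}
```

In a JSP, the raw header for the same comparison is available from request.getHeader("Cookie"), which can be checked against the values returned by request.getCookies().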


Comments:

I continuously receive another error when WebPX is deployed to Tomcat 6. The PX will run fine for a while and then throw this error and

java.lang.NoClassDefFoundError: weblogic/rjvm/PeerGoneEvent
at weblogic.rjvm.RJVMImpl.peerGone(RJVMImpl.java:1350)
at weblogic.rjvm.RJVMImpl.gotExceptionSending(RJVMImpl.java:940)
at weblogic.rjvm.ConnectionManager.gotExceptionSending(ConnectionManager.java:1106)
.....

Have you ever come across this error and what could possibly cause this error?

Thanks for sharing any information.

Alex

Posted by guest on September 28, 2013 at 05:28 AM CST #

1. Is your WebLogic a cluster?
2. What is the URL your webpx is connecting to? Is it a managed server or the proxy server?
3. What is the content in your jndiurl.properties file?
4. Do you see any error in your weblogic server log in that time?

Posted by Jie Chen on September 29, 2013 at 10:36 AM CST #

Hi Jie,

Thanks for the reply! Below are the answers to your questions:

1) No, the WebLogic server is a standalone server.
2) The URL that I used is the direct URL of the Agile Application Server (http://hostname.domain.com:7001/Agile), not the proxy.
3) server1=t3://hostname.domain.com:7001
4) I could not find any entries in stdout.log / stderr.log that were related.

Regards,

Alex

Posted by guest on October 01, 2013 at 12:38 AM CST #

Hi Jie Chen,
Great article, like the others! Is there a way to do the login the other way around? I have an application that creates a session in Agile with the Agile API, with some links to the Agile application. Is there a way to automatically create a login in Agile PLM with my IAgileSession?
I have WebLogic 12c and Agile 9.3.2

Thanks in advance
Best Regards

Posted by guest on October 22, 2013 at 04:57 PM CST #

Hello Alex,
I would suggest you create a Service Request with Oracle Agile Support.

Jie

Posted by Jie Chen on October 28, 2013 at 09:31 AM CST #

Hello An Lagamma
Please read the Knowledge document in My Oracle Support site.
--
How To Support Single-Sign-On In Api Sessions for Web Services (Doc ID 1339957.1)
--

Jie

Posted by Jie Chen on October 28, 2013 at 09:34 AM CST #

I made a URL-Based Process Extension and assigned it to a Report.

When I use Chrome or Firefox I can see the j_username and j_password cookies. When I use IE (any version) I can't see them, so I cannot log in.

Is there a patch? I already tried changing the browser settings: low security, accept all third-party cookies, and nothing.

What can it be?

Daniel

* Sorry for the English.

Posted by Daniel on March 13, 2015 at 08:58 PM CST #

I am developing a report based on URL PX. When I use Chrome or Firefox I can see the cookies (j_password and j_username). When I use IE (any version) the cookies are not being created.

I have changed the browser settings and nothing. What can it be?

Posted by Daniel on March 13, 2015 at 09:01 PM CST #

Hello Daniel,
Please check whether your IE browser disables cookies. FYI
http://windows.microsoft.com/en-us/windows-vista/block-or-allow-cookies

If you disable IE cookies per your company policy, then you can use PX_REQUEST instead of the PX_USERNAME cookie to create the session. For example, see below.

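// Create the Agile session from the servlet request (PX_REQUEST) instead of
// the j_username / j_password cookies.
// "session" and "factory" are fields of the enclosing class.
private IAgileSession connect(HttpServletRequest request) throws ServletException
{
    HashMap params = new HashMap();
    params.put(AgileSessionFactory.PX_REQUEST, request);
    session = factory.createSession(params);
    return session;
}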

Thanks
Jie Chen

Posted by guest on March 17, 2015 at 01:58 PM CST #

Hi Jie,

I tried both solutions. When I enable the development tools of IE, it pops up an exception in JavaScript, specifically in the PCFormsLib.js file, in the section:

AGILE.grid.HandleDeleteObjectAudtiException = function (reqParams) {
   postHandleDeleteObjectAudtiException (reqParams);
};

The error is "AGILE is undefined".

Do you know what it can be?

Posted by Daniel on March 17, 2015 at 08:00 PM CST #

No, I have not heard of this error. It appears to be a very scenario-specific issue. Can you log a service request on the My Oracle Support website?

Jie

Posted by Jie Chen on March 23, 2015 at 02:16 PM CST #
