[JBoss JIRA] (SECURITY-573) Improve handling of IOException thrown from NegotiationAuthenticator
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/SECURITY-573?page=com.atlassian.jira.plug... ]
Darran Lofthouse updated SECURITY-573:
--------------------------------------
Fix Version/s: Negotiation_2_1_7
(was: Negotiation_2_1_6)
> Improve handling of IOException thrown from NegotiationAuthenticator
> --------------------------------------------------------------------
>
> Key: SECURITY-573
> URL: https://issues.jboss.org/browse/SECURITY-573
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Affects Versions: Negotiation_2.0.3.GA
> Environment: JBoss EPP 5.1.GA with SPNEGO support, JBoss Negotiation 2.0.3, commons-http-client 3.1 used as HTTP client
> Reporter: Marek Posolda
> Assignee: Darran Lofthouse
> Fix For: Negotiation_2_1_7
>
>
> Currently if an IOException is thrown from NegotiationAuthenticator (for example from line 123, from the statement: NegotiationMessage requestMessage = mf.createMessage(authTokenIS); )
> then this exception is never logged, but it's caught and ignored in CoyoteAdapter.service. The result is that the client receives response code 200 OK and an empty HTTP response. And there is nothing in the server log which can be used to recognize the error. So I need to debug if I want to find the real cause of the IO issue.
> This issue can be simulated, for example, by using the Kerberos OID instead of the SPNEGO OID, as described in Jira SECURITY-572.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
10 years, 5 months
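
The failure mode reported in SECURITY-573, shown as an added Java example (not PicketBox or JBoss Negotiation code): the token header is parsed, and a Kerberos mechanism OID sent where SPNEGO is expected is logged and rejected at the point of failure instead of surfacing as an unlogged IOException. The class, method and logger names, the client address and the sample token bytes are assumptions constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class NegotiationTokenCheck {
    private static final Logger LOG = Logger.getLogger("negotiation.example");
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Reads the GSS-API token header: tag 0x60, DER length, then the mechanism OID.
    static String readMechanism(InputStream in) throws IOException {
        if (in.read() != 0x60) throw new IOException("Expected GSS-API token tag 0x60");
        int len = in.read();
        if (len < 0) throw new IOException("Truncated token: no length octet");
        if ((len & 0x80) != 0) {                    // long form: skip the length octets
            int n = len & 0x7f;
            if (in.readNBytes(n).length != n) throw new IOException("Truncated token length");
        }
        try {
            return new Oid(in).toString();          // DER OID including tag and length
        } catch (GSSException e) {
            throw new IOException("Unreadable mechanism OID", e);
        }
    }

    // Returns true only for a well-formed SPNEGO token; every rejection is logged here,
    // so nothing depends on a caller further up the stack reporting the IOException.
    static boolean accept(byte[] token, String client) {
        try {
            String mech = readMechanism(new ByteArrayInputStream(token));
            if (!SPNEGO_OID.equals(mech)) throw new IOException("Unsupported mechanism OID " + mech);
            return true;                            // real code would continue the negotiation
        } catch (IOException e) {
            LOG.log(Level.WARNING, "Negotiate token from " + client + " rejected", e);
            return false;                           // caller must answer with an error status
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers: SPNEGO OID, then Kerberos V5 OID (the SECURITY-572 case).
        byte[] spnego = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        byte[] krb5 = {0x60, 0x0b, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                       (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};
        System.out.println(accept(spnego, "192.0.2.10"));
        System.out.println(accept(krb5, "192.0.2.10"));
    }
}
```

Run with Java 11 or later; the second call logs a warning naming OID 1.2.840.113554.1.2.2 with the exception attached, which is the server-side trace the report says is missing.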
[JBoss JIRA] (WFLY-3281) Cannot call getOutputStream(), getWriter() already called
by Jakob Munih (JIRA)
[ https://issues.jboss.org/browse/WFLY-3281?page=com.atlassian.jira.plugin.... ]
Jakob Munih resolved WFLY-3281.
-------------------------------
Fix Version/s: 8.1.0.Final
Resolution: Done
With the last update of CXF to 2.7.11, which resolves CXF-5620 in master, the exception has gone.
> Cannot call getOutputStream(), getWriter() already called
> ---------------------------------------------------------
>
> Key: WFLY-3281
> URL: https://issues.jboss.org/browse/WFLY-3281
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Undertow)
> Affects Versions: 8.1.0.CR1
> Environment: linux
> Reporter: Jakob Munih
> Assignee: Stuart Douglas
> Priority: Minor
> Fix For: 8.1.0.Final
>
>
> Similar to WFL-1276 I got “UT005023: Exception handling request to /hsb/web-services/: java.lang.IllegalStateException: UT010005: Cannot call getOutputStream(), getWriter() already called” when accessing the CXFNonSpringServlet servlet that shows all web services deployed with ApacheCamel 2.13.0. The exception was not present in WF 8.0. Even with the exception, the servlet renders all available services correctly.
> Servlet:
> {code}
> import com.parsek.hsb.commons.Hsb;
> import org.apache.cxf.Bus;
> import org.apache.cxf.transport.servlet.CXFNonSpringServlet;
> import javax.inject.Inject;
> import javax.servlet.ServletConfig;
> import javax.servlet.ServletException;
> import javax.servlet.annotation.WebServlet;
>
> // reuse camel bus
> @WebServlet(value = "/web-services/*", name = "HsbWebServices", asyncSupported = true, loadOnStartup = 1)
> public class ExposeCxf extends CXFNonSpringServlet {
>     @Hsb
>     @Inject
>     private Bus bus;
>
>     @Override
>     public void init(ServletConfig sc) throws ServletException {
>         setBus(bus);
>         super.init(sc);
>     }
> }
> {code}
> Exception
> {noformat}
> 11:12:05,900 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /hsb/web-services/: java.lang.IllegalStateException: UT010005: Cannot call getOutputStream(), getWriter() already called
> at io.undertow.servlet.spec.HttpServletResponseImpl.getOutputStream(HttpServletResponseImpl.java:283) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at org.apache.cxf.transport.servlet.servicelist.ServiceListGeneratorServlet.renderStyleSheet(ServiceListGeneratorServlet.java:174) [cxf-rt-transports-http-2.7.10.jar:2.7.10]
> at org.apache.cxf.transport.servlet.servicelist.ServiceListGeneratorServlet.service(ServiceListGeneratorServlet.java:89) [cxf-rt-transports-http-2.7.10.jar:2.7.10]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:170) [cxf-rt-transports-http-2.7.10.jar:2.7.10]
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.10.jar:2.7.10]
> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167) [cxf-rt-transports-http-2.7.10.jar:2.7.10]
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.10.jar:2.7.10]
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211) [cxf-rt-transports-http-2.7.10.jar:2.7.10]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) [cxf-rt-transports-http-2.7.10.jar:2.7.10]
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.5.Final.jar:1.0.5.Final]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0]
> at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0]
> {noformat}
10 years, 5 months