500 Internal Server Error when clicking ANY Save/Create button #265

Closed
suhaylhallim opened this issue Aug 13, 2019 · 7 comments

@suhaylhallim

500 Internal Server Error

Description

When I attempt to create a user or an application, or just edit and save settings, I get the following errors:
"FusionAuth encountered an unexpected error. Please contact support for assistance." and "500 Internal Server Error An internal error occurred. FusionAuth should have captured a stack trace in the log. If you have a support contract, contact support using the form under the "Get Support" menu item. Otherwise, check your logs to see what the error might be."

Steps to reproduce

Steps to reproduce the behavior:

  1. Try adding a user
  2. Select the save button
  3. Error will show

Same for creating an application, making any changes to the settings, etc.

This is the error that is found in the fusionauth-app.log file

Aug 13, 2019 1:04:37.796 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
	at org.primeframework.mvc.security.UserLoginSecurityScheme.handle(UserLoginSecurityScheme.java:82)
	at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:80)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:45)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:89)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:57)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:91)
	at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
	at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
	at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:84)
	at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Expected behavior

I set up FusionAuth a few months ago and have added multiple users and applications during that time. I didn't check on FusionAuth for a while and, now that I am configuring another application and was ready to add SSO to it, I ran into this HUGE problem.

Screenshots

Screenshot of the error when trying to create a user:
fusionauth-add-user-error

Screenshot of the error when trying to create an application:
fusionauth-add-application-error

Screenshot of the error when trying to edit and save changes in settings:
fusionauth-sys-config-edit-error

Platform

FusionAuth Dedicated Installation

  • Device: XCP-NG on DELL PE R610
  • OS: UBUNTU 18.04.2 SERVER LTS VM, 4GB RAM, 2 vCPU @ 2.67GHz

Remote Windows Computer

  • Browser + version Chrome 76.0.3809.100

Additional context

I've created multiple users before
I've created multiple applications before
I've changed the settings
Now I cannot do any of the above because of the error above.

@voidmain
Member

@suhaylhallim this error looks like it is in the CSRF code of FusionAuth. When a form is submitted, FusionAuth ensures that the Referer or Origin header is set and that it matches the URL of the form submission. This prevents malicious POST operations from outside of the FusionAuth admin.

There are only two cases that I can see where a NullPointerException could possibly be thrown:

  1. If the current URL of the form submission is missing a scheme (i.e. https)
  2. If the current URL of the form submission is missing a host name (i.e. sso.hallimsoft.com)

Your screenshots look fine and the only thing I can think of is that there might be an issue with a proxy. Do you have a proxy sitting in front of FusionAuth that is translating requests from sso.hallimsoft.com to an IP address or a private hostname?

@suhaylhallim
Author

suhaylhallim commented Aug 13, 2019

Response

@voidmain Yes, I have FusionAuth behind a proxy. I didn't find much on how to set it up behind a proxy, or I wasn't looking hard enough. So I went ahead with a "trial & error" approach. When I initially set up FusionAuth I did remember a warning about my proxy configuration. It disappeared immediately after following the instructions. I was able to create multiple users & applications without any warnings or issues. Before this response I attempted to search the docs for insight into your response and to recheck my config. Unfortunately I'm not sure what could possibly cause this newfound problem. As you will find below, my setup is super basic and would definitely need your personal insight from here on out.

Reference to the CSRF Warning

When I first set up FusionAuth 2 months ago, this was the Proxy Warning I got
Proxy Error

Fix to the CSRF Warning

I fixed this by adding the following line to my configuration
RequestHeader set "X-Forwarded-Proto" expr=https://%{REQUEST_URI}

Apache Config.

I was and still am using Apache as my reverse proxy and this is what it always looked like.

<VirtualHost *:80>

        ServerName sso.hallimsoft.com
        ServerAlias *.sso.hallimsoft.com
        ServerAdmin ceo@hallimsoft.com

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =sso.hallimsoft.com [OR]
        RewriteCond %{SERVER_NAME} =*.sso.hallimsoft.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        RequestHeader set "X-Forwarded-Proto" expr=https://%{REQUEST_URI}

        ServerName sso.hallimsoft.com
        ServerAlias *.sso.hallimsoft.com
        ServerAdmin ceo@hallimsoft.com

        ProxyPreserveHost  On
        ProxyPass / http://192.168.1.171:9011/
        ProxyPassReverse / http://192.168.1.171:9011/

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/hallimsoft.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/hallimsoft.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Additional Info

The SSL Certs. used are wildcard certs. When I created it, I included the following domains:
hallimsoft.com
*.hallimsoft.com

This is the flow of my vm configs
vm layout

@suhaylhallim
Author

Response

@voidmain I fixed this problem. All thanks to you! After re-reading your response and eventually stumbling across Issue #112 (which outright shows you've already... kinda dealt with this exact issue except with HAProxy), I was able to google and find Setting X-Forwarded-Proto under Apache 2.4.

Initial Apache Config with Issue

<VirtualHost *:80>

        ServerName sso.hallimsoft.com
        ServerAlias *.sso.hallimsoft.com
        ServerAdmin ceo@hallimsoft.com

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =sso.hallimsoft.com [OR]
        RewriteCond %{SERVER_NAME} =*.sso.hallimsoft.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        RequestHeader set "X-Forwarded-Proto" expr=https://%{REQUEST_URI}

        ServerName sso.hallimsoft.com
        ServerAlias *.sso.hallimsoft.com
        ServerAdmin ceo@hallimsoft.com

        ProxyPreserveHost  On
        ProxyPass / http://192.168.1.171:9011/
        ProxyPassReverse / http://192.168.1.171:9011/

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/hallimsoft.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/hallimsoft.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Fixed Apache Config without Issue

<VirtualHost *:80>

        ServerName sso.hallimsoft.com
        ServerAlias *.sso.hallimsoft.com
        ServerAdmin ceo@hallimsoft.com

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =sso.hallimsoft.com [OR]
        RewriteCond %{SERVER_NAME} =*.sso.hallimsoft.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"        
        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
        RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

        ServerName sso.hallimsoft.com
        ServerAlias *.sso.hallimsoft.com
        ServerAdmin ceo@hallimsoft.com

        ProxyPreserveHost  On
        ProxyPass / http://192.168.1.171:9011/
        ProxyPassReverse / http://192.168.1.171:9011/

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/hallimsoft.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/hallimsoft.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Results

Notice the difference with the RequestHeader
I can add a user, application, make changes to settings and, save.

Many Many Thanks for your time @voidmain

@voidmain
Member

My pleasure! I'm glad you got it working.

@robotdan
Member

Great! It looks like one thing we could have done to help debug this would be to show the proxy config warning if the value set in the X-Forwarded-Proto is anything other than https and http. We may look into adding this additional validation.

In your initial config, this probably would have helped narrow down the issue.
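The check discussed in this thread, as an added example that is not part of the original issue and is not FusionAuth's code: a simplified model of an Origin/Referer comparison behind a reverse proxy, with the `X-Forwarded-Proto` validation suggested above. The function names are hypothetical, and the `INITIAL` header value is the assumed expansion of the initial `RequestHeader` directive for a constructed request path.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}  # also the only accepted schemes


def proto_problem(value):
    """Return why an X-Forwarded-Proto value is unusable, or None if it is fine."""
    if value is None:
        return "X-Forwarded-Proto is missing"
    if value.strip().lower() not in DEFAULT_PORTS:
        return f"X-Forwarded-Proto is {value!r}, expected 'http' or 'https'"
    return None


def origin_of(scheme, host, port):
    """Format scheme://host, adding :port only when it is not the default."""
    suffix = "" if port in (None, DEFAULT_PORTS.get(scheme)) else f":{port}"
    return f"{scheme}://{host.lower()}{suffix}"


def external_origin(headers):
    """Rebuild the origin the browser used from the headers the proxy forwards."""
    problem = proto_problem(headers.get("X-Forwarded-Proto"))
    if problem:
        raise ValueError(problem)  # surface the misconfiguration, do not guess
    scheme = headers["X-Forwarded-Proto"].strip().lower()
    host = headers["Host"].split(":")[0]
    return origin_of(scheme, host, headers.get("X-Forwarded-Port"))


def same_origin_post(headers):
    """Accept a form POST only if Origin (or Referer) matches the external origin."""
    sent = urlsplit(headers.get("Origin") or headers.get("Referer") or "")
    if not sent.scheme or not sent.hostname:
        return False  # fail closed when the source URL lacks scheme or host
    port = str(sent.port) if sent.port else None
    return origin_of(sent.scheme, sent.hostname, port) == external_origin(headers)


# Constructed requests: what the backend would receive under each Apache config.
BROWSER = {"Host": "sso.hallimsoft.com", "Origin": "https://sso.hallimsoft.com"}
INITIAL = {**BROWSER, "X-Forwarded-Proto": "https:///admin/user/add"}
FIXED = {**BROWSER, "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}

if __name__ == "__main__":
    print("initial:", proto_problem(INITIAL["X-Forwarded-Proto"]))
    print("fixed:  ", proto_problem(FIXED["X-Forwarded-Proto"]), same_origin_post(FIXED))
```

With the initial header value the rebuilt URL has no usable scheme, so the model reports the misconfiguration explicitly; with the fixed value the same-origin POST is accepted and a POST carrying a foreign Origin is rejected.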

@suhaylhallim
Author

@robotdan Yes. However, I appreciate all the hard work you guys put into FusionAuth. Thank you again.

@suhaylhallim
Author

@voidmain & @robotdan I'm just posting this here for those that might have the same proxy setup and have trouble setting it up. Most likely they will need the following also since I definitely did.

I believe it is necessary to add the following RequestHeader to the Apache config in order to omit the port :80 that is seen suffixed to the URLs in the Application Details.

Addition to the Apache config

RequestHeader set "X-Forwarded-Port" "443"

Application Details before the addition

fusionauth-without-x-forwarded-port-edited

Application Details after the addition

fusionauth-with-x-forwarded-port

Just to recap

These three RequestHeader are necessary if you are hosting FusionAuth behind Apache Proxy with SSL. (I'm not sure how "without SSL" would be configured so, I'm not going to speak on that behalf)

RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
RequestHeader set "X-Forwarded-Port" "443"
