Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ServletRequest.getContextPath() might return wrong value when OIDC app is in used. #6659

Closed
pmd1nh opened this issue Feb 25, 2019 · 2 comments
Closed

ServletRequest.getContextPath() might return wrong value when OIDC app is in used. #6659

pmd1nh opened this issue Feb 25, 2019 · 2 comments
Assignees
@pmd1nh
Labels
release bug This bug is present in a released version of Open Liberty release:19003 team:Sirius

Comments

@pmd1nh
Copy link
Member

pmd1nh commented Feb 25, 2019

No description provided.

@pmd1nh pmd1nh added release bug This bug is present in a released version of Open Liberty team:Sirius labels Feb 25, 2019
@pmd1nh pmd1nh self-assigned this Feb 25, 2019
@pmd1nh pmd1nh mentioned this issue Feb 25, 2019
Merged
@pmd1nh
Copy link
Member Author

pmd1nh commented Feb 25, 2019

#6661

@pmd1nh
Copy link
Member Author

pmd1nh commented Feb 25, 2019

Summary: This problem only happens when security OIDC_client is used to authenticate the user.

After the OIDC authentication, user's application landing page /SystemTest/ is served. It dispatches forward to a welcome file index.jsp.
During the service() of index.jsp, the servletRequest.getContextPath() switched from the customer's application /SystemTest/index.jsp to OIDC's app /oidcclient

With some debug traces showing the WebAppDispatcherContext and WebApp objects inside the index.jsp service()

//beginning of service()

[APP/PROC/WEB/0] OUT [2/15/19 17:04:26:761 UTC] 00000032 servlet > com.ibm.ws.webcontainer.servlet.ServletWrapper service ServletWrapper[/index.jsp:[]] ,req-->com.ibm.ws.webcontainer31.srt.SRTServletRequest31@59ecbc76 ,res-->com.ibm.ws.web
47053 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:761 UTC] 00000032 srt 1 com.ibm.ws.webcontainer.srt.SRTServletRequest getRequestURI uri --> /SystemTest/index.jsp
47054 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:761 UTC] 00000032 BNFHeadersImp 3 getHeader(s): x-dtRUM null
47055 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:761 UTC] 00000032 srt 1 com.ibm.ws.webcontainer.srt.SRTServletRequest getHeader this->com.ibm.ws.webcontainer31.srt.SRTServletRequest31@59ecbc76: name --> x-dtRUM header --> null
47056 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:761 UTC] 00000032 BNFHeadersImp 3 getHeader(s): Cookie [Cookie=s_fid=64022891BA82D5A5-1B2E8C8AF18320AB; mp_7f6635762e8341120437f17080936472_mixpanel=%7B%22distinct_id%22%3A%20%22168856e2d4689a-049c3f5218f
47057 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:761 UTC] 00000032 srt 1 com.ibm.ws.webcontainer.srt.SRTServletRequest getHeader this->com.ibm.ws.webcontainer31.srt.SRTServletRequest31@59ecbc76: name --> Cookie header --> s_fid=64022891BA82D5A5
47058 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:762 UTC] 00000032 srt 1 com.ibm.ws.webcontainer.srt.SRTServletRequest getAttribute this->com.ibm.ws.webcontainer31.srt.SRTServletRequest31@59ecbc76: name --> com.ruxit.sensors.uem
47059 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:762 UTC] 00000032 SystemOut O DEBUG, TS001811684, SRTThreadData.getDispatchContext -> com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer.srt.SRTServl
47060 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:762 UTC] 00000032 SystemOut O DEBUG, TS001811684, getDispatchContext from ThreadData dc ->com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer31.srt.SR
47061 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:762 UTC] 00000032 SystemOut O DEBUG, TS001811684, getDispatchContext, returns ->com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer31.srt.SRTServletRe
47062 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:762 UTC] 00000032 srt 1 com.ibm.ws.webcontainer.srt.SRTServletRequest setAttribute this->com.ibm.ws.webcontainer31.srt.SRTServletRequest31@59ecbc76: name --> [com.ruxit.sensors.uem], value --> [
47063 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:762 UTC] 00000032 srt 1 com.ibm.ws.webcontainer.srt.SRTServletRequest attributeAdded this->com.ibm.ws.webcontainer31.srt.SRTServletRequest31@59ecbc76: key --> com.ruxit.sensors.uem value --> com.
47064 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:762 UTC] 00000032 SystemOut O DEBUG, TS001811684, SRTThreadData.getDispatchContext -> com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer.srt.SRTServl
47065 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:763 UTC] 00000032 SystemOut O DEBUG, TS001811684, getDispatchContext from ThreadData dc ->com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer31.srt.SR
47066 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:763 UTC] 00000032 SystemOut O DEBUG, TS001811684, getDispatchContext, returns ->com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer31.srt.SRTServletRe
47067 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:763 UTC] 00000032 SystemOut O DEBUG, TS001811684, WebAppDispatchContext.getWebApp -> com.ibm.ws.webcontainer31.osgi.webapp.WebApp31@39ac29d1[SystemTestEAR#SystemTest.war], this -> com.ibm.ws.webcontai
47068
47069 //PMDINH at the start of service, we can see com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705
a>47070
47071 this WebAppDispatcherContext calls getWebApp() which returns the correct SystemTest app WebAppDispatchContext.getWebApp -> com.ibm.ws.webcontainer31.osgi.webapp.WebApp31@39ac29d1[SystemTestEAR#SystemTest.war]

//The WebAppDispatcherContext is used to retrieve the associated WebApp. In the middle of service, the same .WebAppDispatcherContext@e9461705 is used but the associated WebApp has changed
// from .WebApp31@39ac29d1[SystemTestEAR#SystemTest.war] to WebApp31@9857c904[com.ibm.ws.security.openidconnect.client

[APP/PROC/WEB/0] OUT [2/15/19 17:04:26:771 UTC] 00000032 SystemOut O DEBUG, TS001811684, getContextPath, this -> com.ibm.ws.webcontainer31.srt.SRTServletRequest31@59ecbc76
47462 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:771 UTC] 00000032 SystemOut O DEBUG, TS001811684, SRTThreadData.getDispatchContext -> com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer.srt.SRTServl
47463 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:772 UTC] 00000032 SystemOut O DEBUG, TS001811684, getDispatchContext from ThreadData dc ->com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer31.srt.SR
47464 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:772 UTC] 00000032 SystemOut O DEBUG, TS001811684, getDispatchContext, returns ->com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705, this -> com.ibm.ws.webcontainer31.srt.SRTServletRe
47465
47466 //PMDINH thebm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9461705 is still intact. However, the associated WebApp has changed to bm.ws.webcontainer31.osgi.webapp.WebApp31@9857c904 this is the OIDC app
47467 ?????????????
47468
47469 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:772 UTC] 00000032 SystemOut O DEBUG, TS001811684, WebAppDispatchContext.getWebApp -> com.ibm.ws.webcontainer31.osgi.webapp.WebApp31@9857c904[com.ibm.ws.security.openidconnect.client#com.ibm.ws.securit
47470 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:772 UTC] 00000032 SystemOut O DEBUG, TS001811684, WebApp.getContextPath, WebApp -> OpenID Connect Client Redirect Servlet, contextPath -> /oidcclient this -> com.ibm.ws.webcontainer31.osgi.webapp.WebA
47471 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:772 UTC] 00000032 webapp 1 com.ibm.ws.webcontainer.webapp.WebApp getContextPath contextPath->/oidcclient
47472 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:772 UTC] 00000032 SystemOut O DEBUG, TS001811684, WebAppDispatchContext.getContextPath 3, from getWebApp, contextPath/oidcclient, this -> com.ibm.ws.webcontainer.osgi.webapp.WebAppDispatcherContext@e9
47473 [APP/PROC/WEB/0] OUT [2/15/19 17:04:26:772 UTC] 00000032 srt 1 com.ibm.ws.webcontainer.srt.SRTServletRequest getContextPath path --> /oidcclient

There are only 3 ways to change the associated protected WebApp _webapp inside the WebAppDispatcherContext:

1) during the contruction of the new WebAppDispatcherContext()

2) setter setWebApp(WebApp)

3) any subClass of WebAppDispatcherContext can change this protected _webapp.

Even with the debug module, there is no log showing the setWebApp() was used to change the _webapp. Since the WebAppDispatcherContext is the same, there is no new constructor was called (i.e not via path #1)

One last possible path is #3 that someone has changed this protected _webapp directly from a subclass of WebAppDispatcherContext. However, we can find any other subClass of WebAppDispatcherContext from the security oidc code (Chunglong confirmed). Security team can also not be able to find any reflection from their code to change this _webapp.

So we still do NOT know the root cause of this.

Solution: After I changed from protected _webapp to private _webApp and force everything through the setWebApp(WebApp), it resolved the problem in the customer's env. They can not reproduce the problem in many other clients sides.
NOTE the name was changed to _webApp to prevent any possible java reflection which might have changed this field member. I don't know whether that helps but seems to work.

@pmd1nh pmd1nh closed this as completed Mar 1, 2019
@jhanders34 jhanders34 mentioned this issue Mar 1, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pmd1nh pmd1nh

Labels
release bug This bug is present in a released version of Open Liberty release:19003 team:Sirius
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LibbyBot @pmd1nh