Details
- Type: Bug
- Resolution: Unresolved
- Priority: Major
- None
- 1.9.5
- None
- Unknown
Description
I implemented a custom authenticator using the "Trusted authentication framework" with the CookieAuthenticationPersistenceStore option enabled.
The authenticator is not working anymore on Tomcat 9. Note that it is working normally on Tomcat 8 (8.0_171).
Here is the error from the logs:
com.xpn.xwiki.XWikiException: Error number 0 in 11: Uncaught exception
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:662)
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339)
    at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:108)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:642)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:416)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:348)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:285)
    at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:213)
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171)
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:761)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:396)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:937)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.IllegalArgumentException: An invalid domain [.mydomain.com] was specified for this cookie
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:218)
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:150)
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:906)
    at org.apache.catalina.connector.Response.addCookie(Response.java:859)
    at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:303)
    at javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:57)
    at javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:57)
    at javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:57)
    at org.xwiki.contrib.authentication.internal.CookieAuthenticationPersistenceStore.setAuthenticationCookie(CookieAuthenticationPersistenceStore.java:150)
    at org.xwiki.contrib.authentication.internal.CookieAuthenticationPersistenceStore.store(CookieAuthenticationPersistenceStore.java:128)
    at org.xwiki.contrib.authentication.internal.DefaultTrustedAuthenticator.authenticate(DefaultTrustedAuthenticator.java:219)
    at org.xwiki.contrib.authentication.internal.DefaultTrustedAuthenticator.authenticate(DefaultTrustedAuthenticator.java:186)
    at org.xwiki.contrib.authentication.internal.DefaultTrustedAuthenticator.authenticate(DefaultTrustedAuthenticator.java:153)
    at org.xwiki.contrib.authentication.internal.DefaultTrustedAuthenticator.authenticate(DefaultTrustedAuthenticator.java:127)
    at org.xwiki.contrib.authentication.XWikiTrustedAuthenticator.checkAuth(XWikiTrustedAuthenticator.java:65)
    at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4365)
    at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:238)
    at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:268)
    at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4388)
    at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5780)
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:548)
    ... 64 common frames omitted
Basically, the root cause is that Tomcat 9 switched to a new cookie processor, based on RFC 6265, which rejects the domain specified in the authentication cookie. The rejected part is the leading dot that CookieAuthenticationPersistenceStore prepends to the domain, see https://github.com/xwiki-contrib/xwiki-authenticator-trusted/blob/master/xwiki-authenticator-trusted-api/src/main/java/org/xwiki/contrib/authentication/internal/CookieAuthenticationPersistenceStore.java#L247.
It seems that a workaround for the issue is to use the LegacyCookieProcessor, see
- https://stackoverflow.com/questions/42524002/an-invalid-domain-was-specified-for-this-cookie
- https://stackoverflow.com/questions/38696081/how-to-change-cookie-processor-to-legacycookieprocessor-in-tomcat-8
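The application-side alternative to the LegacyCookieProcessor workaround is to stop emitting the leading dot. The helper below is an added illustration written for this ticket, not code from xwiki-authenticator-trusted or from Tomcat: `normalize` applies the rule RFC 6265 section 5.2.3 gives to user agents (a leading "." in the Domain attribute is ignored, and the value is case-insensitive), and `isAcceptedByRfc6265Processor` is a re-implementation, for illustration only, of the label checks that Tomcat's `Rfc6265CookieProcessor.validateDomain` performs before it writes the Set-Cookie header. The sample domains in `main` are constructed, and the class and method names are not from the project.

```java
import java.util.Locale;

/**
 * Illustrative helper (not part of xwiki-authenticator-trusted): normalizes a
 * configured cookie domain so that Tomcat's RFC 6265 cookie processor accepts it.
 */
public final class CookieDomain {

    private CookieDomain() {
    }

    /**
     * Applies the rule RFC 6265 section 5.2.3 gives to user agents: a leading
     * "." in the Domain attribute is ignored, and the value is case-insensitive.
     * Returns null for an empty value so the caller can leave the Domain
     * attribute out entirely (the cookie then becomes host-only).
     */
    public static String normalize(String configured) {
        if (configured == null) {
            return null;
        }
        String domain = configured.trim().toLowerCase(Locale.ROOT);
        if (domain.startsWith(".")) {
            domain = domain.substring(1);
        }
        return domain.isEmpty() ? null : domain;
    }

    /**
     * Re-implementation, for illustration only, of the label rules that
     * Rfc6265CookieProcessor.validateDomain enforces before it emits a
     * Set-Cookie header: only ASCII letters, digits, '-' and '.', every label
     * starts and ends with a letter or digit, no empty labels.
     */
    public static boolean isAcceptedByRfc6265Processor(String domain) {
        if (domain == null || domain.isEmpty()) {
            return false;
        }
        int prev = -1;
        int cur = -1;
        for (int i = 0; i < domain.length(); i++) {
            prev = cur;
            cur = domain.charAt(i);
            boolean allowed = (cur >= 'a' && cur <= 'z') || (cur >= 'A' && cur <= 'Z')
                || (cur >= '0' && cur <= '9') || cur == '-' || cur == '.';
            if (!allowed) {
                return false;
            }
            // a label must start with a letter or digit; this is the check
            // that rejects ".mydomain.com" in the stack trace above
            if ((prev == -1 || prev == '.') && (cur == '.' || cur == '-')) {
                return false;
            }
            // a label must end with a letter or digit
            if (prev == '-' && cur == '.') {
                return false;
            }
        }
        // the domain must end with a complete label
        return cur != '.' && cur != '-';
    }

    public static void main(String[] args) {
        // Sample values, constructed for this demonstration.
        String[] samples = {".mydomain.com", "mydomain.com", "MyDomain.COM.", "-bad.example", ""};
        for (String configured : samples) {
            String normalized = normalize(configured);
            String shown = "\"" + configured + "\"";
            if (normalized == null) {
                System.out.printf("%-16s -> no Domain attribute (host-only cookie)%n", shown);
            } else {
                System.out.printf("%-16s -> %-14s accepted=%b%n",
                    shown, normalized, isAcceptedByRfc6265Processor(normalized));
            }
        }
    }
}
```

Nothing is lost by dropping the dot: under RFC 6265 domain matching, a cookie with `Domain=mydomain.com` is sent to mydomain.com and to every subdomain of it, which is exactly what the old `.mydomain.com` form was meant to express. The container-side workaround from the linked answers, a `<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />` element in the web application's `META-INF/context.xml`, reverts cookie handling to the older, more permissive syntax for every cookie the application sets, so it is a stopgap rather than a fix for the authenticator itself.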