Add new maven profile for IBM Liberty Profile #263
Comments
|
The Liberty profile beta supports many Java EE 7 technologies with Servlet 3.1 and Websockets 1.0 being the most complete. At this time neither are 100% CTS compliant although we are making progress with each of our beta updates. The beta is updated roughly every 4 weeks. To get these features both need to be configured into the server. The default server template configures for servlet-3.0 and jsp-2.2 only. The Java Servlet 3.1, Concurrency Utilities for Java EE 1.0, Java Websocket API 1.0, and JSON Parsing 1.0 will be released on December 9th 2014. To get these capabilities the server.xml needs to be updated to add: We have run these samples against Liberty (although not using the maven plugin hence no contribution). @arun-gupta tried to run some of the samples on an earlier beta where the Liberty profile did not process the servlet 3.1 deployment descriptor schema. Liberty profile currently supports the servlet 3.1 deployment descriptor schema provided the servlet 3.1 feature is configured. At the time this was written based on the Liberty profile beta the following samples can run: Java Batch 1.0 Concurrency Utilities for Java EE 1.0 Enterprise JavaBeans 3.2 Java API for XML RESTful Services 2.0 Java Persistence Architecture 2.1 JSON Parsing 1.0 Java Servlet 3.1 Java Websocket 1.0 Anything not listed has either not been run by us, or it ran with errors. As noted by @aslakknutsen the WebSphere Application Server for Developers license doesn’t include use on a build server, but it does allow people to run these samples and associated tests on a developer desktop so I don’t think that restriction should preclude the creation of a profile for Liberty profile. |
|
@notatibm Thanks a lot for detailed summary! Will you be adding a profile ? |
@notatibm Didn't Arquillian work with Liberty or was there another issue? It looks like there IS an Arquillian container for Liberty available (see http://arquillian.org/modules/arquillian-wlp-managed-8.5-container-adapter) PS if/when Liberty is adding support for JASPIC and you have issues with the JASPIC tests, please let me know if I can help (you can contact me privately if needed). I executed a Java EE 6 variant of the tests against WebSphere and initially nothing passed. But when I added the user and groups that the JASPIC tests use to some internal repository of WebSphere many tests did pass (see http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html for more details). |
|
@arun-gupta I'd love to do it, but I can't do it right now so if someone else chooses to pick it up in the meantime that is fine by me. @arjantijms There is an Arquillian plugin for Liberty profile I think what @arun-gupta is looking for is the maven updates to enable that for these samples. I'll do my best to remember to contact you about JASPIC. |
|
@notatibm @arun-gupta I just added a PR that adds the mentioned Arquillian container for Liberty to pom.xml. See #299 As discussed on SO the JASPIC samples had to be adjusted to wrap the war that's normally used for testing in a dummy EAR to satisfy the somewhat unfortunate requirement that Liberty has that a group to role mapping file can only be stored in an EAR. In order to run the JASPIC tests a cheat had to be added via a user repository that contains exactly the user and group that's used by the JASPIC tests. In reality Liberty fails 100% of the JASPIC tests, but with this cheat in place at least the tests are actually attempted. For real JASPIC usage a special noop user registry would have to be installed (one that simply validates every user and group). I have in fact created this, but I'm not entire sure how to reference such a feature from Maven (it's an .esa archive) and install it to Liberty from the tests. Unfortunately quite a few JASPIC tests fail, but of course Liberty is still in beta. The following tests failed:
Specifically the EJB, register session (new JASPIC 1.1 feature) and request/response wrapper tests completely failed (all tests in those sections failed). |
|
One thing to consider, as mentioned by @notatibm
Would it be an idea to ask special permission for this?
Alternatively, someone could run the tests for Liberty periodically on a desktop and publish the test results. What do you think? |
|
@arjantijms since I made that comment we updated the license of the version on WASdev.net that would allow use on a build server, provided the heap is under 2Gb. The actual limitation is no more than 2Gb per organization, so if you ran 2 builds at the same time it would need to be 1Gb each build. Also not sure in this case what the organization would be. I don't know if that helps. IANAL |
|
@notatibm right, I almost forgot about that. 2GB would be more than enough I guess and I don't think @arun-gupta does concurrent builds on the same server. IANAL either, but it sounds like it should not be an issue indeed ;) P.s. what do you think about the results from the JASPIC test? |
|
@arjantijms, We're looking into the JASPIC test failures you highlighted. |
|
@arjantijms have you implemented your own JASPIC provider and configured it as a Liberty product extension feature? We only provide the support to plug your own JASPIC provider and do not ship one. |
|
@arkarkala for the tests nothing was configured as a Liberty product extension feature, although I'm not 100% sure what you mean with a JASPIC provider. It sounds like there may be a confusion with a JACC provider, which is indeed something you don't seem to ship (I'm pretty sure this is a spec violation as well, but that's an entirely different story). For this case it's only about JASPIC. JACC is not involved. For the test run, Liberty was downloaded from the Liberty beta page, and server.xml configured as indicated here: https://github.com/javaee-samples/javaee7-samples/blob/master/README.md In order to by pass a spec violation in Liberty where the callback handler tries to validate users and groups with a user registry, a basicRegistry was configured in server.xml that contains exactly the users and groups used by the test. This itself should not be needed, but without it nothing at all runs. The exact details about the Server Auth Module (SAM) that was used is in the source code of the tests, but as a summary:
JASPIC itself basically works on Liberty using this spec defined method of installing a SAM. The installed SAM is called at the right moment before the Servlet/filter chain is invoked, but an amount of JASPIC features such as the ability to wrap a request and response apparently do not work. |
|
@arjantijms Yes, I did mean JASPIC (not JACC). But since you are registering your config provider in your code there should not be a need for an extension feature. Not all changes went into Beta - so you might be hitting these. We will investigate. Regarding the userRegistry (UR) issue, did you have to specify the same user/group (test/architect) or configure a UR with any (dummy) user only - the latter indicating that you need a UR but is not used for authentication? |
Okay, it's just that the term "JASPIC provider" did not ring a bell, while the term "JACC provider" is quite common.
True, there should not be a need for this. But to work around the spec violation where usernames/groups are being validated one is unfortunately needed for practical purposes. For the test however there was no extension feature used.
Well, given the following server.xml that was modified once with the following UR: <basicRegistry id="basic">
<user name="test" password="not needed"/>
<group name="architect"/>
</basicRegistry>If you would change the user name to say "test-does-not-exist", then every test fails immediately when the callback is being handled in the auth module. The log mentions something about an unknown user (I'd have to repeat the test to see what the exact exception is). When I do not provide a UR at all, the tests also fails, but instead of an unknown user exception a null pointer exception is logged. So my conclusion was that a UR needs to be present AND it actually needs to contain the user and group that the tests use. In private tests on my workstation I have executed a parallel test run where I did not add the basicRegistry, but instead installed my own custom user registry as an extension feature. Here I could see that Liberty actually calls a couple of validate methods (isValidUser, isValidGroup). When I return "false" from these methods handling the callback does not work, when I return "true" the callback works. I'm just about to finish a blog post with some details about this custom user registry. At any length, using either the basic registry with the test/architect username/group or the noop custom registry yields the same results; in both situations the tests that fail and succeed are the same. |
|
@arjantijms , are you seeing the isValid calls made in the latest Beta (April/May) too? |
Yes. The archive I downloaded was I just finished the article which contains some more details about the extra test with the custom user registry that I've been doing. See http://arjan-tijms.omnifaces.org/2015/04/testing-jaspic-11-on-ibm-liberty-ee-7.html |
|
@arjantijms Can you provide the following trace - com.ibm.ws.security.=all:com.ibm.ws.webcontainer.=all so we can see when these isValid calls are being made? Majority of our customers do use UR so we made it mandatory. Yes, there are few situations where it is not required (for eg, when one does not use the default authentication AND authorization) and having some dummy values in it would be sufficient - they should not be used. We might make the UR configuration optional to handle these cases sometime in future - you can also open Request For Feature (RFE) - https://www.ibm.com/developerworks/rfe/execute?use_case=changeRequestLanding There are also some scenarios where a custom authentication is performed (for eg using JASPIC), WAS can do the authorization without consulting the registry. For eg, when all valid (authenticated) users are assigned to the role(s) inside the application-bnd as shown below. |
I'm on a different computer now, but I'll provide these later today. It should also be easy for yourself to see this. This test repository is set up such that everything is fully reproducible. Nothing in the tests depends on anything that's specific to my environment. If you follow the instructions from https://github.com/javaee-samples/javaee7-samples/blob/master/README.md you should be able to easily get the exact same results.
The problem here is that the JASPIC specification doesn't allow this. Liberty is not fully Java EE 7 compatible as long as it mandates this. The spec lead, Ron Monzillo said the following about this:
Ultimately the TCK should have flagged this, but unfortunately it didn't. |
|
@arkarkala @notatibm Just wondering, any luck with the JASPIC issues yet? |
|
Hi Arjan, Thanks for your patience. On Mon, May 4, 2015 at 2:05 AM, Arjan Tijms notifications@github.com
|
|
Hi Arjan, I've been working on the JASPIC problems you reported on the WebSphere Liberty profile. I have all of the failures that you reported working in the new May beta. I've been using the github/maven test environment as documented here on github.com/javaee-samples/javaee7-samples, which does work as advertised, no problem. You will see one failure - async-authentication - that I didn't get fixed in the beta. I have fixed it. If you need that fix let me know. Here are the changes you'll need to make.
Thanks for your input. It is our intention to make the Liberty profile as easy for individual developers such as yourself to use as Glassfish, Tomcat, Widlfly, etc., while also scaling to the largest enterprise production workloads. We hear you and we appreciate it. Paul |
Sounds great, thanks for looking into this!
That's a peculiar one, I didn't see that one failing in the previous test run I did (the one from #263 (comment))
That's a great improvement, I noticed this in the release notes of the latest beta that was released last week.
I'm very sorry that I didn't mentioned this before. Indeed, I noticed the same thing right away. I glanced over the Servlet spec and if I'm not mistaken this may a bug in Liberty, but I wanted to double check to make sure first and then forgot about it. In my local test I changed this for Liberty just like you did.
I think this is not entirely correct. I remember talking with Ron Monzillo about this and it really has to be null. Only in EJB it's allowed (almost required really) to return something container specific (which incidentally is something I hope to be able to address in the security EG, but that's for Java EE 8) The fragment you mentioned is in the Javadoc of the CallerPrincipalCallback, which for convenience is also printed on page 93 of the JASPIC 1.1 spec:
So internally, there can be a server specific representation. Which means a specific Principal implementation (e.g. com.ibm.SomePrincipal) or an actual null. A JACC provider would get to see this, and would need to take this into account. However, for Servlets the HttpServletRequest#getUserPrincipal() method is very clear that a null must be returned if the user has not been authenticated:
See http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal() There's a similar requirement for getRemoteUser(), and the requirement is repeated in the description of methods such as isUserInRole() and login(). I do agree that the wording about "container’s representation of the unauthenticated caller principal" can be confusing.
Would be really great if something can be done here, thanks in advance!
You're welcome, thanks again for looking into this. |
|
Correct, the async-authentication failure was not there before. It was introduced by my changes to fix the failures you reported. I didn't catch it in time for the beta, but it is fixed now. We're investigating the getUserPrincipal issue. |
|
Yep, that's a bug in Liberty getUserPrincipal. I coded up a fix and the tests run clean without the UNAUTHENTICATED change. |
That's really great news! :) Thanks for your efforts. Btw, I'm working on a few more tests but those aren't ready yet. They concern the ability to include/forward to a resource from the SAM (new requirement in JASPIC 1.1) , setting a specific HTTP status code from a SAM and explicitly testing whether the response can still be written to when a SAM's |
|
Hi Arjan, The Servlet spec and the Javadoc for RequestDispatcher are very clear about the response being committed and closed on return from forward. It's looking to us like there is a conflict between the requirements of the JASPIC spec and the Servlet spec on this particular item. Also it seems to us that this usage - doing a forward while processing a request and then, on return from the forward, continuing processing the original request and ultimately invoking the original request target - is not the intended use for a forward. A forward is intended "replace" the original target, with the results of the forward returned to the user agent, which is consistent with the response being committed and closed. So...we would be interested to know what your experience is with the forward on other containers. Thanks, Paul |
|
Hi Paul,
It's been a while since I tested this, but originally (for JASPIC 1.0) it already worked in GlassFish and Geronimo, but failed on JBoss, WebLogic and WebsSphere.
Indeed, that's of course not the intended use for a forward. The main use case is to be able to implement Servlet's native FORM authentication using a portable JASPIC authentication module. Servlet's FORM asks for a forward to a login page and of course doesn't invoke the original target then. I personally did the proposal for this feature to be included in JASPIC 1.1 and discussed it with Ron Monzillo. See here: https://java.net/jira/browse/JASPIC_SPEC-7 The exact text that ended up in the spec indeed doesn't quite capture the full intend. You could argue though that the text "Under the constraints defined by RequestDispatcher" indirectly defines that JASPIC indeed does not ask for the possibility to also invoke the original request target after a forward. The constraints for dispatching via a forward (Servlet 3.1, section 9.4) simply do not allow this. You could perhaps interpret this in the same way as that a Servlet can not forward to two other Servlets either, even though I think the spec does not explicitly say this. It's implied by the specification that says a dispatcher MUST close the response before returning from a forward. There's a small (indirect) clarification in the JASPIC 1.1 spec about this. In C.7.3 it says:
My interpretation would be that after having called RequestDispatcher#forward an authentication module SHOULD NOT return SUCCESS, since this would cause the container to invoke the resource, which would then get to see a closed response object. It's debatable what should be returned in that case though. The original discussion mentioned "SEND_SUCCESS", but the JASPIC 1.1 spec has been adjusted such that a "SEND_CONTINUE" can be used after having used a forward. If Liberty's JASPIC implementation behaves the same as WebSphere's 8.5 one, then possibly all that's needed here might be the removal of the constraint where WebSphere enforced that only the "302, 303, 307 and 401" status codes are allowed when SEND_CONTINUE is returned. Hope this helps. |
|
Yes that helps thanks. Definitely agree that the intent (and the implied flows) are not at all clear from the spec. So just to summarize: the behavior on SEND_CONTINUE with status code other than 302, 303, 307 or 401 is to simply return the response object as is. Essentially the provider is not authenticating the request, it's just displaying a login form, and the user agent will then need to invoke the original target again somehow with the results of the login form submission. Can you let me know if that's correct? |
That's correct.
It doesn't necessarily need to be the original target. In Servlet FORM for instance the postback is a virtual URL named "j_security_check". There's no resource behind this URL, just a name the SAM is listening too. There the flow is thus:
Of course this is just a flow, but the above is roughly how the FORM authentication method is specified. |
|
Gotcha, totally clear now. Thanks. We can make that change easily enough. One concern is that it appears to be an incompatible change of behavior from the 1.0 spec - a SEND_CONTINUE that causes us to fail the request today would now return the response as is. So we want to carefully consider how to proceed as we want provider portability between our 1.0 and 1.1 impl's as much as possible. From your new feature request for forward/include (https://java.net/jira/browse/JASPIC_SPEC-7) Ron said this re our 1.0 impl: "I think the websphere implementation is probably most correct (in terms of what the spec currently requires, asthey are apparently enforcing the following for SEND_CONTINUE..." Also thinking what if the forward returns 302, 303, 307, or 401? That could be ambiguous to the container. I'm wondering if maybe a new AuthStatus value might be useful here? Something like SEND_RETURN which would tell the container to return the response as is, specifically do not try to set anything in the response as it may very well be committed. Then the container's SEND_CONTINUE processing could remain compatible with 1.0. Paul |
|
@arjantijms @notatibm @arkarkala @kwsutter Hi Arjan, dispatching-jsf-cd testCDIIncludeViaPublicResource That fix should be in the next beta. That leaves the 5 CDI failures in invoke-ejb-cdi, which we are still investigating, plus the 2 jsf that all containers fail. Yes we will investigate the JPA/JDBC issue, thanks for the heads up. Paul |
Sounds great, looking forward to test it and update the result table. Thanks for investigating the other issues. |
|
@paulben @notatibm @arkarkala @kwsutter Another test that doesn't pass on Liberty, closely related to JASPIC, is the JACC test at https://github.com/javaee-samples/javaee7-samples/tree/master/jacc This fails pretty early when just trying to obtain the Subject: The following exception is thrown: I'm about to add a test for JASPIC to see if the identity it sets is correctly propagated to JACC, but if JACC doesn't work at all on Liberty that new test will surely fail there. The problem seems to be that Liberty does not ship with a default JACC provider. This is mentioned in the description of the "jacc-1.5" feature: "you need to add the third party JACC provider which is not a part of the WebSphere Application Server Liberty profile." Almost as usual the spec and the TCK are not entirely clear on this, but the JACC spec lead (Ron Monzillo) clarified that a default JACC provider should be available (without needing any configuration). |
|
I finally got around to adding the test I mentioned last week. Sorry for the delay. It can be found here: https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/jacc-propagation As predicted, it indeed doesn't seem to run correctly on Liberty. The results are: |
|
We look forward to participating in that discussion with Ron during the next JACC spec revision. |
|
@notatibm Thanks a lot for being open to this. In theory though it's already required for Java EE 7, but I understand this may be a difficult to support at this point. For the Java EE security EG, which now possibly relies on this functionality being available, I started the discussion here: https://java.net/projects/javaee-security-spec/lists/jsr375-experts/archive/2015-12/message/0 Feel free to join that conversation. Thanks in advance ;) |
|
@paulben @notatibm I retested the latest Liberty 2016.1 beta, and includes now generally work, which is great news! Additionally one extra CDI case now works as well, but there are still 4 CDI related failures left. See http://arjan-tijms.omnifaces.org/2016/01/java-ee-7-server-liberty-9-beta-20161.html |
|
@paulben @notatibm I just discovered a new failure with Liberty and JASPIC. As it appears, when a SAM is installed and HttpServletRequest#authenticate is called, the SAM is not invoked at all. Section 3.9.3 of the spec contains the details about this. I've tested against the latest Liberty 16.0.0.2 as well as a somewhat older beta (2016.5) to check if it's a recent regression, but both failed. A new test for this has been added at https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/programmatic-authentication I also made it easier to test against Liberty by adding an "embedded-managed" profile that automatically downloads Liberty from maven. You can test for the above mentioned failure by doing the following from the top level of the EE 7 samples project:
This will print near the end of the test run: Running the test war manually in a browser reveals that Liberty responds to the |
|
@arjantijms @notatibm Thanks for the heads up Arjan. I'll take a look at it. Paul |
|
You're welcome, thank you too. If you need more information just let me know. |
|
Already made any progress with looking at the issue? Also, the return value of the |
|
Yep, that's a bug, which surprised me as we have a test for programmatic authenticate, but obviously the test has a hole in it. We'll try to have a fix in the next beta. I saw your comment in the servlet re GlassFish and JBoss authenticate. I'll keep that in mind for this fix. Paul |
|
Thanks, looking forward to the next beta ;) |
|
@notatibm @paulben I managed to make CDI work inside a SAM by activating the request scope early on Liberty beta 2016.8. In fact, currently CDI actually already does work from within a SAM, but only for the application scope and other scopes that do not depend on the current request. The code I used is this one: From within the validateRequest method of a SAM: Weld already has support for nested invocations to the weldInitialListener, so when Liberty calls the same method later on it's most likely silently ignored. Now clearly this is a hacky solution that I know you can't possibly support officially. Maybe the best solution until the (EE) spec clearly defines this situation is to provide a switch that Liberty users can use in ibm-application-bnd.xml, e.g. That would mean the request initialised event would be thrown as early as a request is available, which I guess is approximately just before you call a JACC provider for the first time in a request (in com.ibm.ws.security.authorization.jacc.web.impl.WebSecurityValidatorImpl#checkDataConstraints) What do you think? |
|
@arjantijms @notatibm Arjan, Sure we can look into doing something along those lines. ATM thinking we'd like to keep it JASPIC specific rather than a general servlet / ibm-application-bnd thing. Also I have the authenticate tests working, should be in the next beta. Paul |
|
@paulben @notatibm JASPIC specific should work I guess. If people need CDI in their security modules they can use JASPIC then, and if they don't need it they can use either JASPIC or the IBM specific artefacts at their choice. Only extra decision point would be whether to activate or not before the first JACC check (which is typically for the
Great, I'll be curious to see if you went with the "Jboss behavior" or the "GlassFish behavior" wrt the return value. Looking forward anyway to it. Thanks! |
|
@paulben @notatibm We've also included Liberty as a CI test target in the JSR 375 RI (Soteria). It does work against 16.0.2 and not the latest beta, since those latest betas do not seem to be available in Maven central (I asked on Twitter as well). The tests can be started as follows:
A lot of them pass already, but for the BASIC authentication mechanism there's an exception that I need to look into still: Looks like the JDK |
|
@arjantijms we don't put the betas in maven central, we would want to be able to remove them and maven doesn't really allow for removal. |
|
@notatibm That makes sense. Wouldn't there be another maven repo (e.g. IBM specific one) where it could be downloaded from? Or the sonatype snapshot repo? |
|
@arjantijms not that contains them. We used to release our maven artifacts into an IBM registry, but it was basically just an http website, rather than an actual repository, so didn't really work very well for people. I wouldn't want to reuse it since peoples expectations are that things from there do not go away. We could replicate, but we haven't had a lot of demand. Although you are the second person to ask recently so perhaps we should consider it. |
Okay, thanks for at least considering it then ;) |
Just to be sure, that next beta is not 2016.9, or is it? I tried that one as well as the stable 16.0.0.3, but Just asking in case it should be in there and I'm doing something wrong somehow. |
|
No, you're not doing anything wrong. Sorry for the confusion, I was thinking next in terms of our internal cutoff schedule. I should have said the beta after next. The fix was too late to make 2016.9, it will be in 2016.10. Paul |
|
Ah, ok. No worries, thanks for the clarification ;) |
|
I think I discovered another bug in Liberty and JASPIC. It concerns the request wrapping. I was investigating erratic behaviour in Liberty with seemingly random null pointer exceptions. As it turned out, Liberty is storing the request (and response) wrappers set by a SAM in the global application scope as servlet context attributes (using E.g. in a Servlet you can do the following: It seems that the wrapper stored here is automatically applied to each request, but this seems incorrect. The wrapper should only be applied to the request in which it was set. The result is that if a delegating wrapper is used (that delegates to the original Liberty request), things seem to be totally corrupted in those other requests. Even worse, since it's stored in the Servlet context it's already potentially seen by other requests while the request in which authentication took place is still running. |
|
Indeed, I wasn't thinking of different behavior per request. I'll look into request scoping it. Paul |
|
Okay, thanks for looking into making it request scoped. Btw, from the stack in a debugger it can be seen that a filter called What happens now is that if a user supplied Filter also wraps the request, What should happen I think is that the very first Filter in the chain sees the request that the SAM wrapped, so it gets a chance to wrap that, and other Filters down the chain can continue wrapping it until it arrives at the target Servlet. A complication here is that using the standard Servlet API it's not really possible AFAIK to absolutely guarantee a given Filter is the very first to be executed. All other servers therefor do something special (container specific) to set the wrapped request and response. |
|
Got the wrappers request scoped, will have to investigate a bit on the wrapping/filter order. Paul |
|
Hi Arjan, Paul |
|
Hi Paul, sounds good, thanks for the update! To help with the filtering issues, I extended the wrapping test here: https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/wrapping On all servers I tested this on (Tomcat, JBoss, Payara, ...) the result is: For Liberty however it's: Hope this test helps and thanks again for all your work on this. |
No description provided.
The text was updated successfully, but these errors were encountered: