OPENAM-11548

Improve Scope validator class loading error handling



    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 13.5.1, 14.1.1
    • Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2
    • Component/s: oauth2
    • Environment: Tomcat 7 & 8.5.x
    • Sprint: AM Sustaining Sprint 44, AM Sustaining Sprint 45
    • 3
    • Yes
    • No
    • No
    • Yes and I used the same an in the description


      Bug description

      Currently, if a custom scope validator is configured and it fails to load, the logging is poor and sometimes missing entirely.

      How to reproduce the issue

      1. Configure a custom scope validator
      2. Configure an OAuth2 client
      3. Test that it works and enable MESSAGE debug

      There are two cases.
      a) Class missing. Remove the class:

      OAuth2Provider:08/14/2017 05:21:27:725 PM SGT: Thread[http-nio-8080-exec-6,5,main]: TransactionId[87f17755-76ed-4759-8541-c002cde8812e-72]
      ERROR: org.test.MyScopeValidator

      • The log output is not correct: it prints only the class name, not what went wrong.

      Case b) Class is found but may not be accessible due to permissions
      (possibly due to a different user / provisioning issues etc.)

      In this case there is no indication of any failure in getScopeValidator(),
      and the scope validator is not loaded (there is not even a class-not-found error).

      The Tomcat classloader throws an NPE:
              at org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2567)
              at org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:859)
              at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1302)
              at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1167)
              at java.lang.Class.forName0(Native Method)
              at java.lang.Class.forName(Class.java:264)
              at org.forgerock.oauth2.core.OAuth2ProviderSettings.getScopeValidator(OAuth2ProviderSettings.java:384)
              at org.forgerock.oauth2.core.OAuth2ProviderSettings.validateAccessTokenScope(OAuth2ProviderSettings.java:428)
              at org.forgerock.oauth2.core.PasswordCredentialsGrantTypeHandler.handle(PasswordCredentialsGrantTypeHandler.java:95)

      The improvement request is to print more details. Case (b) is very non-obvious when the ScopeValidator
      fails to load due to the above permission issue. (PS: the stack trace above is not seen in the logs; it was obtained by explicitly attaching a debugger to trap why things fail.)

      Expected behaviour

      A clear error when a validator fails to load.

      Current behaviour
      Missing or ambiguous logs

      Code analysis

      getScopeValidator() calls Class.forName(...), but the code
      then catches ClassNotFoundException and logs only e.getMessage().
      The problem is that for ClassNotFoundException the message is just the class name,
      so this case should be changed to log an error that actually states the class could not be found.

      There are also other possible failures; those escape getScopeValidator() and are
      caught by later OAuth2 service routines (they are wrapped
      in a ServerException), which sometimes give no reason why
      the Scope Validator is causing the failure (no error at all). In the case where the scope validator class is not readable, Tomcat throws an NPE
      out of Class.forName(), so that should probably be trapped as well.
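      To make the two code-analysis points concrete, here is an added example (written for this page, not OpenAM's own OAuth2ProviderSettings code) that contrasts the weak pattern described above with a loader that reports each failure kind by name. The ScopeValidator interface, the ScopeValidatorLoadException class and the ScopeValidatorLoader class are hypothetical stand-ins; the failure categories are the ones the report mentions: class not found (message is only the class name), an unchecked exception such as the NPE thrown by the container's class loader when the class file is unreadable, plus the linkage and instantiation errors that would otherwise surface later wrapped in a generic exception.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical stand-in for the product's scope validator interface.
interface ScopeValidator {
    boolean isValidScope(String scope);
}

// Hypothetical checked exception that carries a human-readable reason.
class ScopeValidatorLoadException extends Exception {
    ScopeValidatorLoadException(String message, Throwable cause) {
        super(message, cause);
    }
}

public class ScopeValidatorLoader {
    private static final Logger LOG = Logger.getLogger(ScopeValidatorLoader.class.getName());

    // "Before": the pattern the report describes. ClassNotFoundException.getMessage()
    // is just the class name, so the log line says nothing about what went wrong, and
    // any RuntimeException thrown by the class loader escapes this method unlogged.
    static ScopeValidator loadWeak(String className) {
        try {
            return (ScopeValidator) Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            LOG.severe(e.getMessage());           // logs only "org.test.MyScopeValidator"
            return null;
        } catch (ReflectiveOperationException e) {
            return null;                          // silently swallowed
        }
    }

    // "After": every failure mode names the class, the kind of failure and the cause.
    static ScopeValidator load(String className, ClassLoader loader) throws ScopeValidatorLoadException {
        Class<?> raw;
        try {
            raw = Class.forName(className, true, loader);
        } catch (ClassNotFoundException e) {
            throw fail("class not found on the classpath", className, e);
        } catch (LinkageError e) {
            // NoClassDefFoundError / ExceptionInInitializerError from a dependency or static initialiser
            throw fail("class could not be linked or initialised", className, e);
        } catch (RuntimeException e) {
            // The report shows the container's class loader throwing NPE when the class file is unreadable.
            throw fail("class loader threw " + e.getClass().getName()
                    + " (is the class file readable by the container user?)", className, e);
        }
        if (!ScopeValidator.class.isAssignableFrom(raw)) {
            throw fail("class does not implement " + ScopeValidator.class.getName(), className, null);
        }
        try {
            return (ScopeValidator) raw.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw fail("could not be instantiated (needs a public no-arg constructor)", className, e);
        }
    }

    // Builds one descriptive message, logs it with the cause, and returns the exception to throw.
    private static ScopeValidatorLoadException fail(String reason, String className, Throwable cause) {
        String msg = "Failed to load scope validator '" + className + "': " + reason
                + (cause == null ? "" : " [" + cause + "]");
        LOG.log(Level.SEVERE, msg, cause);
        return new ScopeValidatorLoadException(msg, cause);
    }

    // Demo: a missing class (constructed name) and an existing class that is not a ScopeValidator.
    public static void main(String[] args) {
        for (String name : new String[] {"org.test.MyScopeValidator", "java.lang.String"}) {
            try {
                load(name, ScopeValidatorLoader.class.getClassLoader());
            } catch (ScopeValidatorLoadException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

      Running the demo prints one line per failure naming the class and the reason, which is the information the report asks for; callers that wrap the exception in a ServerException keep the cause chain, so the original class-loader exception remains visible in the debug log.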




            Assignee: Lawrence Yarham (lawrence.yarham)
            Reporter: C-Weng C (chee-weng.chea)