OpenAM / OPENAM-11548

Improve Scope validator class loading error handling

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 13.5.1, 14.1.1
    • Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2
    • Component/s: oauth2
    • Environment:
      Tomcat 7 & 8.5.x
    • Sprint:
      AM Sustaining Sprint 44, AM Sustaining Sprint 45
    • Story Points:
      3
    • Needs backport:
      Yes
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      Currently, if a custom scope validator is added and there is an error, the logging is not so good or is sometimes missing.

      How to reproduce the issue

      1. Configure a custom scope validator
      2. Configure an OAuth2 client
      3. Test that this works and enable MESSAGE debug

      Now there are two cases.
      Case a) Class missing. Remove the class

      OAuth2Provider:08/14/2017 05:21:27:725 PM SGT: Thread[http-nio-8080-exec-6,5,main]: TransactionId[87f17755-76ed-4759-8541-c002cde8812e-72]
      ERROR: org.test.MyScopeValidator

      • The log is not correct.

      Case b) Class is found but may not be accessible due to permission
      (possibly due to different user / provisioning issues etc)

      In this case there is no indication of any failure in the getScopeValidator()
      and the scope validator is not loaded (there is not even any class not found
      exception)

      Tomcat classloader throws NPE!!!
      java.lang.NullPointerException
              at org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2567)
              at org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:859)
              at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1302)
              at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1167)
              at java.lang.Class.forName0(Native Method)
              at java.lang.Class.forName(Class.java:264)
              at org.forgerock.oauth2.core.OAuth2ProviderSettings.getScopeValidator(OAuth2ProviderSettings.java:384)
              at org.forgerock.oauth2.core.OAuth2ProviderSettings.validateAccessTokenScope(OAuth2ProviderSettings.java:428)
              at org.forgerock.oauth2.core.PasswordCredentialsGrantTypeHandler.handle(PasswordCredentialsGrantTypeHandler.java:95)
      

      The improvement request is to print more details. Case (b) is very non-obvious when the ScopeValidator
      fails to load due to the above permission issue. (PS: the above is not seen in the logs; it was seen only because a debugger was explicitly attached to trap why things fail)

      Expected behaviour

      Better error for failing to load the validators.

      Current behaviour
      Missing logs or ambiguous logs
      

      Code analysis

      getScopeValidator() does call Class.forName(...), but the code
      then catches ClassNotFoundException (e) and logs e.getMessage().
      The problem is that this only gives the class name, so this case
      should be changed to log a more accurate error.

      There are other possible failures, and those seep out and are
      caught by later OAuth2 service routines (they are wrapped
      in ServerException) and sometimes just do not provide the reason why
      the scope validator is causing this (no error). In the case of the failure where the scope validator class is not readable, Tomcat throws an NPE
      for Class.forName(). So maybe this needs to be trapped.
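
The two logging behaviours from the code analysis, side by side, as an added sketch that is not OpenAM's own code or the fix that shipped. `ScopeValidator`, `GoodValidator`, `loadTerse` and `loadVerbose` are hypothetical names, and `java.util.logging` stands in for the product's debug logger.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class ScopeValidatorLoading {
    private static final Logger LOG = Logger.getLogger("OAuth2Provider");

    /** Hypothetical stand-in for the scope validator plugin interface. */
    public interface ScopeValidator { }

    /** Constructed sample plugin that is present on the classpath. */
    public static class GoodValidator implements ScopeValidator { }

    /** Pattern described in the report: only e.getMessage() is logged. */
    static ScopeValidator loadTerse(String className) {
        try {
            return (ScopeValidator) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            LOG.severe(e.getMessage()); // the message carries only the class name
            return null;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e); // leaks out with no validator context
        }
    }

    /** Says what failed, for which class, and keeps the cause and stack trace. */
    static ScopeValidator loadVerbose(String className) {
        try {
            Class<?> c = Class.forName(className);
            return c.asSubclass(ScopeValidator.class)
                    .getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            LOG.log(Level.SEVERE, "Scope validator class not found: " + className, e);
        } catch (ReflectiveOperationException | LinkageError e) {
            LOG.log(Level.SEVERE, "Scope validator " + className
                    + " could not be instantiated", e);
        } catch (RuntimeException e) {
            // Traps the NullPointerException thrown by the container class loader
            // in case (b), and a ClassCastException from a wrong plugin type.
            LOG.log(Level.SEVERE, "Scope validator " + className
                    + " failed to load: " + e, e);
        }
        return null; // the caller must treat null as a failed load
    }

    public static void main(String[] args) {
        loadTerse("org.test.MyScopeValidator");   // class name from the report
        loadVerbose("org.test.MyScopeValidator");
        System.out.println(loadVerbose(GoodValidator.class.getName()) != null);
    }
}
```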

            People

            • Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              chee-weng.chea C-Weng C