  1. OpenDJ
  2. OPENDJ-2301

Wrong http status code when servlet ssl configuration is incorrect

    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.6.0
    • Component/s: rest
    • Labels:
      None

      Description

      Found using Rest2Ldap Servlet Gateway 3.0.0.c8f8d63a589ddda509689e2d0257dccf4e6f1c4c

      Problem only with Tomcat 6 or 7.

      Scenario:
      ***********
      1. configure a DJ server with SSL enabled
      2. deploy the Rest2Ldap Servlet Gateway in a Tomcat container
      3. enable SSL in the servlet configuration (set correct values for fileBasedTrustManagerType and fileBasedTrustManagerFile) but set an incorrect value for fileBasedTrustManagerPassword
      4. start the Tomcat container
      5. try to do a GET on an existing resource

      As the keystore password is wrong, we expected the HTTP GET to fail.
      But we expect to have a 404 (as in the previous Rest2Ldap version) as the HTTP result code, and we get 500.

      Using 3.0.0:
      *************

      -- http status --
      returned 500, expected 404
      -- content --
      <html><head><title>Apache Tomcat/7.0.62 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Failed to start HTTP Application</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Failed to start HTTP Application</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.servlet.ServletException: Failed to start HTTP Application
      	org.forgerock.http.servlet.HttpFrameworkServlet.init(HttpFrameworkServlet.java:138)
      	javax.servlet.GenericServlet.init(GenericServlet.java:158)
      	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
      	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
      	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
      	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
      	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
      	org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
      	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	java.lang.Thread.run(Thread.java:745)
      </pre></p><p><b>root cause</b> <pre>org.forgerock.http.HttpApplicationException: Unable to start Rest2Ldap Http Application
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication.start(Rest2LDAPHttpApplication.java:151)
      	org.forgerock.http.servlet.HttpFrameworkServlet.init(HttpFrameworkServlet.java:136)
      	javax.servlet.GenericServlet.init(GenericServlet.java:158)
      	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
      	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
      	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
      	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
      	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
      	org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
      	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	java.lang.Thread.run(Thread.java:745)
      </pre></p><p><b>root cause</b> <pre>java.lang.IllegalArgumentException: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:1040)
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:867)
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:885)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication$HttpHandler.createLdapConnectionFactory(Rest2LDAPHttpApplication.java:93)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication$HttpHandler.&lt;init&gt;(Rest2LDAPHttpApplication.java:58)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication.start(Rest2LDAPHttpApplication.java:143)
      	org.forgerock.http.servlet.HttpFrameworkServlet.init(HttpFrameworkServlet.java:136)
      	javax.servlet.GenericServlet.init(GenericServlet.java:158)
      	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
      	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
      	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
      	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
      	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
      	org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
      	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	java.lang.Thread.run(Thread.java:745)
      </pre></p><p><b>root cause</b> <pre>java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
      	sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1317)
      	java.security.KeyStore.load(KeyStore.java:1214)
      	org.forgerock.opendj.ldap.TrustManagers.checkUsingTrustStore(TrustManagers.java:333)
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:1031)
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:867)
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:885)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication$HttpHandler.createLdapConnectionFactory(Rest2LDAPHttpApplication.java:93)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication$HttpHandler.&lt;init&gt;(Rest2LDAPHttpApplication.java:58)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication.start(Rest2LDAPHttpApplication.java:143)
      	org.forgerock.http.servlet.HttpFrameworkServlet.init(HttpFrameworkServlet.java:136)
      	javax.servlet.GenericServlet.init(GenericServlet.java:158)
      	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
      	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
      	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
      	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
      	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
      	org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
      	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	java.lang.Thread.run(Thread.java:745)
      </pre></p><p><b>root cause</b> <pre>javax.crypto.BadPaddingException: Given final block not properly padded
      	com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811)
      	com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676)
      	com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:355)
      	com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40.engineDoFinal(PKCS12PBECipherCore.java:462)
      	javax.crypto.Cipher.doFinal(Cipher.java:2087)
      	sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1308)
      	java.security.KeyStore.load(KeyStore.java:1214)
      	org.forgerock.opendj.ldap.TrustManagers.checkUsingTrustStore(TrustManagers.java:333)
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:1031)
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:867)
      	org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:885)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication$HttpHandler.createLdapConnectionFactory(Rest2LDAPHttpApplication.java:93)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication$HttpHandler.&lt;init&gt;(Rest2LDAPHttpApplication.java:58)
      	org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication.start(Rest2LDAPHttpApplication.java:143)
      	org.forgerock.http.servlet.HttpFrameworkServlet.init(HttpFrameworkServlet.java:136)
      	javax.servlet.GenericServlet.init(GenericServlet.java:158)
      	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
      	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
      	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
      	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
      	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
      	org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
      	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	java.lang.Thread.run(Thread.java:745)
      </pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.62 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.62</h3></body></html>
      

      Here are the traces in the 'catalina.out' file:

      SEVERE: Allocate exception for servlet OpenDJ REST LDAP Gateway
      javax.crypto.BadPaddingException: Given final block not properly padded
      	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811)
      	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676)
      	at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:355)
      	at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40.engineDoFinal(PKCS12PBECipherCore.java:462)
      	at javax.crypto.Cipher.doFinal(Cipher.java:2087)
      	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1308)
      	at java.security.KeyStore.load(KeyStore.java:1214)
      	at org.forgerock.opendj.ldap.TrustManagers.checkUsingTrustStore(TrustManagers.java:333)
      	at org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:1031)
      	at org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:867)
      	at org.forgerock.opendj.rest2ldap.Rest2LDAP.configureConnectionFactory(Rest2LDAP.java:885)
      	at org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication$HttpHandler.createLdapConnectionFactory(Rest2LDAPHttpApplication.java:93)
      	at org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication$HttpHandler.<init>(Rest2LDAPHttpApplication.java:58)
      	at org.forgerock.opendj.rest2ldap.Rest2LDAPHttpApplication.start(Rest2LDAPHttpApplication.java:143)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.init(HttpFrameworkServlet.java:136)
      	at javax.servlet.GenericServlet.init(GenericServlet.java:158)
      	at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1284)
      	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
      	at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      

      Using 2.6.x
      *************

      -- http status --
      returned 404, expected 404
      -- content --
      <html><head><title>Apache Tomcat/7.0.62 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /rest2ldap/read/user.1</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/rest2ldap/read/user.1</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.62</h3></body></html>
      

      Here are the traces in the 'catalina.out' file:

      Sep 22, 2015 3:06:08 PM org.apache.catalina.core.StandardContext filterStart
      SEVERE: Exception starting filter OpenDJ Commons REST LDAP Authentication Filter
      javax.servlet.ServletException: Servlet filter configuration file '/opendj-rest2ldap-servlet.json' could not be read: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
      	at org.forgerock.opendj.rest2ldap.servlet.Rest2LDAPAuthnFilter.init(Rest2LDAPAuthnFilter.java:386)
      	at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:279)
      	at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:260)
      	at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:105)
      	at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4854)
      	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5546)
      	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
      	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
      	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
      	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
      	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1263)
      	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1948)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      
      Sep 22, 2015 3:06:08 PM org.apache.catalina.core.StandardContext startInternal
      SEVERE: One or more Filters failed to start. Full details will be found in the appropriate container log file
      Sep 22, 2015 3:06:08 PM org.apache.catalina.core.StandardContext startInternal
      SEVERE: Context [/rest2ldap] startup failed due to previous errors
      

      NOTE:
      I logged the issue on 3.0.0 as the HTTP status has changed compared to the 2.6.x version.
      If this new HTTP status code/behavior (HTTP status 500) is more accurate, I will change the "Affect version" to 2.6.3.

            People

            • Assignee:
              matthew Matthew Swift
              Reporter:
              csovant Christophe Sovant
              Dev Assignee:
              Matthew Swift
              QA Assignee:
              Christophe Sovant
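A pre-deployment check for the misconfiguration in this report, added here as an example (not code from OpenDJ or from the reporter): it opens a PKCS12 trust store with the configured password and separates a wrong password from an unreadable file, so the problem surfaces before the gateway serves an error page with a stack trace. The class name, the `Result` enum and the in-memory sample store are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.KeyGenerator;

public class TrustStorePreflight {
    enum Result { OK, WRONG_PASSWORD, UNREADABLE }

    // Open the PKCS12 store the same way KeyStore.load is called in the traces
    // above and classify the outcome. Nothing here logs or echoes the password.
    static Result check(byte[] pkcs12, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(pkcs12), password);
            return Result.OK;
        } catch (IOException | GeneralSecurityException e) {
            // A bad password surfaces as an IOException whose cause chain holds
            // BadPaddingException (the trace on this page) or
            // UnrecoverableKeyException (integrity check on current JDKs).
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof BadPaddingException || t instanceof UnrecoverableKeyException) {
                    return Result.WRONG_PASSWORD;
                }
            }
            return Result.UNREADABLE; // truncated, corrupt or not PKCS12
        }
    }

    // Constructed sample: an in-memory PKCS12 store holding one AES key entry.
    static byte[] sampleStore(char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("constructed-entry",
                new KeyStore.SecretKeyEntry(KeyGenerator.getInstance("AES").generateKey()),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] good = "constructed-password".toCharArray();
        byte[] store = sampleStore(good);
        System.out.println("correct password: " + check(store, good));
        System.out.println("wrong password:   " + check(store, "not-the-password".toCharArray()));
        System.out.println("truncated file:   " + check(Arrays.copyOf(store, 16), good));
    }
}
```

To check a real deployment, pass the bytes of the file named by fileBasedTrustManagerFile and the value of fileBasedTrustManagerPassword to `check`.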