After Patching to GlassFish 2.1.1 Patch 7 or later, OpenSSO Single-Sign On Fails Affecting Remote Authentication. (Doc ID 1309733.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle GlassFish Server - Version 2.1.1 to 2.1.1 [Release 2.1]
Information in this document applies to any platform.

Symptoms

Single sign-on access using the OpenSSO client SDK from another GlassFish server works on GF 2.1.1 p06 and earlier. However, after the GlassFish installation used by the OpenSSO server is updated to GF 2.1.1 p07 or later (until patch 13), OpenSSO single sign-on stops working. Updating the remote client SDK or the remote GlassFish server does not provide relief.

When the problem occurs, no exception or error is visible on the OpenSSO server/GlassFish server side; however, some exceptions can be seen on the OpenSSO client side.

For example, with the OpenSSO remote client used by the Sun Convergence application (/iwc), the following exception is seen in the iwc log file /var/opt/sun/comms/iwc/logs/iwc.log:

AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-80-1 at 2010-12-27 18:57:32,525 -
com.sun.comms.client.security.sso.SingleSignOnException: Message:New Generic Exception
at com.sun.comms.client.security.sso.impl.SunBaseIdentitySSOProvider.SingleSignOn(Unknown Source)
at com.sun.comms.client.web.sso.SSOFilter.doFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
... trimmed ....
at com.sun.comms.client.web.SetCharacterEncodingFilter.doFilter(Unknown Source)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:291)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:672)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:291)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:672)
at com.sun.enterprise.web.connector.grizzly.comet.CometEngine.executeServlet(CometEngine.java:619)
at com.sun.enterprise.web.connector.grizzly.comet.CometEngine.handle(CometEngine.java:363)
at com.sun.enterprise.web.connector.grizzly.comet.CometAsyncFilter.doFilter(CometAsyncFilter.java:84)
at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.invokeFilters(DefaultAsyncExecutor.java:189)
at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.interrupt(DefaultAsyncExecutor.java:164)
at com.sun.enterprise.web.connector.grizzly.async.AsyncProcessorTask.doTask(AsyncProcessorTask.java:92)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:264)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: Message:New Generic Exception
at com.sun.identity.idm.remote.IdRemoteServicesImpl.processException(IdRemoteServicesImpl.java:160)
at com.sun.identity.idm.remote.IdRemoteServicesImpl.getAttributes(IdRemoteServicesImpl.java:243)
at com.sun.identity.idm.remote.IdRemoteCachedServicesImpl.getAttributes(IdRemoteCachedServicesImpl.java:350)
at com.sun.identity.idm.AMIdentity.getAttribute(AMIdentity.java:407)
... 40 more


The key symptom in the client log when the problem occurs is a failure in the "IdRemoteServicesImpl.getAttributes()" method call:

Caused by: Message:New Generic Exception
at com.sun.identity.idm.remote.IdRemoteServicesImpl.processException(IdRemoteServicesImpl.java:160)
at com.sun.identity.idm.remote.IdRemoteServicesImpl.getAttributes(IdRemoteServicesImpl.java:243)
at com.sun.identity.idm.remote.IdRemoteCachedServicesImpl.getAttributes(IdRemoteCachedServicesImpl.java:350)
at com.sun.identity.idm.AMIdentity.getAttribute(AMIdentity.java:407)


Some remote clients, such as "ssoadm list-agents", may provide a more detailed exception in the debug logs, for example:

ERROR: IdRemoteServicesImpl.processException(): caught remote/un-known exception -
java.lang.NullPointerException
at com.sun.identity.shared.jaxrpc.SOAPClient$SOAPContentHandler.endElement(SOAPClient.java:709)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:601)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1782)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2938)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
at com.sun.identity.shared.jaxrpc.SOAPClient.send(SOAPClient.java:342)
at com.sun.identity.shared.jaxrpc.SOAPClient.send(SOAPClient.java:310)
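
To check a client log for the two signatures shown above, the following added example (not part of the original document or of any Oracle tooling) groups log lines into records and flags those containing the IdRemoteServicesImpl.getAttributes() failure or the SOAPClient NullPointerException. The record-start pattern and the sample log are assumptions constructed from the excerpts on this page.

```python
import re

# Consecutive frames this page names as the signature of the failure.
SIGNATURES = {
    "client-getAttributes": ("com.sun.identity.idm.remote.IdRemoteServicesImpl.processException",
                             "com.sun.identity.idm.remote.IdRemoteServicesImpl.getAttributes"),
    "soap-npe": ("java.lang.NullPointerException",
                 "com.sun.identity.shared.jaxrpc.SOAPClient$SOAPContentHandler.endElement"),
}
# Assumption: a record starts with a level prefix ("AUTH: DEBUG from", "ERROR:").
RECORD_START = re.compile(r"^(?:[A-Z]+: )?(?:DEBUG|ERROR|WARNING|INFO)\b")

def split_records(text):
    """Group lines into records: one header line plus its stack-trace lines."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        records.append(current)
    return records

def classify(record):
    """Names of the signatures whose frames appear on consecutive lines."""
    return [name for name, frames in SIGNATURES.items()
            if any(all(f in record[i + j] for j, f in enumerate(frames))
                   for i in range(len(record) - len(frames) + 1))]

def triage(text):
    """(header, signatures) for every record that matches at least one signature."""
    return [(rec[0], classify(rec)) for rec in split_records(text) if classify(rec)]

# Constructed sample: excerpts of the two traces above plus one unrelated record.
SAMPLE = """\
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-80-1 at 2010-12-27 18:57:32,525 -
com.sun.comms.client.security.sso.SingleSignOnException: Message:New Generic Exception
Caused by: Message:New Generic Exception
at com.sun.identity.idm.remote.IdRemoteServicesImpl.processException(IdRemoteServicesImpl.java:160)
at com.sun.identity.idm.remote.IdRemoteServicesImpl.getAttributes(IdRemoteServicesImpl.java:243)
AUTH: INFO from com.example.Other - constructed unrelated record
ERROR: IdRemoteServicesImpl.processException(): caught remote/un-known exception -
java.lang.NullPointerException
at com.sun.identity.shared.jaxrpc.SOAPClient$SOAPContentHandler.endElement(SOAPClient.java:709)
"""

if __name__ == "__main__":
    for header, names in triage(SAMPLE):
        print(names, header)
```

Matching on fully qualified frame names keeps the IdRemoteCachedServicesImpl frame and the unqualified "IdRemoteServicesImpl.processException()" text in the ERROR header from producing false hits.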

Changes

Upgrading the GlassFish installation used by the OpenSSO server from 2.1.1 p06 or lower to 2.1.1 p07 through 2.1.1 p12.

Cause
