This issue has been created
There is 1 update.
 
 
OpenId Connect / OIDC-201 Open

It's possible to end up with a broken token authenticator fallback when uninstalling an extension

 
 

Issue created

 
Thomas Mortagne created this issue on 15/Nov/24 14:22
 
Summary: It's possible to end up with a broken token authenticator fallback when uninstalling an extension
Issue Type: Bug
Affects Versions: 1.15
Assignee: Unassigned
Components: Provider
Created: 15/Nov/24 14:22
Priority: Major
Reporter: Thomas Mortagne
Description:

In some conditions, it's possible for the authenticator to be triggered while it's being reloaded, but the authenticator it's supposed to fall back on is not yet available in the classloader, which will produce an error like:

2024-11-15 00:50:57,539 [http-nio-8080-exec-8 - https://bmc-docs-qa.cloud.xwiki.com/xwiki/bin/get/XWiki/Extensions] WARN  o.x.c.o.p.OIDCBridgeAuth       - Failed to initialize AuthService org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl using Reflection, trying default implementations using 'new'. 
java.lang.ClassNotFoundException: org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
        at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:592)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:467)
        at org.xwiki.contrib.oidc.provider.OIDCBridgeAuth.createAuthService(OIDCBridgeAuth.java:80)
        at org.xwiki.contrib.oidc.provider.OIDCBridgeAuth.<init>(OIDCBridgeAuth.java:61)
        at org.xwiki.contrib.oidc.provider.internal.OIDCBridgeAuthService.<init>(OIDCBridgeAuthService.java:51)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
        at java.base/java.lang.reflect.ReflectAccess.newInstance(ReflectAccess.java:128)
        at java.base/jdk.internal.reflect.ReflectionFactory.newInstance(ReflectionFactory.java:347)
        at java.base/java.lang.Class.newInstance(Class.java:645)
        at org.xwiki.component.embed.EmbeddableComponentManager.createInstance(EmbeddableComponentManager.java:532)
        at org.xwiki.component.embed.EmbeddableComponentManager.getComponentInstance(EmbeddableComponentManager.java:636)
        at org.xwiki.component.embed.EmbeddableComponentManager.getInstance(EmbeddableComponentManager.java:329)
        at org.xwiki.component.embed.EmbeddableComponentManager.getInstance(EmbeddableComponentManager.java:320)
        at org.xwiki.component.embed.EmbeddableComponentManager.getInstance(EmbeddableComponentManager.java:302)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.security.authservice.internal.AuthServiceManager.getAuthService(AuthServiceManager.java:77)
        at com.xpn.xwiki.XWiki.getAuthService(XWiki.java:6000)
        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4365)
        at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:238)
        at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:268)
        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4388)
        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5780)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:548)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339)
        at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:108)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:354)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:840)

When this happens, the authenticator is broken for good.

There are two ways to get back to a stable situation:

  • the simplest is to restart
  • if the authentication is configured in the admin UI and you can still access the admin UI:
    • change the authenticator in the admin UI
    • uninstall an extension "on farm"
    • put back the token authenticator
 
 

1 update

 
Changes by Thomas Mortagne on 15/Nov/24 14:23
 
Description: In some conditions, it's possible for the authenticator to be triggered while it's being reloaded (when uninstalling another extension "from farm"), but the authenticator on which it's supposed to fall back is not yet available in the classloader. This will produce an error like:

{noformat}
2024-11-15 00:50:57,539 [http-nio-8080-exec-8 - https://bmc-docs-qa.cloud.xwiki.com/xwiki/bin/get/XWiki/Extensions] WARN  o.x.c.o.p.OIDCBridgeAuth       - Failed to initialize AuthService org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl using Reflection, trying default implementations using 'new'.
java.lang.ClassNotFoundException: org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
        at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:592)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:467)
        at org.xwiki.contrib.oidc.provider.OIDCBridgeAuth.createAuthService(OIDCBridgeAuth.java:80)
        at org.xwiki.contrib.oidc.provider.OIDCBridgeAuth.<init>(OIDCBridgeAuth.java:61)
        at org.xwiki.contrib.oidc.provider.internal.OIDCBridgeAuthService.<init>(OIDCBridgeAuthService.java:51)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
        at java.base/java.lang.reflect.ReflectAccess.newInstance(ReflectAccess.java:128)
        at java.base/jdk.internal.reflect.ReflectionFactory.newInstance(ReflectionFactory.java:347)
        at java.base/java.lang.Class.newInstance(Class.java:645)
        at org.xwiki.component.embed.EmbeddableComponentManager.createInstance(EmbeddableComponentManager.java:532)
        at org.xwiki.component.embed.EmbeddableComponentManager.getComponentInstance(EmbeddableComponentManager.java:636)
        at org.xwiki.component.embed.EmbeddableComponentManager.getInstance(EmbeddableComponentManager.java:329)
        at org.xwiki.component.embed.EmbeddableComponentManager.getInstance(EmbeddableComponentManager.java:320)
        at org.xwiki.component.embed.EmbeddableComponentManager.getInstance(EmbeddableComponentManager.java:302)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.component.internal.multi.DelegateComponentManager.getInstance(DelegateComponentManager.java:83)
        at org.xwiki.security.authservice.internal.AuthServiceManager.getAuthService(AuthServiceManager.java:77)
        at com.xpn.xwiki.XWiki.getAuthService(XWiki.java:6000)
        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4365)
        at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:238)
        at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:268)
        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4388)
        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5780)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:548)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339)
        at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:108)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:354)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:840)
{noformat}

When this happens, the authenticator is broken for good.

There are two ways to get back to a stable situation:
* the simplest is to restart
* if the authentication is configured in the admin UI and you can still access the admin UI:
** change the authenticator in the admin UI
** uninstall an extension "on farm"
** put back the token authenticator