GERONIMO-6440

unlock keystore action appears to be broken when running server against Oracle JDK 1.7

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.1.8, 2.2.1, 3.0-beta-1
    • Fix Version/s: 3.0.1
    • Component/s: JVM-compatibility
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      To reproduce the issue, you can follow the steps below.
      1. Start the Geronimo 3.0 server.
      2. Use the keytool command to create a keystore with a key. For example,
      keytool -genkeypair -keystore test.jks -alias testkey -keyalg RSA -keysize 2048 -dname "cn=test.apache.org,c=US" -validity 365 -storepass welcome1
      3. Copy the keystore to <geronimo-home>\var\security\keystores
      4. Use deploy encrypt to encrypt the password "welcome"; got the encrypted string:

      {Simple}rO0ABXNyABlqYXZheC5jcnlwdG8uU2VhbGVkT2JqZWN0PjY9psO3VHACAARbAA1lbmNvZGVkUGFyYW1zdAACW0JbABBlbmNyeXB0ZWRDb250ZW50cQB+AAFMAAlwYXJhbXNBbGd0ABJMamF2YS9sYW5nL1N0cmluZztMAAdzZWFsQWxncQB+AAJ4cHB1cgACW0Ks8xf4BghU4AIAAHhwAAAAEKvo5tkjHVqHlsBtDNRytadwdAADQUVT

      Add the string to config-substitution.properties like this:

      test.jks = {Simple}rO0ABXNyABlqYXZheC5jcnlwdG8uU2VhbGVkT2JqZWN0PjY9psO3VHACAARbAA1lbmNvZGVkUGFyYW1zdAACW0JbABBlbmNyeXB0ZWRDb250ZW50cQB+AAFMAAlwYXJhbXNBbGd0ABJMamF2YS9sYW5nL1N0cmluZztMAAdzZWFsQWxncQB+AAJ4cHB1cgACW0Ks8xf4BghU4AIAAHhwAAAAEKvo5tkjHVqHlsBtDNRytadwdAADQUVT
      testkey = {Simple}rO0ABXNyABlqYXZheC5jcnlwdG8uU2VhbGVkT2JqZWN0PjY9psO3VHACAARbAA1lbmNvZGVkUGFyYW1zdAACW0JbABBlbmNyeXB0ZWRDb250ZW50cQB+AAFMAAlwYXJhbXNBbGd0ABJMamF2YS9sYW5nL1N0cmluZztMAAdzZWFsQWxncQB+AAJ4cHB1cgACW0Ks8xf4BghU4AIAAHhwAAAAEKvo5tkjHVqHlsBtDNRytadwdAADQUVT

      5. Restart the server.
      6. Use the deploy unlock-keystore command to unlock test.jks. For example,
      deploy -u system -p manager unlock-keystore test.jks

      The unlock action appears to succeed, but you can find the ERROR below in the admin console. It will generate an incomplete j2ee-security module in config.xml. When you restart the server, the restart will fail on it.

      2013-02-27 11:41:06,564 WARN [FileKeystoreManager] keystoreType for new keystore "test.jks" set to "jks" based on file extension.

      2013-02-27 11:41:06,660 ERROR [LocalAttributeManager] Unable to format attribute of type java.net.URI; no editor found
      2013-02-27 11:41:06,660 WARN [BasicProxyManager] Could not load interface org.apache.geronimo.security.keystore.FileKeystoreInstance in provided ClassLoader for org.apache.geronimo.framework/j2ee-security/3.0.0/car?ServiceModule=org.apache.geronimo.framework/j2ee-security/3.0.0/car,j2eeType=Keystore,name=test.jks

        Activity

        xiezhi added a comment -

        The root cause is that Oracle JDK made some changes from JDK 1.6 to 1.7.
        A Java source file named java.beans.PropertyEditorManager.java has changed its method findEditor(Class<?> targetType). The change makes findEditor unable to return a valuable result (actually it is null). The server then throws an InvalidAttributeException with the message "Unable to format attribute of type java.net.URI; no editor found."

        xiezhi added a comment -

        The root cause is that there is no action in Oracle JDK 1.7 when ThreadGroupContext.getContext().getPropertyEditorFinder().find(targetType) can't find a PropertyEditor.

        In Oracle JDK 1.6 the PropertyEditorManager uses three techniques for locating an editor for a given type.
        1. It provides a registerEditor method to allow an editor to be specifically registered for a given type.
        2. It tries to locate a suitable class by adding "Editor" to the fully qualified classname of the given type (e.g. "foo.bah.FozEditor").
        3. It takes the simple classname (without the package name), adds "Editor" to it and looks in a search path of packages for a matching class.
        Obviously, it misses the last 2 techniques in 1.7.

        So I think we should add the missing techniques in org.apache.geronimo.common.propertyeditor.findEditor(Class).

        xiezhi added a comment -

        I missed it before. The root cause, I guess, is that the Geronimo propertyeditor package couldn't be saved. So before calling PropertyEditorManager to find an editor, verify the searchPath list; if the Geronimo propertyeditor package is missing, add it.
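
The search-path check proposed in the comment above, sketched as an added example (this is not the patch attached to this issue, nor the code committed for it). The package `example.propertyeditor` and the helper `ensureSearchPath` are hypothetical; only the `java.beans.PropertyEditorManager` calls are the JDK's own.

```java
// File: URIEditor.java (hypothetical package and class, constructed for this example)
package example.propertyeditor;

import java.beans.PropertyEditor;
import java.beans.PropertyEditorManager;
import java.beans.PropertyEditorSupport;
import java.net.URI;
import java.util.Arrays;

/** Editor that the search-path lookup can find as "<package>.URIEditor". */
public class URIEditor extends PropertyEditorSupport {

    @Override
    public void setAsText(String text) {
        setValue(URI.create(text));
    }

    @Override
    public String getAsText() {
        Object value = getValue();
        return value == null ? null : value.toString();
    }

    /** Adds pkg to the editor search path only if it is not already listed. */
    static void ensureSearchPath(String pkg) {
        String[] path = PropertyEditorManager.getEditorSearchPath();
        if (Arrays.asList(path).contains(pkg)) {
            return; // already present, leave the path untouched
        }
        String[] extended = Arrays.copyOf(path, path.length + 1);
        extended[path.length] = pkg;
        PropertyEditorManager.setEditorSearchPath(extended);
    }

    public static void main(String[] args) {
        // Nothing is registered for URI here, so only a name-based lookup can find an editor.
        System.out.println("before: " + PropertyEditorManager.findEditor(URI.class));

        // Verify the search path right before the lookup, as the comment proposes.
        ensureSearchPath(URIEditor.class.getPackage().getName());
        PropertyEditor editor = PropertyEditorManager.findEditor(URI.class);
        if (editor == null) {
            throw new IllegalStateException("no editor found for java.net.URI");
        }
        editor.setValue(URI.create("file:///constructed/sample/test.jks")); // constructed value
        System.out.println("after:  " + editor.getClass().getName() + " -> " + editor.getAsText());
    }
}
```

Compile with `javac -d . URIEditor.java` and run `java example.propertyeditor.URIEditor`.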

        xiezhi added a comment -

        Uploaded a patch. Please check it.

        xiezhi added a comment -

        Updated the patch.

        xiezhi added a comment -

        Got some advice, updated the patch.

        Jarek Gawor added a comment -

        I applied a slightly modified patch (to make it a bit more efficient) in revision 1458076. Please verify.

        xiezhi added a comment -

        Jarek, totally agree. More efficient and nicer.


          People

          • Assignee:
            Jarek Gawor
            Reporter:
            xiezhi