POST to 'lockouts' on user service plugin causes internal server error

Gary13 · April 2, 2015, 3:19am

I’m trying to call:

POST https://myserver.com:9091/plugins/userService/lockouts/userid

Using version 2.0.2 of the “User Service” administration plugin on version 3.9.3 of Openfire but am getting (I think) the following exception in the logs:

2015.04.02 03:04:58 org.jivesoftware.openfire.container.PluginServlet - No thread local value in scope for proxy of class com.sun.proxy.$Proxy5 java.lang.IllegalStateException: No thread local value in scope for proxy of class com.sun.proxy.$Proxy5 at com.sun.jersey.server.impl.ThreadLocalInvoker.invoke(ThreadLocalInvoker.java:93 ) at com.sun.proxy.$Proxy5.getHeader(Unknown Source) at org.jivesoftware.openfire.plugin.AuthFilter.filter(AuthFilter.java:51) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApp licationImpl.java:1527) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApp licationImpl.java:1473) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebAppl icationImpl.java:1419) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebAppl icationImpl.java:1409) at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409 ) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer. java:540) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer. java:715) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at org.jivesoftware.openfire.container.PluginServlet.handleServlet(PluginServlet.j ava:316) at org.jivesoftware.openfire.container.PluginServlet.service(PluginServlet.java:11 1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:547) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1359) at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:78) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:164) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:11 8) at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:478) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:22 7) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:94 1) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186 ) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875 ) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandler Collection.java:250) at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.jav a:149) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110) at org.eclipse.jetty.server.Server.handle(Server.java:349) at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441) at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConne ction.java:919) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:582) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:218) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:51 ) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.jav a:586) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java :44) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598 ) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533) at java.lang.Thread.run(Thread.java:745)

I am doing this to lockout a freshly created user which was created by calling:

POST https://myserver.com:9091/plugins/userService/users

with the relevant payload.

Anyone any idea what is going wrong? Is the exception even relevant, it’s difficult to track down the exact error.

Redeyes · April 2, 2015, 7:54am

Could you provide me your full HTTP request (with headers). And which response do you get from userService plugin?

POST https://myserver.com:9091/plugins/userService/lockouts/userid

I guess the userid is the username?

Contains your userId some special characters? (/_?) etc.?

Gary13 · April 2, 2015, 9:15am

The only header that is being set is the Authorization header via HttpURLConnection.setRequestProperty.

I can’t actually see the full request (is there a way to see the full request at the Openfire end?). It is using the same code for both requests which is weird why the first one for creating works and the second fails.

The username is an email address, I’ve tried escaping it using XmppStringUtils.escapeLocalpart, I’ve tried not escaping. I’ve tried url encoding it and I’ve tried url encoding it with escaping and without. I still get the same error.

Redeyes · April 2, 2015, 9:35am

Ok, the email is the problem. Because the email contains the @ which will be chopped by openfire filter.

This issue is already fixed in the latest version of openfire 3.10.0.

Solution 1) you use openfire 3.10.0

Solution 2) username should be not the email. (If you create a new user you have also the possibility to save the email)

Example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user>
    <username>testuser</username>
    <password>p4ssword</password>
    <name>Test User</name>
    <email>test@localhost.de</email>
</user>

Gary13 · April 2, 2015, 10:02am

Thanks. So how do I get hold of version 3.10.0? Is there an eta for its release?

Redeyes · April 2, 2015, 11:31am

I don’t know the ETA but you could use the nightly version: Ignite Realtime: Openfire Nightly Builds

Gary13 · April 23, 2015, 12:53am

I’ve just upgraded to version 3.10.0 and I’m still getting the problem even when not using an email address, so if I have the url:

https://myhost.com/plugins/userService/lockouts/12345-12345-abcde

and am doing a POST.

I still get the error:

2015.04.23 00:48:36 org.jivesoftware.openfire.container.PluginServlet - No thread local value in scope for proxy of class com.sun.proxy.$Proxy58

java.lang.IllegalStateException: No thread local value in scope for proxy of class com.sun.proxy.$Proxy58

at com.sun.jersey.server.impl.ThreadLocalInvoker.invoke(ThreadLocalInvoker.java:93 )

at com.sun.proxy.$Proxy58.getHeader(Unknown Source)

at org.jivesoftware.openfire.plugin.AuthFilter.filter(AuthFilter.java:51)

at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApp licationImpl.java:1527)

Redeyes · April 23, 2015, 8:05am

It seems that you set IP restriction for the REST API. And something there went wrong.

Try at first without any IP restriction.

Gary13 · April 23, 2015, 10:02am

That worked but it’s hardly a solution. The ip restriction is very important to have. Also just prior to making the lockouts call I am creating a new user. So the ip restriction isn’t really the source of the problem. I’d prefer not to have to rely just on the secret key.

Redeyes · April 23, 2015, 11:02am

I could check that and fix the problem.

Does the problem appears since the 3.10? Or did you had already problems with 3.9.3 and IP restriction?

Gary13 · April 23, 2015, 12:25pm

I discovered the problem originally in 3.9.3 and ip restriction was present (as reported in the original post). I never tested with the ip restriction removed in 3.9.3 but I got the same error in both 3.9.3 and 3.10 when ip restriction was present.

Switch off ip restriction in 3.10 and the lockout works.

Redeyes · April 23, 2015, 1:17pm

Thy for your feedback. I will investigate to fix the issue.

Redeyes · April 23, 2015, 9:13pm

Try to use the REST API Plugin. It have all the feature which userService have and many more. In the REST API Plugin should the bug already be fixed.

The only thing to change is the URL.

From: plugins/userService/lockouts/

To: plugins/restapi/v1/lockouts/

Gary13 · April 24, 2015, 3:10am

Using that url returns me the html for the admin login page, the start of which looks like:

44

45

46

47

48 Openfire Admin Console

49

68

69

70

The line numbers are added by the “less” command when I look at the file.

I assume the url isn’t mapped in the web.xml file (or however the plugin is being handled). My http call code isn’t following redirects so I assume that’s the actual text being returned by the call.

Redeyes · April 24, 2015, 8:02am

Did you installed, enabled and set the authentication way by REST API Plugin?

Gary13 · April 24, 2015, 9:43am

Sorry I misread your previous comment. I’ve now installed the REST api plugin, configured it as per the user service plugin and both creating users and the lockouts works correctly with ip restriction in place.

Thanks for the help.