Friday, April 15, 2011

Sun Java System Web Server 7 Policy Agent Issue

I spent almost 1.5 weeks trying to resolve a Policy Agent issue in one of my customers' environments.


Even though they have Sun Java System Web Server 7, their configuration is of the "ancient" type. We know that there is a modern built-in Reverse Proxy plugin in Web Server 7, but the customer is still using the legacy Glassfish Load-Balancer plugin.

Cross-Domain Single Sign-On

In this scenario, the Web Server resides in a different domain from the OpenSSO Server.

In CDSSO mode, the agent for SJSWS does not reset the protocol version to the one from the POST request [HTTP/1.1] (received from the CDCServlet), but to HTTP request version 0.9 [HTTP]. This only happens in CDSSO mode, because of how the agent handles the assertion it gets from the CDCServlet.

Step-by-Step

1. Policy Agent intercepts "GET /hello/ HTTP/1.1"
2. Since this is CDSSO, Policy Agent attempts to reset the protocol version (from HTTP/1.1 to HTTP)
3. Policy Agent then allows the request to pass to the plugin

Note: An HTTP request without any version should be interpreted as HTTP 0.9, according to W3C.



This is what W3C has to say with regard to HTTP Protocol Version:

The Protocol/Version field defines the format of the rest of the request. At the moment only HTRQ is defined. If the protocol version is not specified, the server assumes that the browser uses HTTP version 0.9.




So, what's the issue then?


Load Balancer Plugin (Web Server Access Log)

192.168.1.47 - - [13/Apr/2011:17:30:55 +0800] "GET /hello/ HTTP/1.1" 302 0
192.168.1.47 - admin [13/Apr/2011:17:31:02 +0800] "GET /hello/ HTTP" 505 0





Reverse Proxy Plugin (Web Server Access Log)

192.168.1.47 - - [14/Apr/2011:10:28:48 +0800] "GET /hello/ HTTP/1.1" 302 0
192.168.1.47 - admin [14/Apr/2011:10:28:55 +0800] "GET /hello/ HTTP" 200 327



The issue is:
a. LB-plugin: Not able to respect HTTP version 1.0 and below ("HTTP Error 505 HTTP version not supported" error)
b. RP-plugin: Able to respect HTTP version 1.0 and below


Clearly, there is something wrong with the Load-Balancer plugin. According to W3C, it has to honor HTTP and let the request pass through.


And, although it is fairly rare these days for any software/application to send an HTTP request with a protocol version lower than 1.0, it is totally "legal" to do so.

In this case, the Policy Agent chooses to swallow a request with HTTP/1.1, but passes a request with HTTP to the plugin. Ideally, it would swallow HTTP/1.1 and pass the same HTTP/1.1 on to the plugin.
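
To find affected requests in an access log, the check below (an added example, not part of the original post and not Policy Agent or Web Server code) parses records in the format shown above and flags a request whose protocol token has lost its version after the same client asked for the same URI with a versioned one. The function names are hypothetical, and treating a bare "HTTP" token as HTTP/0.9 follows this post's reading.

```python
import re

# Common Log Format, as used by the access-log samples in this post.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
VERSIONED = re.compile(r'HTTP/\d+\.\d+')

def effective_protocol(token):
    """Map the protocol token of a request line to the version it implies."""
    if token and VERSIONED.fullmatch(token):
        return token
    if not token or token == "HTTP":
        # Assumption: a missing version means HTTP/0.9, as this post reads it.
        return "HTTP/0.9"
    return "invalid"

def find_downgrades(lines):
    """Report versionless requests that follow a versioned request
    from the same client for the same URI."""
    last_seen = {}   # (client, uri) -> last versioned protocol token
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an access-log record
        key = (m["client"], m["uri"])
        token = m["proto"] or ""
        if VERSIONED.fullmatch(token):
            last_seen[key] = token
        elif effective_protocol(token) == "HTTP/0.9" and key in last_seen:
            findings.append({
                "client": m["client"], "uri": m["uri"], "user": m["user"],
                "before": last_seen[key], "after": "HTTP/0.9",
                "status": int(m["status"]), "rejected": m["status"] == "505",
            })
    return findings

# Records from the two logs in this post (wrapped lines joined), plus one
# constructed record of an ordinary request for contrast.
SAMPLE = [
    '192.168.1.47 - - [13/Apr/2011:17:30:55 +0800] "GET /hello/ HTTP/1.1" 302 0',
    '192.168.1.47 - admin [13/Apr/2011:17:31:02 +0800] "GET /hello/ HTTP" 505 0',
    '192.168.1.47 - - [14/Apr/2011:10:28:48 +0800] "GET /hello/ HTTP/1.1" 302 0',
    '192.168.1.47 - admin [14/Apr/2011:10:28:55 +0800] "GET /hello/ HTTP" 200 327',
    '192.168.1.50 - - [14/Apr/2011:10:30:01 +0800] "GET /index.html HTTP/1.1" 200 512',
]
```

Calling find_downgrades(SAMPLE) reports both rewritten requests; the "rejected" field separates the Load-Balancer plugin case (505) from the Reverse Proxy plugin case (200).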




PS: Btw, I need to thank Bernhard for helping me with this issue. Thanks, Bernhard!