    mdagit
    @mdagit
    and the client sees a 500 http status instead of a 403 status
    not sure what to do about that -- what kind of jax-rs runtime can't serialize a Map<String,String> ?
    Andy McCright
    @andymc12

    @mdagit you may need to specify the content type in your response - something like:
    requestContext.abortWith(Response.status(Status.FORBIDDEN).entity(Entity.entity(Map.of("error", err), MediaType.APPLICATION_JSON)).build());
    or
    requestContext.abortWith(Response.status(Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_XML).entity(Map.of("error", err)).build());

    I'm just randomly guessing at the content type you want - but ultimately, that's the issue - the runtime doesn't know what to serialize the map to.

    mdagit
    @mdagit
    @andymc12 oh good idea let me try that. For some reason i had it in my head that text/plain was a default implicit content type but maybe i just made that up.
    Andy McCright
    @andymc12
    yeah, I can't find any mention of a default MediaType - but I did find that there is a type(...) method on the ResponseBuilder class that might be cleaner than the snippets I first suggested. ex:
    requestContext.abortWith(Response.status(Status.FORBIDDEN).type("text/plain").entity(Map.of("error", err)).build());
    mdagit
    @mdagit
    @andymc12 - you were right! Things working swimmingly now. Getting a real 403 back. I don't really understand how the server determines its providers; I think what happened is my maven build used to pull in jackson, and i removed that from my war build, and now OL is using apache CXF? Is that a possible explanation of why this used to work? But I thought there is all this class loader separation and whatnot to prevent that sort of side-effect?
    Andy McCright
    @andymc12
    I'm not sure. Did you switch from jaxrs-2.0 to jaxrs-2.1? You would get different behavior in that case.
    actually, now that you mention it, I think the Jackson provider would match any object type and any content type, so removing Jackson might've broken this.
    I'm logging out. I'm glad things are working for you now. Have a good weekend!
    mdagit
    @mdagit
    @andymc12 thanks again!
    Scott Kurz
    @scottkurz
    @mdagit, just wanted to follow-up (as promised) by pointing to the publication of our "security hardening" doc describing best practices regarding configuration, etc. Check it out here: https://openliberty.io/docs/20.0.0.10/security-hardening.html
    We also released the ACME support so you can move beyond the simple self-signed certificate in development: https://openliberty.io/blog/2020/09/25/signed-certificate-with-acme-200010.html
    Benjamin Marwell
    @bmarwell
    @scottkurz do you think disabling file serving will do any good (for security)?
    Scott Kurz
    @scottkurz
    Hi @bmhm .... I don't have much of an expert opinion there. Perhaps someone else will chime in (though it's the end of the week, so maybe not today)
    mdagit
    @mdagit
    @scottkurz very timely because i actually have a question regarding self signed certs. Right now my server.xml has <httpEndpoint host="*" ... but it seems that as a consequence of that, if I don't override the default self-signed cert, it is generated for "localhost". If i do want multiple hosts bound, I'm guessing it chooses the first to get the cert. So would I do something space separated like host="${env.HOSTNAME} localhost" to get it to bind both ips, but generate a cert for HOSTNAME from env?
    mdagit
    @mdagit
    @scottkurz regarding the security-hardening.html doc my main feedback would be that the discussion of password management should be deeper. There is discussion there of one approach of using AES symmetric encrypted secrets with encryption key kept in a separate file. This fails the test of having no secrets in data-at-rest because of the bootstrapping key. And to really make it work, one would have to go through and find everything like java keystores too. AFAIK (Open)Liberty has no builtin support for credentials stores such as vaultproject or Kubernetes credentials. Also, the bootstrapping key might be something kept in a startup environment variable, or read from stdin (if doing a manual start). There are also more sophisticated approaches to avoiding a permanent secret on disk, such as temporary use access tokens (tickets) that will expire if not used. Suffice to say it is a much bigger topic.
    @scottkurz regarding ACME - great that you've added it but as i'm sure you are aware there are several ways in which domain administration can be verified, and port 80 is just one of them. I'm right now in the odd situation at one client where i have DNS control but am not allowed to bind port 80. Also, the docs will need to say something about how/whether the 90 day refresh is taken care of by OL.
    Scott Kurz
    @scottkurz
    Thanks @mdagit for that feedback. I will pass it along to our security development team.
    mdagit
    @mdagit
    regarding httpEndpoint host in server.xml is there a way to give a list of names? I like the convenience of the "*" wildcard but it seems to have the consequence of using "localhost" for the self-signed certificate. So i'd like to give a list where presumably the first would be used for the self-signed certificate. Unless there is another config for that.
    Spas Poptchev
    @spoptchev
    Hi, we have an issue when activating the wsSecurity-1.1 feature: Unable to load class net.sf.ehcache.store.DefaultElementValueComparator. Initial cause was net.sf.ehcache.store.DefaultElementValueComparator.<init>(net.sf.ehcache.config.CacheConfiguration). We also tried to disable the cache with <wsSecurityProvider id="default" ws-security.enable.nonce.cache="false">. But the error still appears. Did any one of you have the same issue and can help us out?
    1 reply
    John Redwood
    @VeenarM_gitlab
    Hi All, quick one as I haven't been able to find anything in the docs / notes... In migrating from tWAS to OpenLiberty we used to have IBM MQ JMS failovers configured at the tWAS level. Does OpenLiberty support this feature somehow as well? or do we need to configure two MQ's and do it manually in code as a fallback?
    4 replies
    mdagit
    @mdagit
    it seems my ticket OpenLiberty/open-liberty#12915 has been moved to the "Icebox" which seems ominous and i'm guessing means that it'll never be addressed. Which is too bad, because it is a very real use case. I mean, there is even an RFC for it now: https://tools.ietf.org/html/rfc8693 . But the openliberty JWT implementation seems to basically make it impossible to do.
    2 replies
    Benjamin Marwell
    @bmarwell
    Hi, hope this is the right place to ask. The JDK's readme from (Open)Liberty points to
    https://www.ibm.com/support/pages/java-sdk-fixes-version-80. But that page does not exist anymore. Oliver already asked in the slack channel but just got the answer that those pages and links are outdated.
    10 replies
    mdagit
    @mdagit
    is there a list of what packages i can and should shift from "javax." to "jakarta."? I just converted a bunch of code pretty blindly so now i have jakarta.ws.rs.core.Application and jakarta.annotation.PreDestroy and so on. It all compiles but doesn't work at all, at least in openliberty. Doesn't find my Application or my resources. just get 404 on everything. This is on latest openliberty 21.
    mdagit
    @mdagit
    Maybe 21.0.0.2 is still just j2ee 8? Maybe i'm blind but i guess I thought that openliberty 21.* was jakarta 9? I see some docs about the runtimeArtifact in maven plugin but which versions is that for? and what about use of assemblyArtifact?
    2 replies
    mdagit
    @mdagit
    @andymc12 That github page of rewrites is perfect thanks. Sorry for my ignorance, all the articles i've found focus mostly on the politics of the renaming not the nitty grittys. Suppose i don't use a byte code tool. Will I be able to run an app that has a mixture of libraries using javax and jakarta packages with jakarta ee9? That is, is there backward compatibility where the container will look for both things in cdi and jax-rs and so on? Or is it scorched earth, and the entire app has to be one or the other?
    1 reply
    Also i'm unclear on what i need to do if anything with the pom.xml and liberty maven plugin. Anything? Or just activate the feature in server.xml?
    1 reply
    mdagit
    @mdagit
    Thanks @andymc12 . Last question for today (I hope).... I'm unclear how to interpret the beta vs non-beta releases.... I assumed that 21.0.0.2 would be better than 21.0.0.2-beta (or 21.0.0.3-beta) but maybe 21.0.0.2 is not actually a better version of 21.0.0.2-beta and doesn't have any EE9 support at all?
    3 replies
    Scott Kurz
    @scottkurz
    @mdagit one more thing.. I'm not sure if you do need to use the beta for the particular feature + version you're using but if you do, you'd install the beta through this liberty-maven-plugin config like:
        <plugin>
            <groupId>io.openliberty.tools</groupId>
            <artifactId>liberty-maven-plugin</artifactId>
            <configuration>
                <assemblyArtifact>
                    <groupId>io.openliberty.beta</groupId>
                    <artifactId>openliberty-runtime</artifactId>
                    <version>21.0.0.3-beta</version>
                    <type>zip</type>
                </assemblyArtifact>
            </configuration>
        </plugin>
    Thorsten Hake
    @thake
    Hey, I'm just trying to debug a configuration issue. Is there any way to print out the values of all variables at runtime after open liberty processed all configuration files? I can't find anything in the official documentation.
    2 replies
    Benjamin Marwell
    @bmarwell
    Hey! I have an idea for a liberty plugin (an activateable feature). Is there any documentation I could browse to get started?
    9 replies
    mdagit
    @mdagit
    hi all - if i have a .tar of static content that i want available at context root "/" what is easiest way to shove that into an openliberty install? There will be other apps with non empty context root; this would be the only thing in "/". In the old tomcat world i would just untar in webapps/ROOT/ and bobs-your-uncle.
    6 replies
    mdagit
    @mdagit
    @andymc12 I just ran into your personalized exception:
    [INFO] [err] java.lang.Throwable: ANDY
    [INFO] [err] at org.apache.cxf.jaxrs.utils.JAXRSUtils.logMessageHandlerProblem(JAXRSUtils.java:2055)
    inner exception is:
    [INFO] Caused by: javax.json.bind.JsonbException: JsonbTransient annotation cannot be used with other jsonb annotations on the same property.
    But i'm not doing that, unless for some reason this isn't allowed:
    @JsonbTransient int somevar;
    @JsonbProperty("somevar") int getSomeVar() {return somevar;}
    mdagit
    @mdagit
    but of course it isn't telling the name of the property and i can't actually see any right now that are like that.
    mdagit
    @mdagit
    beats me why it considers these to be the same properties but after some painful binary search through commenting, discovered this is what it doesn't like:
    @JsonbTransient ActionMenu menu;
    @JsonbProperty("is_menu")
    public boolean isMenu() {return pam == null;}
    mdagit
    @mdagit
    i renamed the menu variable to _menu and that got it to work. but still.
    Andy McCright
    @andymc12

    sigh I fear I will never be rid of that error message. :)

    the issue makes sense - it really sounds like JSON-B can't disambiguate the two properties - and in this case, they are definitely two different properties (one an ActionMenu and the other a boolean). But it does seem like the exception message could be more clear. I'll see what we can do to improve that. Thanks for bringing this up - and I'm glad to hear you got it resolved.

    mdagit
    @mdagit
    @andymc12 thanks. it seems like what it is doing is mapping "isMenu()" to property "menu" via automatic name mapping -- but IMHO it should look at my @JsonbProperty("is_menu") and use "is_menu" before it accuses me of duplicate property annotations. Instead it takes the automatically mapped "menu" property name and sees the duplicate with the instance variable "menu".
    Andy McCright
    @andymc12
    yeah, that makes sense. so maybe there's a functional issue as well as an error info issue
    mdagit
    @mdagit
    is there an easy way to get openliberty to log more details for reasons why it is rejecting a request with a 401 when using mp-jwt? Right now I'm seeing nothing at all in messages.log, not even "you didn't sink my battleship" or "go fish"
    5 replies
    Benjamin Marwell
    @bmarwell

    Hi, can someone explain this message?

    $ featureManager install feature-1.0
    This featureManager action is stabilized. Use installUtility install instead. This command is recommended for installation and repository-related actions.

    So if it is stabilized, why not use it?

    22 replies
    SowmithYatam
    @SowmithYatam
    Hello Guys, I am using sessionDatabase feature to enable session persistence between liberty instances. I have configured both liberty instances to use the same database and the session data is getting stored into the DB. But my issue is, the two liberty instances are not sharing the session data. When i tried to fetch session data from other server, i couldn't get. Both the servers are in different computers.
    SowmithYatam
    @SowmithYatam
    Could anyone please help me out? I actually tried both the servers to point to same httpSessionPersistence, but no use.
    In the DB, i can see that all the created sessions (each session has unique entry in the db). Is it how it's supposed to work or if there is any session available in the DB, then the other liberty instance should use it?
    9 replies
    msudan21
    @msudan21

    Team, Is it possible to use springBootUtility with OpenLiberty kernel-slim UBI images (e.g. - kernel-slim-java8-openj9-ubi) ?
    https://openliberty.io/docs/21.0.0.7/reference/command/springbootUtility-thin.html

    Because, it's giving an error as
    Step 3/11 : RUN springBootUtility thin --sourceAppPath=/staging/fat-order-0.0.1-SNAPSHOT.jar --targetThinAppPath=/staging/thin-order-0.0.1-SNAPSHOT.jar --targetLibCachePath=/staging/lib.index.cache
    ---> Running in 3023c669c4d7
    /bin/sh: springBootUtility: command not found
    The springBootUtility is only working with OpenLiberty full UBI images

    10 replies
    msudan21
    @msudan21

    Team, I am trying to deploy Springboot apps using open-liberty kernel-slim UBI image on OpenShift (OCP) platform using "oc new-app java~<github-url> --strategy=docker" command. but build was failing with below error message:

    STEP 18: RUN features.sh
    time="2021-08-10T11:26:46Z" level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
    time="2021-08-10T11:26:46Z" level=warning msg="Path \"/run/secrets/redhat.repo\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
    /bin/sh: features.sh: command not found
    error: build error: error building at STEP "RUN features.sh": error while running runtime: exit status 127

    If i manually deploy apps in Openshift (OCP), then there is no error and i can access the apps (same Dockerfile + deployment.yml + services.yml)

    10 replies
    Benjamin Marwell
    @bmarwell

    Hello (HELO/EHLO) everyone. I have a question about the mailsession feature :)
    => https://openliberty.io/docs/21.0.0.8/reference/config/mailSession.html

    Is it possible to use the configuration of the default SSL settings? We are using
    <ssl sslRef="ourdefaultSSLSettings" />
    Will they also be used for mailing if I do not configure mail.smtp.ssl.protocol and mail.smtp.ssl.ciphersuites?

    5 replies
    dannemano
    @dannemano
    Hi everyone! Looking for info on distributedMap and webCache features in OL. I have only found the config reference but not any usage examples on for instance adding a cache provider etc. I have read the HTTP session replication guides, but my use case is a general distributed cache using standard APIs or built-in APIs in Open Liberty. I want to avoid relying on for instance Hazelcast APIs directly in code.