apache - Exception while dispatching incoming RPC call : encodedRequest cannot be empty -
my gwt application deployed in servlet container apache tomcat 6.0.37, linked apache http server using connectors coyote/jk2 (native module mod_jk/1.2.37). in addition, use module mod_auth_sspi/1.0.4 sso.
found problem - when send request server ie 8 (requests firefox, example, successful) page not displayed , in tomcat logs following -
severe: exception while dispatching incoming rpc call java.lang.illegalargumentexception: encodedrequest cannot empty @ com.google.gwt.user.server.rpc.rpc.decoderequest(rpc.java:232) @ org.spring4gwt.server.springgwtremoteserviceservlet.processcall(springgwtremoteserviceservlet.java:32) @ com.google.gwt.user.server.rpc.remoteserviceservlet.processpost(remoteserviceservlet.java:248) @ com.google.gwt.user.server.rpc.abstractremoteserviceservlet.dopost(abstractremoteserviceservlet.java:62) @ javax.servlet.http.httpservlet.service(httpservlet.java:643) @ javax.servlet.http.httpservlet.service(httpservlet.java:723) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:290) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ gov.department.it.server.requestinterceptorfilter.dofilter(requestinterceptorfilter.java:90) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:235) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.apache.catalina.core.standardwrappervalve.invoke(standardwrappervalve.java:233) @ org.apache.catalina.core.standardcontextvalve.invoke(standardcontextvalve.java:191) @ org.apache.catalina.core.standardhostvalve.invoke(standardhostvalve.java:127) @ org.apache.catalina.valves.errorreportvalve.invoke(errorreportvalve.java:103) @ org.apache.catalina.core.standardenginevalve.invoke(standardenginevalve.java:109) @ org.apache.catalina.connector.coyoteadapter.service(coyoteadapter.java:293) @ org.apache.jk.server.jkcoyotehandler.invoke(jkcoyotehandler.java:190) @ org.apache.jk.common.handlerrequest.invoke(handlerrequest.java:311) @ org.apache.jk.common.channelsocket.invoke(channelsocket.java:776) @ org.apache.jk.common.channelsocket.processconnection(channelsocket.java:705) @ org.apache.jk.common.channelsocket$socketconnection.runit(channelsocket.java:898) @ org.apache.tomcat.util.threads.threadpool$controlrunnable.run(threadpool.java:690) @ java.lang.thread.run(thread.java:619) i've found topic, describes similar problem - gwt illegalargumentexception: encodedrequest cannot empty
however, not find registry key disablentlmpreauth, although not solution if lot of people ie 8. have installed , configured native windows authentication framework waffle
web.xml -
... <filter> <filter-name>negotiatesecurityfilter</filter-name> <filter-class>waffle.servlet.negotiatesecurityfilter</filter-class> <init-param> <param-name>waffle.servlet.spi.negotiatesecurityfilterprovider/protocols</param-name> <param-value>ntlm</param-value> </init-param> </filter> ... <filter-mapping> <filter-name>negotiatesecurityfilter</filter-name> <url-pattern>/my-app/*</url-pattern> </filter-mapping> ... but did not help.
in worker.properties set socket_keepalive=0, did not -
worker.properties -
worker.ajp13.type=ajp13 worker.ajp13.host=localhost worker.ajp13.port=8009 worker.ajp13.lbfactor=50 worker.ajp13.cachesize=10 worker.ajp13.cache_timeout=600 worker.ajp13.socket_keepalive=0 worker.ajp13.socket_timeout=300 what else can try do? thank all.
you have rediscovered 7 year old bug #1 in mod_auth_sspi has affected numerous projects, frustrated numerous developers, , caused uncountable wasted man-hours on years. yet still stands unresolved because maintainer doesn't consider bug. nor has been addressed microsoft older browsers, because indications ie9 doesn't have problem.
cause
it caused ie trying 'smart' , sending 0 content-length post (i named 0post try making indexable term benefit rediscover in next 7 years.) ntlm auth header in anticipation of being challenged server. ie when has been authenticated before in protection space. knows challenged again. sadly mod_auth_sspi not smart ie, bad things happen on server side when 0post arrives , let through apps without being challenged. except can happen unprotected areas, if under area requires authentication. other browsers don't pretend smart ie , don't try save few bytes on first round trip "performance", don't run problem. here microsoft's explanation of behavior.
horrible workaround
in apache httpd.conf set
sspiperrequestauth on this equivalent disablentlmpreauth ie client-side fix mentioned, impractical large user group. plus amounts crippling non-apache apps also, may capable of handling 0post. there literally no examples of setting being discussed or side effects explained on web, including only link found sheds light on it. anyway, making 1 server side change seems lesser of 2 evils. although now, changing server config, have crippled other innocent browsers visiting site well.
the problem workaround forces every request perform sspi handshake results in lot of 401 traffic , can affect performance. performance, ntlm authentication treated 'session-based' not 'request-based' means handshake occurs @ start of session. when using setting, should set filters prevent log filling 401s. note requires keepalive turned on.
i not sure setup same 1 described in waffle fix; using apache you? think waffle applies tomcat, whereas have apache in front, apache handling authentication. might consider using setup instead of apache. if can use setup, may better option workaround because waffle has explicitly accounted 0post , can handle it. author had also discovered this gem while working gwt you.
interestingly, jcifs, a fix issue posted 9 years ago. author provided excellent explanation later:
the code in filter examines http post requests , determines if contain ntlm type 1 message. if request contains ntlm type 1 message, the filter responds dummy type 2 message entertain ie's desire re-negotiate ntlm prior submitting post data. browser should respond ntlm type 3 message along post data filter should allow chain rest of web application.
a simple patch created mod_auth_sspi 5 years ago, if interested. see diff in author's own repo. not sure if agree approach though. tries detect ie/0post, whereas think right fix should detect if client requesting auth ntlm type 1 header, in jcifs filter. (type 1 means first message of handshake)
i wonder if has used alternatives mod_auth_sspi mod_auth_ntlm_winbind , if don't exhibit behavior. if have, please leave comment. know waffle works, not mod_auth_sspi replacement.
one alternative forget ntlm , use kerberos, (mod_auth_kerb) many people find complicated setup. ie behave way on challenge-response scheme, odds kerb auth run same problem, since similar 401 sequence happens in both cases. being different module, possible capable of handling this.
lastly, should mention there yet issue per-request auth workaround doesn't seem fix. haven't seen discussed anywhere, have found after 0post, server waits long time before responds final 200 response results of (proper) post. long delay happens in end though, not in response 0post. goes fine, , handshake completes, server doesn't respond until after long wait have noticed suspiciously close 90 seconds, sort of timeout. practical result of when users log in, ie8 hang 90sec waiting server response. thought keepalive might causing it, not explicitly defined in config, assume @ 15sec apache default. sure related 0post, because happens right after successful 0post auth handshake. our server in separate (2-way) trusted domain across firewall, maybe has it.
diverse examples of issue
- https://confluence.atlassian.com/display/jirakb/nullpointerexception+when+authenticating+from+ie
- http://trac.edgewall.org/ticket/2696
- http://trac.edgewall.org/ticket/4560
- https://drupal.org/node/82530
- http://www.webmasterworld.com/apache/3087425.htm
- why "content-length: 0" in post requests?
- https://jira.springsource.org/browse/sec-1087
the hilarious example how ie's smartness affected microsoft's own products! couldn't understand how deal ie's behavior, causing bug in isa server 2006.
Comments
Post a Comment