Skip to content

Fix Java 2 Security issue in SessionCachePrefixTest (#34655 re-land)#35197

Open
riyaaroraa wants to merge 11 commits into
OpenLiberty:integrationfrom
riyaaroraa:fix-prefix-java2sec-remove-listener
Open

Fix Java 2 Security issue in SessionCachePrefixTest (#34655 re-land)#35197
riyaaroraa wants to merge 11 commits into
OpenLiberty:integrationfrom
riyaaroraa:fix-prefix-java2sec-remove-listener

Conversation

@riyaaroraa

Copy link
Copy Markdown
Contributor

Re-lands #34655 with fix for Java 2 Security failures that caused
the revert in #35183.

Root cause: The session.cache.web.listener1 app was causing SRVE8059E
(NPE on session context) during server shutdown under Java 2 Security,
which prevented clean server stop and left zombie processes between
repeat runs (EE9/EE10), causing cascade failures.

Fix: Remove session.cache.web.listener1 from SessionCacheApp
initialization - it is not needed for testing the cacheNamePrefix
feature.

Fixes: RTC 310836
Reverts revert: #35183
Original PR: #34655

@riyaaroraa

riyaaroraa commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

!build (view Open Liberty Personal Build - ✅ completed successfully!)

Note: Target locations of links might be accessible only to IBM employees.

@riyaaroraa

Copy link
Copy Markdown
Contributor Author

!java2sec

@LibbyBot

Copy link
Copy Markdown
Member

Code analysis and actions

DO NOT DELETE THIS COMMENT.
  • 24 FAT files were changed, added, or removed.

  • Check that the build did not break the affected FAT suite(s).

  • 4 product code files were changed.

  • Please describe in a separate comment how you tested your changes.

  • 1 NLS files were changed and need an ID review.

  • @OpenLiberty/message-reviewer Please review.

    • dev/com.ibm.ws.session.cache/resources/OSGI-INF/l10n/metatype.properties

@helyarp helyarp left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested changes

Comment thread dev/com.ibm.ws.session.cache/resources/OSGI-INF/l10n/metatype.properties Outdated
Comment thread dev/com.ibm.ws.session.cache/resources/OSGI-INF/l10n/metatype.properties Outdated
riyaaroraa added 11 commits July 6, 2026 13:48
- Created SessionCachePrefixTest with 4 P1 test scenarios:
  * testDefaultCacheNames: Verify backward compatibility (no prefix)
  * testCustomPrefix: Verify custom prefix 'testPrefix_' works
  * testMultiPodDifferentPrefixes: Verify pod1_ and pod2_ coexist
  * testFailoverWithPrefix: Verify session failover with custom prefix

- Added 4 new server configurations:
  * prefix.default: No cacheNamePrefix (backward compatibility)
  * prefix.custom: cacheNamePrefix='testPrefix_'
  * prefix.pod1: cacheNamePrefix='pod1_'
  * prefix.pod2: cacheNamePrefix='pod2_'

- Updated FATSuite to include SessionCachePrefixTest

Tests validate that the cacheNamePrefix attribute allows multiple
Liberty instances to use distinct cache names in a shared Infinispan
cluster, addressing customer issue from MUTUA MADRILEÑA (Sev 2).

Related: #36500, #36502 (FTS)
This PR adds Functional Acceptance Tests (FAT) for the new cacheNamePrefix
configuration attribute in WebSphere Liberty's session cache functionality.

Feature Overview:
The cacheNamePrefix attribute allows customers to customize Liberty-generated
cache names when multiple Liberty instances share the same JCache provider
(Infinispan/Hazelcast). This prevents cache name conflicts in distributed
environments where multiple pods or clusters use a common cache store.

Test Coverage:

Hazelcast Tests (SessionCachePrefixTest):
- testCustomPrefix: Validates custom prefix 'testPrefix_' works correctly
- testEmptyStringPrefix: Verifies empty prefix maintains backward compatibility
- testSpecialCharactersInPrefix: Tests special characters (dash, dot, underscore, colon)

Infinispan Tests (SessionCachePrefixTest):
- testDefaultCacheNames: Validates backward compatibility (no prefix configured)
- testCustomPrefix: Verifies custom prefix functionality
- testMultiPodDifferentPrefixes: Tests multiple Liberty instances with different prefixes
- testEmptyStringPrefix: Confirms empty string behaves like default
- testSpecialCharactersInPrefix: Validates special character support
- testPrefixWithAppNameAndSeparator: Tests interaction with appInCacheName and cacheSeparator
- testDynamicConfigChanges: Documents that prefix changes require server restart
- testNegativeTesting: Validates handling of problematic characters

Test Infrastructure:
- Created 3 Hazelcast server configurations with dynamic port allocation
  * sessionCachePrefixServer: HTTP_default (8010)
  * sessionCachePrefixServer_empty: HTTP_secondary (8020)
  * sessionCachePrefixServer_special: HTTP_tertiary (8050)
- Created 9 Infinispan server configurations for comprehensive test scenarios
- Added bootstrap.properties to all servers for proper cache provider configuration
- Configured CWWKO0221E error suppression for clean test execution
- Integrated tests into FATSuite for both Hazelcast and Infinispan test buckets

Technical Implementation:
- Tests validate cache name patterns using waitForStringInTrace with regex
- Proper server lifecycle management with try-finally blocks
- Session data verification through SessionCacheApp helper methods
- All tests passing with proper error handling and cleanup

This feature addresses customer requirements for multi-instance Liberty
deployments sharing a common cache infrastructure, enabling cache name
disambiguation without conflicts.

Related: #36500 (Epic), #36502 (FTS), OpenLiberty#34543 (Implementation PR)
Remove fatTestPorts.xml include from sessionCachePrefixServer_empty and
sessionCachePrefixServer_special to prevent port conflicts.

Issue: fatTestPorts.xml defines defaultHttpEndpoint with HTTP_default (8010).
When servers include this file AND define their own httpEndpoint with the same
ID, Liberty's config merge causes the include to override explicit port settings,
resulting in all servers trying to use port 8010 simultaneously.

Solution: Remove the fatTestPorts.xml include. Port variables still resolve via
bootstrap.include=../testports.properties in bootstrap.properties files.

Result:
- sessionCachePrefixServer → 8010 (via fatTestPorts.xml)
- sessionCachePrefixServer_empty → 8030 (explicit HTTP_secondary)
- sessionCachePrefixServer_special → 8050 (explicit HTTP_tertiary)

Fixes: #36500
Related: OpenLiberty#34655
Fix 1: Change SessionCacheApp deployment from apps/ to dropins/
- Changed false to true in SessionCachePrefixTest setUp() for all 3 servers
- ShrinkHelper.defaultApp() deploys to apps/ directory (not monitored)
- ShrinkHelper.defaultDropinApp() deploys to dropins/ (monitored by server)
- Fixes testCustomPrefix timeout - app now deploys correctly

Fix 2: Add timedexit-1.0 feature to _empty and _special servers
- Added <include location="../fatTestCommon.xml"/> after httpEndpoint
- Provides timedexit-1.0 feature required by test framework
- Fixes testEmptyStringPrefix and testSpecialCharactersInPrefix
- Resolves CWWKE1102W quiesce operation warnings

Root causes identified from CI logs:
- testCustomPrefix: Server started but app never deployed (CWWKZ0058I only)
- _empty/_special: Missing timedexit-1.0 caused framework timeouts

Fixes: #36500
Related: OpenLiberty#34655
…ctersInPrefix

- Added serverEmpty.useSecondaryHTTPPort() for server using HTTP_secondary (8030)
- Added serverSpecial.setBvtPortPropertyName() to configure HTTP_tertiary port (8050)
  since useTertiaryHTTPPort() method doesn't exist in LibertyServer
- Uses proper LibertyServer API methods instead of manual port parsing
- Fixes 'Connection refused' errors where tests were connecting to default port 8010
  instead of the configured ports in server.xml
- Changed to hardcoded ports: 8050 (HTTP) and 8060 (HTTPS)
- Values confirmed from testports.properties
- Avoids system property lookup issues that caused previous failures
- Should resolve Connection refused errors in testSpecialCharactersInPrefix
Simplify test structure based on review feedback:

Hazelcast changes:
- Reduce from 3 servers to 1 server (sessionCachePrefixServer)
- Use setServerConfigurationFile() to switch configs between tests
- Create 3 config files in configs/ directory
- Delete 2 unused server directories and 3 server_noprefix.xml files

Infinispan changes:
- Reduce from 9 servers to 3 servers (default, pod1, pod2)
- Use setServerConfigurationFile() on default server for single-server tests
- Keep pod1 and pod2 for multi-pod clustering tests
- Create 7 config files in default/configs/ directory
- Delete 6 unused server directories

Benefits:
- Cleaner, more maintainable code
- No port conflicts
- Follows existing Liberty FAT test patterns
- All test coverage maintained
- Move config files from publish/servers/.../configs/ to publish/files/
- Update test code to remove 'configs/' prefix from setServerConfigurationFile() calls
- Files in publish/files/ map to lib/LibertyFATTestFiles/ at runtime
- setServerConfigurationFile() automatically prepends lib/LibertyFATTestFiles/ to the path

This fixes the CI build failures where the framework was looking for files at
lib/LibertyFATTestFiles/configs/server_*.xml which didn't exist.
…xTest

The session.cache.web.listener1 app was causing SRVE8059E NPE failures
under Java 2 Security when the server stopped. The listener app couldn't
properly access the session context during shutdown, causing:
- NullPointerException in session context
- Zombie server processes between test repeats
- Cascade failures in subsequent tests

Fix: Remove the listener app parameter from SessionCacheApp initialization.
The main session.cache.web app is sufficient for testing the cacheNamePrefix
feature.

Fixes: RTC 310836
Related: PR OpenLiberty#35183 (revert), PR OpenLiberty#34655 (original)
The Hazelcast CachingProvider static initializer needs to read
hazelcast.* system properties. Under Java 2 Security, this requires
explicit PropertyPermission scoped to the Hazelcast library codebase.

Without this permission, tests fail with:
java.security.AccessControlException: Access denied
(java.util.PropertyPermission hazelcast.logging.class read)

Added javaPermission for hazelcast.* properties to all server configs
that use the HazelcastLib library.
- Change 'generated using' to 'generated by using'
- Change 'this can cause conflicts' to 'conflicts can occur'
- Remove redundant 'same' in both descriptions
@riyaaroraa riyaaroraa force-pushed the fix-prefix-java2sec-remove-listener branch from 146260c to 4936a49 Compare July 6, 2026 17:52
@riyaaroraa

riyaaroraa commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

!build (view Open Liberty Personal Build - ❌ completed with errors/failures.)

Note: Target locations of links might be accessible only to IBM employees.

@LibbyBot

LibbyBot commented Jul 6, 2026

Copy link
Copy Markdown
Member

Code analysis and actions

DO NOT DELETE THIS COMMENT.
  • 24 FAT files were changed, added, or removed.

  • Check that the build did not break the affected FAT suite(s).

  • 4 product code files were changed.

  • Please describe in a separate comment how you tested your changes.

  • 1 NLS files were changed and need an ID review.

  • @OpenLiberty/message-reviewer Please review.

    • dev/com.ibm.ws.session.cache/resources/OSGI-INF/l10n/metatype.properties

@helyarp helyarp left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@riyaaroraa

riyaaroraa commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

!build (view Open Liberty Personal Build - ✅ completed successfully!)

Note: Target locations of links might be accessible only to IBM employees.

@LibbyBot

LibbyBot commented Jul 6, 2026

Copy link
Copy Markdown
Member

Code analysis and actions

DO NOT DELETE THIS COMMENT.
  • 24 FAT files were changed, added, or removed.

  • Check that the build did not break the affected FAT suite(s).

  • 4 product code files were changed.

  • Please describe in a separate comment how you tested your changes.

  • 1 NLS files were changed and need an ID review.

  • @OpenLiberty/message-reviewer Please review.

    • dev/com.ibm.ws.session.cache/resources/OSGI-INF/l10n/metatype.properties

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants