Fix Java 2 Security issue in SessionCachePrefixTest (#34655 re-land)#35197
Fix Java 2 Security issue in SessionCachePrefixTest (#34655 re-land)#35197riyaaroraa wants to merge 11 commits into
Conversation
|
!build (view Open Liberty Personal Build - ✅ completed successfully!) Note: Target locations of links might be accessible only to IBM employees. |
|
!java2sec |
Code analysis and actionsDO NOT DELETE THIS COMMENT.
|
- Created SessionCachePrefixTest with 4 P1 test scenarios: * testDefaultCacheNames: Verify backward compatibility (no prefix) * testCustomPrefix: Verify custom prefix 'testPrefix_' works * testMultiPodDifferentPrefixes: Verify pod1_ and pod2_ coexist * testFailoverWithPrefix: Verify session failover with custom prefix - Added 4 new server configurations: * prefix.default: No cacheNamePrefix (backward compatibility) * prefix.custom: cacheNamePrefix='testPrefix_' * prefix.pod1: cacheNamePrefix='pod1_' * prefix.pod2: cacheNamePrefix='pod2_' - Updated FATSuite to include SessionCachePrefixTest Tests validate that the cacheNamePrefix attribute allows multiple Liberty instances to use distinct cache names in a shared Infinispan cluster, addressing customer issue from MUTUA MADRILEÑA (Sev 2). Related: #36500, #36502 (FTS)
This PR adds Functional Acceptance Tests (FAT) for the new cacheNamePrefix configuration attribute in WebSphere Liberty's session cache functionality. Feature Overview: The cacheNamePrefix attribute allows customers to customize Liberty-generated cache names when multiple Liberty instances share the same JCache provider (Infinispan/Hazelcast). This prevents cache name conflicts in distributed environments where multiple pods or clusters use a common cache store. Test Coverage: Hazelcast Tests (SessionCachePrefixTest): - testCustomPrefix: Validates custom prefix 'testPrefix_' works correctly - testEmptyStringPrefix: Verifies empty prefix maintains backward compatibility - testSpecialCharactersInPrefix: Tests special characters (dash, dot, underscore, colon) Infinispan Tests (SessionCachePrefixTest): - testDefaultCacheNames: Validates backward compatibility (no prefix configured) - testCustomPrefix: Verifies custom prefix functionality - testMultiPodDifferentPrefixes: Tests multiple Liberty instances with different prefixes - testEmptyStringPrefix: Confirms empty string behaves like default - testSpecialCharactersInPrefix: Validates special character support - testPrefixWithAppNameAndSeparator: Tests interaction with appInCacheName and cacheSeparator - testDynamicConfigChanges: Documents that prefix changes require server restart - testNegativeTesting: Validates handling of problematic characters Test Infrastructure: - Created 3 Hazelcast server configurations with dynamic port allocation * sessionCachePrefixServer: HTTP_default (8010) * sessionCachePrefixServer_empty: HTTP_secondary (8020) * sessionCachePrefixServer_special: HTTP_tertiary (8050) - Created 9 Infinispan server configurations for comprehensive test scenarios - Added bootstrap.properties to all servers for proper cache provider configuration - Configured CWWKO0221E error suppression for clean test execution - Integrated tests into FATSuite for both Hazelcast and Infinispan test buckets Technical Implementation: - Tests validate cache name patterns using waitForStringInTrace with regex - Proper server lifecycle management with try-finally blocks - Session data verification through SessionCacheApp helper methods - All tests passing with proper error handling and cleanup This feature addresses customer requirements for multi-instance Liberty deployments sharing a common cache infrastructure, enabling cache name disambiguation without conflicts. Related: #36500 (Epic), #36502 (FTS), OpenLiberty#34543 (Implementation PR)
Remove fatTestPorts.xml include from sessionCachePrefixServer_empty and sessionCachePrefixServer_special to prevent port conflicts. Issue: fatTestPorts.xml defines defaultHttpEndpoint with HTTP_default (8010). When servers include this file AND define their own httpEndpoint with the same ID, Liberty's config merge causes the include to override explicit port settings, resulting in all servers trying to use port 8010 simultaneously. Solution: Remove the fatTestPorts.xml include. Port variables still resolve via bootstrap.include=../testports.properties in bootstrap.properties files. Result: - sessionCachePrefixServer → 8010 (via fatTestPorts.xml) - sessionCachePrefixServer_empty → 8030 (explicit HTTP_secondary) - sessionCachePrefixServer_special → 8050 (explicit HTTP_tertiary) Fixes: #36500 Related: OpenLiberty#34655
Fix 1: Change SessionCacheApp deployment from apps/ to dropins/ - Changed false to true in SessionCachePrefixTest setUp() for all 3 servers - ShrinkHelper.defaultApp() deploys to apps/ directory (not monitored) - ShrinkHelper.defaultDropinApp() deploys to dropins/ (monitored by server) - Fixes testCustomPrefix timeout - app now deploys correctly Fix 2: Add timedexit-1.0 feature to _empty and _special servers - Added <include location="../fatTestCommon.xml"/> after httpEndpoint - Provides timedexit-1.0 feature required by test framework - Fixes testEmptyStringPrefix and testSpecialCharactersInPrefix - Resolves CWWKE1102W quiesce operation warnings Root causes identified from CI logs: - testCustomPrefix: Server started but app never deployed (CWWKZ0058I only) - _empty/_special: Missing timedexit-1.0 caused framework timeouts Fixes: #36500 Related: OpenLiberty#34655
…ctersInPrefix - Added serverEmpty.useSecondaryHTTPPort() for server using HTTP_secondary (8030) - Added serverSpecial.setBvtPortPropertyName() to configure HTTP_tertiary port (8050) since useTertiaryHTTPPort() method doesn't exist in LibertyServer - Uses proper LibertyServer API methods instead of manual port parsing - Fixes 'Connection refused' errors where tests were connecting to default port 8010 instead of the configured ports in server.xml
- Changed to hardcoded ports: 8050 (HTTP) and 8060 (HTTPS) - Values confirmed from testports.properties - Avoids system property lookup issues that caused previous failures - Should resolve Connection refused errors in testSpecialCharactersInPrefix
Simplify test structure based on review feedback: Hazelcast changes: - Reduce from 3 servers to 1 server (sessionCachePrefixServer) - Use setServerConfigurationFile() to switch configs between tests - Create 3 config files in configs/ directory - Delete 2 unused server directories and 3 server_noprefix.xml files Infinispan changes: - Reduce from 9 servers to 3 servers (default, pod1, pod2) - Use setServerConfigurationFile() on default server for single-server tests - Keep pod1 and pod2 for multi-pod clustering tests - Create 7 config files in default/configs/ directory - Delete 6 unused server directories Benefits: - Cleaner, more maintainable code - No port conflicts - Follows existing Liberty FAT test patterns - All test coverage maintained
- Move config files from publish/servers/.../configs/ to publish/files/ - Update test code to remove 'configs/' prefix from setServerConfigurationFile() calls - Files in publish/files/ map to lib/LibertyFATTestFiles/ at runtime - setServerConfigurationFile() automatically prepends lib/LibertyFATTestFiles/ to the path This fixes the CI build failures where the framework was looking for files at lib/LibertyFATTestFiles/configs/server_*.xml which didn't exist.
…xTest The session.cache.web.listener1 app was causing SRVE8059E NPE failures under Java 2 Security when the server stopped. The listener app couldn't properly access the session context during shutdown, causing: - NullPointerException in session context - Zombie server processes between test repeats - Cascade failures in subsequent tests Fix: Remove the listener app parameter from SessionCacheApp initialization. The main session.cache.web app is sufficient for testing the cacheNamePrefix feature. Fixes: RTC 310836 Related: PR OpenLiberty#35183 (revert), PR OpenLiberty#34655 (original)
The Hazelcast CachingProvider static initializer needs to read hazelcast.* system properties. Under Java 2 Security, this requires explicit PropertyPermission scoped to the Hazelcast library codebase. Without this permission, tests fail with: java.security.AccessControlException: Access denied (java.util.PropertyPermission hazelcast.logging.class read) Added javaPermission for hazelcast.* properties to all server configs that use the HazelcastLib library.
- Change 'generated using' to 'generated by using' - Change 'this can cause conflicts' to 'conflicts can occur' - Remove redundant 'same' in both descriptions
146260c to
4936a49
Compare
|
!build (view Open Liberty Personal Build - ❌ completed with errors/failures.) Note: Target locations of links might be accessible only to IBM employees. |
Code analysis and actionsDO NOT DELETE THIS COMMENT.
|
|
!build (view Open Liberty Personal Build - ✅ completed successfully!) Note: Target locations of links might be accessible only to IBM employees. |
Code analysis and actionsDO NOT DELETE THIS COMMENT.
|
Re-lands #34655 with fix for Java 2 Security failures that caused
the revert in #35183.
Root cause: The session.cache.web.listener1 app was causing SRVE8059E
(NPE on session context) during server shutdown under Java 2 Security,
which prevented clean server stop and left zombie processes between
repeat runs (EE9/EE10), causing cascade failures.
Fix: Remove session.cache.web.listener1 from SessionCacheApp
initialization - it is not needed for testing the cacheNamePrefix
feature.
Fixes: RTC 310836
Reverts revert: #35183
Original PR: #34655