The Layer7 gateway is deployed in the APP subnet (internal/private) and exposed to the internet through a DMZ layer where we have an nginx web server deployed, so the flow from the internet is as follows:
URL (https/443) --> nginx --- on https (443) --> Layer7 (https/443)
Calling /oauth/v2/token through the nginx flow returns no token, only a blank response.
Reviewing the logs shows the following stack trace:
{"exception":"java.lang.IllegalArgumentException: Cookie name \"Path\" is a reserved token\n\tat javax.servlet.http.Cookie.\u003cinit\u003e(Cookie.java:151)\n\tat com.l7tech.common.http.CookieUtils.toServletCookie(Unknown Source)\n\tat com.l7tech.server.policy.assertion.ServerCustomAssertionHolder.a(Unknown Source)\n\tat com.l7tech.server.policy.assertion.m.\u003cinit\u003e(Unknown Source)\n\tat com.l7tech.server.policy.assertion.h.run(Unknown Source)\n\tat java.base/java.security.AccessController.doPrivileged(Native Method)\n\tat java.base/javax.security.auth.Subject.doAs(Unknown Source)\n\tat com.l7tech.server.policy.assertion.ServerCustomAssertionHolder.checkRequest(Unknown Source)\n\tat com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)\n\tat com.l7tech.server.policy.assertion.composite.ServerOneOrMoreAssertion.checkRequest(Unknown Source)\n\tat com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)\n\tat com.l7tech.server.policy.assertion.composite.ServerAllAssertion.checkRequest(Unknown Source)\n\tat com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)\n\tat com.l7tech.server.policy.assertion.composite.ServerOneOrMoreAssertion.checkRequest(Unknown Source)\n\tat com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)\n\tat com.l7tech.server.policy.assertion.composite.ServerAllAssertion.checkRequest(Unknown Source)\n\tat com.l7tech.server.policy.ServerPolicy.checkRequest(Unknown Source)\n\tat com.l7tech.server.policy.ao.call(Unknown Source)\n\tat com.l7tech.server.policy.ao.call(Unknown Source)\n\tat com.l7tech.common.log.HybridDiagnosticContext.doInContext(Unknown Source)\n\tat com.l7tech.server.policy.ServerPolicyHandle.checkRequest(Unknown Source)\n\tat com.l7tech.server.ar.b(Unknown Source)\n\tat com.l7tech.server.ar.a(Unknown Source)\n\tat 
com.l7tech.server.MessageProcessor.a(Unknown Source)\n\tat com.l7tech.server.MessageProcessor.processMessageNoAudit(Unknown Source)\n\tat com.l7tech.server.SoapMessageProcessingServlet.serviceNoAudit(Unknown Source)\n\tat com.l7tech.server.a4.call(Unknown Source)\n\tat com.l7tech.server.audit.AuditContextFactory.doWithNewAuditContext(Unknown Source)\n\tat com.l7tech.server.SoapMessageProcessingServlet.service(Unknown Source)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:750)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:711)\n\tat org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:459)\n\tat org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:353)\n\tat org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:313)\n\tat com.l7tech.server.transport.http.HttpNamespaceFilter.doFilter(Unknown Source)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat com.l7tech.server.WsdlFilter.doFilter(Unknown Source)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat com.l7tech.server.transport.http.ConnectionIdFilter.doFilter(Unknown Source)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat com.l7tech.server.transport.http.InputTimeoutFilter.doFilter(Unknown Source)\n\tat 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat com.l7tech.server.log.HybridDiagnosticContextServletFilter.doFilter(Unknown Source)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\tat com.l7tech.server.tomcat.ResponseKillerValve.invoke(Unknown Source)\n\tat com.l7tech.server.tomcat.ConnectionIdValve.invoke(Unknown Source)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:400)\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:900)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)\n\tat
Release: 10.1
If possible, remove the cookie attribute in nginx, which acts as the proxy.
You can work around this by adding the following logic to /oauth/v2/token:
At least one assertion
    Manage cookies assertion
        Remove=Path
    Continue Processing
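To confirm which requests carry the offending cookie before changing nginx or the policy, the following added diagnostic (not Layer7 or Broadcom code) parses a captured Cookie request header, reports cookie names that are really Set-Cookie attribute names, and returns the header with them removed. Only "Path" is confirmed by the exception above; flagging the other RFC 6265 attribute names is an assumption, and the sample headers are constructed.

```python
# Added diagnostic, not Layer7 code. Sample header values are constructed.

# Set-Cookie attribute names from RFC 6265. Only "Path" is confirmed by the
# exception on this page; treating the others as suspect is an assumption.
ATTRIBUTE_NAMES = {"path", "domain", "expires", "max-age", "secure", "httponly"}


def split_cookie_header(value):
    """Split a Cookie request header into (name, value) pairs, in order.

    A pair without '=' (for example a bare 'Secure') gets value None.
    """
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate empty segments such as ';;'
        name, sep, val = part.partition("=")
        pairs.append((name.strip(), val.strip() if sep else None))
    return pairs


def audit_cookie_header(value):
    """Return (suspect_names, cleaned_header) for one Cookie header value.

    suspect_names: cookie names that match a Set-Cookie attribute name,
    compared case-insensitively. cleaned_header: the header with those
    pairs dropped, mirroring what removing the "Path" cookie achieves.
    """
    suspects, kept = [], []
    for name, val in split_cookie_header(value):
        if name.lower() in ATTRIBUTE_NAMES:
            suspects.append(name)
        else:
            kept.append(name if val is None else f"{name}={val}")
    return suspects, "; ".join(kept)


if __name__ == "__main__":
    samples = [
        "JSESSIONID=abc123; Path=/; Secure",  # attributes echoed as cookies
        "JSESSIONID=abc123; theme=dark",      # well-formed request header
    ]
    for header in samples:
        suspects, cleaned = audit_cookie_header(header)
        print(f"{header!r}: suspects={suspects} cleaned={cleaned!r}")
```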