Authentication woes: Waffle deadlocks, OpenSSO 500s

Mike Noordermeer | Published October 28, 2013

Our product MyTimetable supports multiple authentication backends, all thanks to Spring Security. Over the last few years, we have experienced some issues with certain authenticators. To help anyone experiencing the same issues, we have summarized the problems we had with Waffle and OpenSSO/OpenAM below.

Waffle deadlocks

If you are using Java and want to use Windows authentication, using NTLM or Kerberos, Waffle is the library to use. However, after upgrading to Waffle 1.5, we were experiencing performance issues under moderate to high load. A thread dump of the Tomcat JVM showed most of the catalina-http-exec threads being in the BLOCKED state, like this one:

More users have experienced this issue, and created mail threads and issues about it. While I’m no expert in the usage of JNA, and it does not seem like an actual bug, some changes were made to the caching of these calls in JNA 4.0. We upgraded the Waffle JNA dependency to 4.0 - which seems to work fine with Waffle 1.5 - and our issues disappeared instantly. So if you’re experiencing the same issues, try upgrading your JNA dependency.

OpenSSO HTTP 500s

A while ago, one of our customers was experiencing HTTP 500 errors when trying to authenticate using OpenSSO. Looking at the OpenSSO agent logs, only an AgentServerErrorException: No URL is available at this time error was visible, something like this:

Further investigation revealed that the customer had recently changed their SSL certificates. The new certificate did not include the full certificate chain, and because of that OpenSSO was rejecting the login server. The issue was quickly fixed by importing the server certificate into the jre\lib\security\cacerts file using the keytool command:

keytool -import -trustcacerts -alias your_cert -file your_cert.crt -keystore cacerts

Later on, the certificate chain of the server was fixed, after which it was no longer necessary to include the certificate in the cacerts file.
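The rejection and both fixes described above can be reproduced offline with a throwaway PKI. This is an added example, not part of the original post: it uses the openssl CLI instead of OpenSSO and keytool, and every certificate and file name in it is constructed.

```shell
#!/bin/sh
# Added example. All certificates are constructed, throwaway test data.
# Assumes the openssl CLI is installed; file names are hypothetical.

# Build root -> intermediate -> server certificates in directory $1.
make_pki() {
  d="$1"
  # Minimal request config so the script does not rely on a system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > "$d/req.cnf"
  # Extension file marking a certificate as a CA (root and intermediate only).
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  for n in root inter server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
      -subj "/CN=constructed-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.crt" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

# Return 0 when `openssl verify` accepts the certificate with the given options.
verifies() { openssl verify "$@" >/dev/null 2>&1; }

# Print the outcome of one scenario: $1 = label, remaining args go to verifies.
report() {
  label="$1"; shift
  if verifies "$@"; then echo "$label: accepted"; else echo "$label: REJECTED"; fi
}

demo() {
  w=$(mktemp -d) && make_pki "$w" || return 1
  # Server sends only its own certificate: the client cannot reach the root.
  report "leaf only, root trusted" -CAfile "$w/root.crt" "$w/server.crt"
  # Server sends the intermediate too (the proper fix on the server side).
  report "full chain, root trusted" -CAfile "$w/root.crt" -untrusted "$w/inter.crt" "$w/server.crt"
  # Client trusts the server certificate directly (the keytool workaround).
  report "leaf only, leaf trusted" -partial_chain -CAfile "$w/server.crt" "$w/server.crt"
  rm -rf "$w"
}
demo
```

The third case trusts one specific certificate, so it has to be repeated whenever that certificate is replaced, whereas fixing the chain on the server needs no client-side change.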
