OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

investigate SRVE8115W warning when using jax-rs with OpenIdAuthenticationMechanismDefinition #24690

Open jimmy1wu opened 1 year ago

jimmy1wu commented 1 year ago

The following warning message is logged when using JAX-RS with `OpenIdAuthenticationMechanismDefinition` (appSecurity-5.0): `[WARNING ] SRVE8115W: WARNING: Cannot set status. Response already committed.`

The warning message is logged after a redirect happens, e.g., after redirecting the browser to the OP's login page.

This method might be a good starting point to begin investigating further (more specifically the last line): https://github.com/OpenLiberty/open-liberty/blob/7e0db08687847952649d33a5bea24a0586663fc0/dev/io.openliberty.restfulWS30.appSecurity/src/io/openliberty/restfulWS30/appSecurity/LibertyAuthFilter.java#L66-L85

Example JAX-RS resource secured using `OpenIdAuthenticationMechanismDefinition`:

```java
import jakarta.annotation.security.DeclareRoles;
import jakarta.annotation.security.RolesAllowed;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.openid.LogoutDefinition;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

// Jakarta Security 3.0 OpenID Connect mechanism declared on the resource class;
// unauthenticated requests are redirected to the OP named by providerURI.
@Path("/system/properties")
@OpenIdAuthenticationMechanismDefinition(
        providerURI = "http://localhost:8080/realms/openliberty/.well-known/openid-configuration",
        clientId = "sample-openliberty-keycloak",
        clientSecret = "x4fRVAhk49TKDqVlzIt4q9oh8DSWfePt",
        redirectToOriginalResource = true,
        logout = @LogoutDefinition(notifyProvider = true))
@DeclareRoles({ "admin", "user" })
public class SystemResource {

    // Only the "admin" role may read the user name.
    @GET
    @Path("/username")
    @RolesAllowed({ "admin" })
    public String getUsername() {
        return System.getProperty("user.name");
    }

    // Both roles may read the OS name.
    @GET
    @Path("/os")
    @RolesAllowed({ "admin", "user" })
    public String getOS() {
        return System.getProperty("os.name");
    }

}
```
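The following is an added illustration, not code from this issue or from Open Liberty, of the mechanism behind the warning: once an authentication mechanism has written a redirect, the servlet response is committed, and any later `setStatus()` call is rejected by the container (which is what Liberty reports as SRVE8115W). It assumes the Jakarta EE 10 servlet API and Jakarta Security's `AuthenticationStatus` enum on the classpath; the filter class, its `authenticate` stand-in and the OP URL are hypothetical placeholders.

```java
// Added illustration (not Open Liberty code): a servlet Filter that shows why a
// status set after a redirect triggers SRVE8115W, and a guard that avoids it.
// Assumes jakarta.servlet (Jakarta EE 10) and jakarta.security.enterprise on the
// classpath; the OP URL is a placeholder, not a real endpoint.
package example;

import java.io.IOException;

import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebFilter("/system/*")
public class CommitAwareAuthFilter implements Filter {

    // Placeholder standing in for the OP's authorization endpoint.
    static final String OP_LOGIN_URL = "https://op.example.invalid/authorize";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        AuthenticationStatus status = authenticate(request, response);
        switch (status) {
            case SUCCESS:
                chain.doFilter(request, response);
                break;
            case SEND_CONTINUE:
                // The mechanism already wrote a redirect: the response is
                // committed and its status must not be touched again.
                break;
            default:
                // No redirect was written, so a status can still be set.
                setStatusIfNotCommitted(response, HttpServletResponse.SC_UNAUTHORIZED);
                break;
        }
    }

    // Hypothetical stand-in for the OpenID mechanism: unauthenticated callers are
    // redirected to the OP. sendRedirect() writes the 302 status and Location
    // header and commits the response.
    static AuthenticationStatus authenticate(HttpServletRequest request,
                                             HttpServletResponse response) throws IOException {
        if (request.getUserPrincipal() != null) {
            return AuthenticationStatus.SUCCESS;
        }
        response.sendRedirect(OP_LOGIN_URL);
        return AuthenticationStatus.SEND_CONTINUE;
    }

    // Sets the status only while the container still accepts one. Returns false
    // when the response is already committed; an unconditional setStatus() at
    // that point is exactly what Liberty logs as SRVE8115W.
    static boolean setStatusIfNotCommitted(HttpServletResponse response, int sc) {
        if (response.isCommitted()) {
            return false;
        }
        response.setStatus(sc);
        return true;
    }
}
```

The `isCommitted()` check is the servlet-level signal a filter can use to decide whether a status change is still possible; when investigating the linked `LibertyAuthFilter` line, confirming whether the response is already committed at that point is the first thing to verify in trace.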
ayoho commented 1 year ago

Might be something the JAX-RS team needs to take a look at first. We might need to collaborate on a fix for this.

jim-krueger commented 1 year ago

At this point I'd suggest collecting trace. For JAX-RS that would be:

```
com.ibm.ws.jaxrs*=all:com.ibm.websphere.jaxrs*=all:org.apache.cxf.*=all:RESTfulWS=all:org.jboss.resteasy.*=all:io.openliberty.org.jboss.*=all:io.openliberty.restfulWS.*=all
```

Not sure what additional security tracing would be appropriate.