eclipse-ee4j / krazo

Liberty test suite fails when checking for the CSRF header #289

Open jesse-gallagher opened 2 years ago

jesse-gallagher commented 2 years ago

After applying the changes in https://github.com/eclipse-ee4j/krazo/pull/288 and using a Liberty 21.0.0.12 JEE 9 beta, there is one test failure: org.eclipse.krazo.test.CsrfIT.testFormHeaderOk.

Specifically, the failure is that the header it's looking for (X-CSRF-TOKEN) is not present in the response. Judging from the output, it looks like possibly it's another case of "Cannot set header", though this time actually causing trouble. Unfortunately, the stack trace for that isn't any more specific than the previous similar issues:

[WARNING ] SRVE8094W: WARNING: Cannot set header. Response already committed.  Stack trace of errant attempt to set header: 
        at com.ibm.ws.webcontainer.srt.SRTServletResponse.setHeader(SRTServletResponse.java:1764)
        at [internal classes].(Unknown Source)
        at org.eclipse.krazo.core.ViewableWriter$DelegatingServletOutputStream.write(ViewableWriter.java:196)
        at java.base/java.io.OutputStream.write(OutputStream.java:157)
        at java.base/sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:233)
        at java.base/sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:312)
        at java.base/sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:316)
        at java.base/sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:153)
        at java.base/java.io.OutputStreamWriter.flush(OutputStreamWriter.java:251)
        at java.base/java.io.PrintWriter.flush(PrintWriter.java:396)
        at org.eclipse.krazo.core.ViewableWriter.writeTo(ViewableWriter.java:169)
        at org.eclipse.krazo.core.ViewableWriter.writeTo(ViewableWriter.java:1)
        at org.jboss.resteasy.core.interception.jaxrs.ServerWriterInterceptorContext.lambda$writeTo$1(ServerWriterInterceptorContext.java:79)
        at [internal classes].(Unknown Source)

erdlet commented 2 years ago

Thanks for opening the ticket. I remember we had this stack trace before, some time ago. I'll check the old issues later.

chkal commented 2 years ago

Such an exception basically means that some component did commit the response BEFORE the ViewableWriter was invoked. Committing a response is typically caused by calling HttpServletResponse.getWriter() or HttpServletResponse.getOutputStream().

Unfortunately, this is really hard to debug. One way would be to use a Servlet filter to replace the HttpServletResponse with a custom implementation which logs calls to getWriter() or getOutputStream(). Or maybe increasing the log level of Liberty could help!?
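
One way to write the logging filter suggested in the comment above, as an added example that is not part of the thread or of Krazo's code. The class names `CommitTraceFilter` and `TracingResponse` are hypothetical, the `jakarta.servlet` namespace is assumed because the report targets Jakarta EE 9, and the example goes slightly beyond the comment by also tracing `flushBuffer()` and late `setHeader()` calls:

```java
import jakarta.servlet.*;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical diagnostic filter (names are assumptions, not Krazo code).
// Deploy it only in the test application while hunting the early commit.
@WebFilter("/*")
public class CommitTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(CommitTraceFilter.class.getName());

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Hand the rest of the chain a response that records who touches it.
        chain.doFilter(req, new TracingResponse((HttpServletResponse) res));
    }

    static class TracingResponse extends HttpServletResponseWrapper {
        TracingResponse(HttpServletResponse delegate) { super(delegate); }

        private void trace(String call) {
            // The Throwable is never thrown; it only carries the caller's stack.
            LOG.log(Level.INFO, call + " called, committed=" + isCommitted(),
                    new Throwable("call site"));
        }

        @Override public PrintWriter getWriter() throws IOException {
            trace("getWriter()");
            return super.getWriter();
        }
        @Override public ServletOutputStream getOutputStream() throws IOException {
            trace("getOutputStream()");
            return super.getOutputStream();
        }
        @Override public void flushBuffer() throws IOException {
            trace("flushBuffer()");
            super.flushBuffer();
        }
        @Override public void setHeader(String name, String value) {
            // This is the case SRVE8094W warns about: a header set too late is dropped.
            if (isCommitted()) trace("setHeader(" + name + ") after commit");
            super.setHeader(name, value);
        }
    }
}
```

The wrapper only sees calls made through the wrapped response object, so a component that holds a reference to the container's original response will not appear in this log.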