1 2 Previous Next 20 Replies Latest reply on Oct 11, 2007 9:43 AM by 807573

    Policy Agent 2.2 on Glassfish 2: Invalid application password specified

    807573
      Hello

      I have successfully installed, configured and started:

      Access Manager 7.1 on
      Glassfish 2 using
      Policy Agent 2.2 for JavaEE 9.1
      and some simple web application for testing with the name 'amtest'

      I keep getting the following error (stack trace extract) when I browse to that webapplication. The browser is also not redirected to the login page of Access Manager. Instead I see a white page in the browse and the follwoing error in server.log (some lines removed and replaced with ...)
      Unexpected error forwarding to login page
      javax.servlet.ServletException: PWC1243: Filter execution threw an exception
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:254)
      ...
      Caused by: java.lang.ExceptionInInitializerError
              at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:622)
      ...
      Caused by: java.lang.RuntimeException: Invalid application password specified
              at com.sun.identity.agents.arch.AgentConfiguration.setApplicationPassword(AgentConfiguration.java:719)
      ...
      Exception in thread "AgentConfigMonitor" 
      java.lang.NoClassDefFoundError: Could not initialize class com.sun.identity.agents.arch.AgentConfiguration
              at com.sun.identity.agents.arch.AgentConfiguration.getDebug(AgentConfiguration.java:1072)
      ...
      ApplicationDispatcher[/amtest] PWC1231: Servlet.service() for servlet default threw exception
      java.lang.NoClassDefFoundError: Could not initialize class com.sun.identity.agents.filter.AmFilterManager
              at com.sun.identity.agents.filter.AmAgentBaseFilter.initializeFilter(AmAgentBaseFilter.java:217)
      ...
      This error clearly comes from a password problem. I double and triple checked the agent's passowrd in Access Manager and in the AMAgent.properties, even by recalculating it using "agentadmin --encrypt".

      Has somebody had the same problem?
      Thank you
      Koen
        • 1. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
          807573
          Hello again

          I have just completed a test with the sample application that is distributed with the Policy Agent 2.2 for SJSAS 9.1 (from opensso.dev.java.net) and encountered exactly the same problem.

          Koen
          • 2. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
            807573
            You seem to be missing some jar files in the classpath.
            Are all the agent's class files there in the app server's classpath?

            Ankush
            • 3. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
              807573
              Thank you for replying.

              I think it is not a classpath problem. I had indeed classpath problems but was able to solve them.

              There is indeed a class problem, but it is an initialization problem that happens because of the missing password problem.

              I think, in other words, that Glassfish says: sorry, I cannot load that class because I miss information.

              Koen
              • 4. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                807573
                Hi Koen,

                You'll get a "java.lang.NoClassDefFoundError" error when a class file cannot be found in the classpath.

                If some information is missing, you tend to get a null pointer exception somewhere down the line.

                Cheers,

                Ankush
                • 5. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                  807573
                  I am perfectly aware of that. It is exactly the source of my confusion, because the "missing" class IS in the classpath! All these classes reside in agent.jar, which is deployed in <glassfish>/domains/domain1/lib. When looking at the full stack trace, you see
                  java.lang.ExceptionInInitializerError
                          at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:622)
                  ...
                  Caused by: java.lang.RuntimeException: Invalid application password specified
                          at com.sun.identity.agents.arch.AgentConfiguration.setApplicationPassword(AgentConfiguration.java:719)
                  ...
                  Caused by: java.lang.ExceptionInInitializerError
                          at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:622)
                  ...
                  Caused by: java.lang.RuntimeException: Invalid application password specified
                          at com.sun.identity.agents.arch.AgentConfiguration.setApplicationPassword(AgentConfiguration.java:719)
                  ...
                  Exception in thread "AgentConfigMonitor" 
                  java.lang.NoClassDefFoundError: Could not initialize class com.sun.identity.agents.arch.AgentConfiguration
                          at com.sun.identity.agents.arch.AgentConfiguration.getDebug(AgentConfiguration.java:1072)
                  ...
                  which proofs that the classes com.sun.identity.agents.arch.Manager and com.sun.identity.agents.arch.AgentConfiguration are indeed loaded. I think they cannot be initialized because of a password problem.

                  To me it seems that the Policy Agent sends the wrong password to Access Manager, or that there is a communication problem. See a former post of mine regarding a similar problem when using Policy Agent for Tomcat, where a SOAP-problem seems to be the reason for similar problems.

                  Thank you
                  Koen
                  • 6. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                    807573
                    In the AMAgent.properties can you turn up the log level to message and see what is in the agent log files? If it is a password issue you may want to look in the amAuthApplication log file on the server and see if there are any invalid login attempts.
                    • 7. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                      807573
                      Thank you, Aaron.

                      I had indeed already discovered those conf and log files, set the message level to 'error' and afterwards found some error messages in it.

                      But I have had no time yet to look deeper into it, but will soon. I will post a message if I find something useful.

                      Thanks
                      Koen
                      • 8. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                        807573
                        Hello Koen, did you find anything interesting about this problem?

                        Thanks
                        • 9. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                          807573
                          Hello again,

                          Unfortunately I have had no time for further tests.

                          A working and tested sample program demonstrating the use of J2EE_POLICY would be valuable. But I think that Sun doesn't provide such a sample.

                          Koen
                          • 10. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                            807573
                            I tried to install the Application Server Policy Agent 2.2, but the modification of the domain.xml fails each time, on two different machines and OS (Solaris and Windows)... I added manually some entries like the jars in the classpath and the AMAgent.properties, but it seems not to be sufficient. I guess it is also necessary to at least add the dedicated Realm, activate the Security, and perhaps also a lifecycle-module.
                            Could you tell me which entries are inserted into the domain.xml with a -successfull- agent install?

                            Thanks,
                            Yann
                            • 11. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                              807573
                              Hi,

                              the J2EE agents come with a sample application that is set up to use many of the features. Just look inside j2ee_agents\appserver_v9_agent\sampleapp\ of you agent unzip.

                              hth,
                              Sean
                              • 12. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                                807573
                                Hello again

                                I believe that the sample application application uses URL_POLICY and not J2EE_POLICY in the configuration of the agent.

                                In my opinion, the real beauty of the whole Sun Identity architecture is the use of J2EE_POLICY.

                                Therefore, in my opinion, a better sample application should be provided.

                                Koen
                                • 13. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                                  807573
                                  Hi Yann,

                                  You should rely on the agent installer. Manually editting domain.xml etc is likely to be tricky. Instead, can we figure out why your installation was not successful?

                                  I can help you install the agent on GlassFish. I install all the time on windows and the installer works correctly. What version of GlassFish do you have? Did you download it from glassfish.dev.java.net?

                                  Did you also install the Access Manager server? Did you then install the agent on the same domain? Trying to install an agent on the same domain that you have already installed the Access Manager am server war often causes many problems. Both the agent and the am server installations modify the application server's domain.xml including classpath settings, and often this results in conflicts. Hence you may see class not found or other classpath related issues and messages in logs etc.

                                  It is highly recommended to always install the agent on a separate domain from the domain where you have installed the Access Manager am server. It is easy to create another domain on Sun 9.x (GlassFish) app server. Each domain is independent and can be modified with affecting other domains. This gives nice isolation when configuring both the agent and the Access Manager am server. You can easily create a new domain on the Sun 9.x (GlassFish) app server running a command such as this from the app servers bin/ directory "asadmin create-domain --portbase 6868 --user admin domain2" with your own choices for 6868,admin, domain2.

                                  If you want to use the agent and the am server on the same application server installation, then create a new separate application server domain for the agent and install the agent on your new domain.

                                  Can you please try to create a new domain on GlassFish, then unzip agent download again, then run "agent --install" again? I suggest doing a copy/paste of the command line installation output and pasting it into a text document so you have a record of your installation questons and answers.

                                  I am trying to capture any of these troublshooting issues on wiki so we can help other people get the agent installed and running successfully
                                  http://wikis.sun.com/display/OpenSSO/GlassFishAgentTrouble

                                  hth,
                                  Sean
                                  • 14. Re: Policy Agent 2.2 on Glassfish 2: Invalid application password specified
                                    807573
                                    Hi Koen,

                                    It sets com.sun.identity.agents.config.filter.mode = ALL
                                    and in the sample app it uses
                                    J2EE_POLICY and URL policy. This way it showcases all of them. Some resources are protected by J2EE deployment decsriptor roles and have a matching policy on am server, and some resoources are protected by URL policy (so nothing specified in sample app deloymnet decsriptors) and have a policy on am server for that url. Right now it does not use SSO since it would require another web app, but that would be a good addition fo rthe future.

                                    If you are interested to try it out, I would be glad to help? It takes a little work because you have to set up some policies on am server, but this is also goo because you learn some of the basics of am server console UI features.

                                    hth,
                                    Sean
                                    1 2 Previous Next