SVT: Enabling ARG SEC_SSO_PROVIDERS in Dockerfile causes conflicts with jakarta ee10 features #389

Open
rumanaHaque opened this issue Mar 22, 2023 · 7 comments · May be fixed by #408
Labels
bug SVT Tests/Defectsby SVT zenhub-dev


@rumanaHaque

I am testing the OIDC in WebSphere Liberty Operator using this test case:

SVT: Test SSO with OIDC provider with WLO 1.1.0 using RH-SSO and new Jakarta-ee10 features
#276

As part of this test case, I have enabled these features in my server.xml

<featureManager>
    <!-- <feature>jakartaee-10.0</feature>
    <feature>jakartaee-9.1</feature>
    <feature>microProfile-5.0</feature> -->
    <feature>appClientSupport-2.0</feature>
    <feature>appSecurity-5.0</feature>
    <feature>cdi-4.0</feature>
    <feature>enterpriseBeans-4.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>localConnector-1.0</feature>
    <feature>mdb-4.0</feature>
    <feature>messaging-3.1</feature>
    <feature>messagingClient-3.0</feature>
    <feature>messagingSecurity-3.0</feature>
    <feature>messagingServer-3.0</feature>
    <feature>pages-3.1</feature>
    <feature>persistence-3.1</feature>
    <feature>restfulWS-3.1</feature>
    <feature>xmlWS-4.0</feature>
    <!-- <feature>socialLogin-1.0</feature> -->
</featureManager>

Also - I have these settings in my Dockerfile:

# Optional functionality
ARG TLS=true
#ARG SEC_SSO_PROVIDERS="oauth oidc facebook google github twitter linkedin"
# Optional functionality
ARG TLS=true
#ARG SEC_SSO_PROVIDERS="oauth oidc facebook google github twitter linkedin"
ARG SEC_SSO_PROVIDERS="oidc"
#ARG OPENJ9_SCC=false
ARG VERBOSE=true

# trust certificates from well known CA's
ENV SEC_TLS_TRUSTDEFAULTCERTS=true

# trust certificates from within the cluster, such as Red Hat SSO.
ENV SEC_IMPORT_K8S_CERTS=true

Having the ARG SEC_SSO_PROVIDERS="oidc" in my Dockerfile is causing conflicts when I start my server - with the following error:

product = Open Liberty 23.0.0.2-beta (wlp-1.0.73.cl230120230123-2118)
wlp.install.dir = /opt/ol/wlp/
server.output.dir = /opt/ol/wlp/output/defaultServer/
java.home = /opt/java/openjdk
java.version = 17.0.5
java.runtime = IBM Semeru Runtime Open Edition (17.0.5+8)
os = Linux (5.4.0-144-generic; amd64) (en_US)
process = 1@012c31d435e1
Classpath = /opt/ol/wlp/bin/tools/ws-server.jar:/opt/ol/wlp/bin/tools/ws-javaagent.jar
Java Library path = /opt/java/openjdk/lib/default:/opt/java/openjdk/lib:/usr/lib64:/usr/lib
********************************************************************************
[3/20/23, 20:03:21:930 UTC] 00000001 com.ibm.ws.kernel.launch.internal.FrameworkManager      A CWWKE0001I: The server defaultServer has been launched.
[3/20/23, 20:03:22:309 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[3/20/23, 20:03:22:356 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/open-default-port.xml
[3/20/23, 20:03:22:357 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/sso-features.xml
[3/20/23, 20:03:22:359 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/sso-oidc.xml
[3/20/23, 20:03:22:364 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/overrides/tls.xml
[3/20/23, 20:03:22:365 UTC] 00000021 com.ibm.ws.config.xml.internal.ServerXMLConfiguration    A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/overrides/trustDefault.xml
[3/20/23, 20:03:22:502 UTC] 00000001 com.ibm.ws.kernel.launch.internal.FrameworkManager      I CWWKE0002I: The kernel started after 0.772 seconds
[3/20/23, 20:03:22:582 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager      I CWWKF0007I: Feature update started.
[3/20/23, 20:03:24:120 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager      E CWWKF0044E: The persistence-3.1 and appSecurity-2.0 features cannot be loaded at the same time. The persistence-3.1 feature of Jakarta EE 10 is incompatible with the appSecurity-2.0 feature of Java EE 6. The persistence-3.1 and appSecurity-2.0 configured features include an incompatible combination of features. Your configuration is not supported. Update the configuration to use features that support either the Jakarta EE or Java EE programming models, but not both.
[3/20/23, 20:03:24:126 UTC] 0000002a com.ibm.ws.logging.internal.impl.IncidentImpl        I FFDC1015I: An FFDC Incident has been created: "java.lang.IllegalArgumentException: Unable to load conflicting versions of features "com.ibm.websphere.appserver.eeCompatible-10.0" and "com.ibm.websphere.appserver.eeCompatible-6.0". The feature dependency chains that led to the conflict are: io.openliberty.persistence-3.1 -> io.openliberty.persistenceContainer-3.1 -> io.openliberty.xmlBinding.internal-4.0 -> io.openliberty.jakarta.xmlBinding-4.0 -> com.ibm.websphere.appserver.eeCompatible-10.0 and com.ibm.websphere.appserver.appSecurity-2.0 -> com.ibm.websphere.appserver.eeCompatible-6.0 com.ibm.ws.kernel.feature.internal.FeatureManager reportErrors" at ffdc_23.03.20_20.03.24.0.log
[3/20/23, 20:03:24:128 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager      E CWWKF0033E: The singleton features servlet-6.0 and servlet-3.1 cannot be loaded at the same time. The configured features pages-3.1 and socialLogin-1.0 include one or more features that cause the conflict. Your configuration is not supported; update server.xml to remove incompatible features.
[3/20/23, 20:03:24:136 UTC] 0000002a com.ibm.ws.logging.internal.impl.IncidentImpl        I FFDC1015I: An FFDC Incident has been created: "java.lang.IllegalArgumentException: Unable to load conflicting versions of features "com.ibm.websphere.appserver.servlet-6.0" and "com.ibm.websphere.appserver.servlet-3.1". The feature dependency chains that led to the conflict are: io.openliberty.pages-3.1 -> com.ibm.websphere.appserver.servlet-6.0 and com.ibm.websphere.appserver.socialLogin-1.0 -> io.openliberty.socialLogin1.0.internal.ee-6.0 -> com.ibm.websphere.appserver.servlet-3.1 com.ibm.ws.kernel.feature.internal.FeatureManager reportErrors" at ffdc_23.03.20_20.03.24.1.log
[3/20/23, 20:03:24:136 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager      E CWWKF0033E: The singleton features com.ibm.websphere.appserver.transaction-2.0 and com.ibm.websphere.appserver.transaction-1.1 cannot be loaded at the same time. The configured features persistence-3.1 and persistence-3.1 include one or more features that cause the conflict.
@rumanaHaque rumanaHaque added bug SVT Tests/Defectsby SVT labels Mar 22, 2023
@rumanaHaque
Author

If I comment out the ARG SEC_SSO_PROVIDERS="oidc" line in my Dockerfile - and rebuild the image - then there are no conflicts at server startup.

@leochr
Member

leochr commented Mar 23, 2023

Setting SEC_SSO_PROVIDERS also enables the following features: appSecurity-2.0, socialLogin-1.0

This is added to the container at /config/configDropins/defaults/sso-features.xml by features.sh

appSecurity-2.0 is causing conflict with the Jakarta EE10 features.

So a workaround would be to add an empty file to replace it. Make sure to add the features, including socialLogin-1.0, to your server.xml.

  1. Create an empty server config file, empty-config.xml:
<server/>
  2. Add it to the application's Dockerfile after RUN features.sh:
COPY --chown=1001:0 empty-config.xml /config/configDropins/defaults/sso-features.xml

FYI @rumanaHaque
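
A pre-build check for the situation described in this comment, as an added example that is not part of the issue thread or the project's code: it lists features requested at more than one version across server.xml and the configDropins files, which is how appSecurity-2.0 from sso-features.xml ends up beside appSecurity-5.0. The XML contents are constructed samples (the drop-in's contents are assumed from the comment above), and the check covers only direct same-name clashes, not transitive ones such as socialLogin-1.0 versus pages-3.1.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample inputs. The drop-in content is an assumption based on the
# comment above (appSecurity-2.0 and socialLogin-1.0); server.xml is abridged
# from the issue report.
SSO_FEATURES_XML = """<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>socialLogin-1.0</feature>
  </featureManager>
</server>"""

SERVER_XML = """<server>
  <featureManager>
    <!-- <feature>jakartaee-10.0</feature> -->
    <feature>appSecurity-5.0</feature>
    <feature>pages-3.1</feature>
    <feature>persistence-3.1</feature>
  </featureManager>
</server>"""

EMPTY_XML = "<server/>"  # the workaround file from the comment above
DROPIN = "configDropins/defaults/sso-features.xml"

def features(xml_text):
    """Feature names declared in one config document (XML comments are skipped)."""
    root = ET.fromstring(xml_text)
    return [f.text.strip() for f in root.iter("feature") if f.text and f.text.strip()]

def version_clashes(configs):
    """configs maps file name -> XML text. Returns {short name: {version: [files]}}
    for every feature that the files request at more than one version."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, text in configs.items():
        for feat in features(text):
            m = re.fullmatch(r"(.+)-(\d+(?:\.\d+)*)", feat)
            if m:
                seen[m.group(1)][m.group(2)].append(name)
    return {short: dict(versions)
            for short, versions in seen.items() if len(versions) > 1}

if __name__ == "__main__":
    as_built = {DROPIN: SSO_FEATURES_XML, "server.xml": SERVER_XML}
    worked_around = {DROPIN: EMPTY_XML, "server.xml": SERVER_XML}
    print("image as built: ", version_clashes(as_built))
    print("with workaround:", version_clashes(worked_around))
```
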

@rumanaHaque
Author

Thanks @leochr I was able to use this workaround, and successfully start my server without any conflicts.

@rumanaHaque
Author

@leochr Do you know if this has already been fixed in the current Liberty builds?

@leochr
Member

leochr commented Jun 6, 2023

@rumanaHaque not yet, but we plan to add a flag to skip adding the SSO features. We'll let you know when it's added.

@kabicin kabicin linked a pull request Jun 12, 2023 that will close this issue
@rumanaHaque
Author

@leochr - Do you know if this defect has been fixed yet in the current Liberty builds? I am writing an Open Liberty blog which uses the same configuration, and was hoping I don't have to use the workaround as mentioned in this defect. Please let me know. Thanks.

@leochr
Member

leochr commented Sep 18, 2023

@rumanaHaque It's not in a release yet. We'll target 4Q to address this
