I’ve been working lately with the Packaged Work Product (PWP) Integration for CA SSO with Tomcat v2.7.3.  The User Guide says this about the CookieDomain and CookieDomainScope parameters:

 

Important Note: In later versions of Tomcat 7 and 8, Tomcat no longer supports adding an HTTP Cookie with a leading “.”. If a Cookie is set with a leading “.”, Tomcat will not allow it to be added to the browser session. When configuring the Agent Configuration Object in the Policy Server use one of the following:

  • CookieDomain – Set without a leading “.” (recommended)
  • Do not set CookieDomain nor CookieDomainScope

 

The Tomcat agent works as advertised when I set CookieDomain to “demo.com” and CookieDomainScope is undefined.  However, I get the error below when I try the second option and do not set CookieDomain nor CookieDomainScope: 

 

05-Oct-2018 11:00:48.113 SEVERE [http-nio-8080-exec-3] org.apache.coyote.http11.Http11Processor.service Error processing request
java.lang.IllegalArgumentException: An invalid domain [.demo.com] was specified for this cookie
at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:203)
at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:145)
at org.apache.catalina.connector.Response.generateCookieString(Response.java:1019)
at org.apache.catalina.connector.Response.addCookie(Response.java:967)
at com.ca.gse.agent.core.HttpRequestContext.applyResponseCookies(HttpRequestContext.java:195)
at com.ca.gse.agent.core.AppServerAgent.invoke(AppServerAgent.java:244)
at com.ca.gse.agent.valve.tomcat.v70.AgentValve.invoke(AgentValve.java:72)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

 

Other environment details:

  • CentOS 6.10 x86_64 (a VMware Workstation Pro 14 VM)
  • Tomcat 8.5.32
  • JDK 1.8.0_162

Tomcat is launched with this command:

cd $CATALINA_HOME
./bin/jsvc
-classpath $CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/tomcat-juli.jar
-outfile $CATALINA_BASE/logs/catalina.out
-errfile $CATALINA_BASE/logs/catalina.err
-Dcatalina.home=$CATALINA_HOME
-Dcatalina.base=$CATALINA_BASE
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties
org.apache.catalina.startup.Bootstrap; sleep 3; tail -100f $CATALINA_BASE/logs/catalina.err

 

I feel confident the implementation is correct given it works fine with CookieDomain = demo.com.  Why is the cookie domain interpreted as having a leading period when CookieDomain and CookieDomainScope are not defined?  Is the documentation in error, or have I overlooked some configuration step?  Anyone else have experience with this?  


Source: New feed
{pubDate}

Leave a Reply

Your email address will not be published. Required fields are marked *