Java Agents

Limitations

The following limitations are inherent to the design, not bugs to be fixed.

Java Agent on Jetty 12

For installation on Jetty 12, you can deploy into the Javax EE 8, Jakarta EE 9, or Jakarta EE 10 environment. However, Java Agent can protect applications in only one of these EE environments at a time, so choose the environment your protected applications use.

Java Agent on Jetty 12 runs on Java 17.

CDSSO domain list restrictions

WildFly and JBoss

Cookie support in WildFly and JBoss is implemented so that only one cookie with a given name can be set on a response. This prevents the agent from setting the same session cookie for multiple domains.

Because of this, configuring the JWT Cookie Domain List with more than one cookie domain may result in redirection loops: the agent can only ever set the cookie for one of the configured domains, so requests arriving for the other domains are never recognized as authenticated.

To work around this issue, perform the following steps:

  1. Go to Realms > Realm Name > Applications > Agents > Java > Agent Name > SSO.

  2. Remove all cookie domains from the JWT Cookie Domain List.

  3. Go to Realms > Realm Name > Applications > Agents > Java > Agent Name > Global.

  4. Configure any required entries in the Agent Root URL for CDSSO. The agent sets the cookie domain based on the requested resource.

Tomcat

Tomcat 8.0.x introduced a new cookie processor, org.apache.tomcat.util.http.Rfc6265CookieProcessor, that became the default cookie processor on Tomcat 8.5.x.

The new cookie processor validates the Domain attribute according to RFC 6265 and rejects values that do not start with a letter or a digit. As a result, configuring domains with leading dots (.) in the JWT Cookie Domain List can result in the following issues:

  • Java Agent returning HTTP 403 errors.

  • Tomcat server logging messages similar to the following:

    ERROR: AmFilter: Error while delegating to inbound handler: CDSSO Result Task Handler, access will be denied
    java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:183)
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:125)
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:989)
    at org.apache.catalina.connector.Response.addCookie(Response.java:937)
    at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386)
    at com.sun.identity.shared.encode.CookieUtils.addCookieToResponse(CookieUtils.java:412)
    ...

To work around this issue, perform one of the following actions:

  • Configure the legacy cookie processor implementation, org.apache.tomcat.util.http.LegacyCookieProcessor, in your Tomcat server. Refer to the documentation for your version of Tomcat for more information.

  • Ensure the domains entered in JWT Cookie Domain List start with a number or a letter. For example:

    Valid configuration

    org.forgerock.agents.jwt.cookie.domain.list[0]=example.com
    org.forgerock.agents.jwt.cookie.domain.list[1]=123company.com

    Invalid configuration

    org.forgerock.agents.jwt.cookie.domain.list[0]=.example.com
    org.forgerock.agents.jwt.cookie.domain.list[1]=.mycompany.com
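The first workaround is a Tomcat setting, not an agent setting. The following context.xml fragment is an added example and is not part of the original page or the agent distribution; it selects the legacy cookie processor for every web application on the server when placed in conf/context.xml, or for a single application when placed in that application's META-INF/context.xml. Before relying on it, confirm that your Tomcat version still ships LegacyCookieProcessor (it is deprecated in later releases), in which case the second workaround, removing the leading dots, is the durable fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/context.xml (server-wide) or <app>/META-INF/context.xml (one application).
     Added example: replaces the default Rfc6265CookieProcessor so that
     Domain=.example.com is accepted instead of raising IllegalArgumentException. -->
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
```

Restart Tomcat after the change and confirm that the "An invalid domain [...] was specified for this cookie" message no longer appears in the logs when a CDSSO request is handled.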
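To catch a bad JWT Cookie Domain List before the agent is deployed, the following pre-flight check is an added example, not code from the page or the agent. It re-implements the Rfc6265CookieProcessor domain rules as this editor understands them (an assumption about Tomcat's validateDomain: only letters, digits, hyphens and dots; each label starts and ends with a letter or digit; the domain ends with a label), scans constructed sample property lines, and normalizes offending values by stripping the leading dot, which RFC 6265 tells clients to ignore anyway.

```python
"""Pre-flight check for org.forgerock.agents.jwt.cookie.domain.list entries.

Added example: validates each configured domain against the Tomcat
Rfc6265CookieProcessor rules (re-implemented here; assumption about the
exact checks) and suggests the corrected value.
"""
import re
from typing import Dict, Optional

# Property name taken from the page; the bracketed index is the list position.
_PROP_RE = re.compile(
    r"^org\.forgerock\.agents\.jwt\.cookie\.domain\.list\[(\d+)\]=(.*)$"
)


def validate_domain(domain: str) -> Optional[str]:
    """Return None if `domain` would pass Rfc6265CookieProcessor.validateDomain,
    otherwise a short reason (assumed rule set, mirroring Tomcat's checks)."""
    if not domain:
        return "empty domain"
    prev: Optional[str] = None
    for ch in domain:
        if not (ch.isascii() and (ch.isalnum() or ch in "-.")):
            return f"invalid character {ch!r}"
        # A label must start with a letter or digit: '.' or '-' may not follow
        # the start of the string or another '.', so ".example.com" fails here.
        if (prev is None or prev == ".") and ch in ".-":
            return "label must start with a letter or digit"
        # A label must end with a letter or digit: "bad-.example.com" fails here.
        if prev == "-" and ch == ".":
            return "label must end with a letter or digit"
        prev = ch
    # The domain itself must end with a label, not a separator.
    if prev in ".-":
        return "domain must end with a label"
    return None


def normalize_domain(domain: str) -> str:
    """Corrected value: drop leading dots (ignored by RFC 6265 clients) and
    lower-case, which is how cookie domains are compared."""
    return domain.strip().lstrip(".").lower()


def check_properties(text: str) -> Dict[str, str]:
    """Scan agent .properties text and return {offending line: reason}."""
    problems: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = _PROP_RE.match(line)
        if not match:
            continue
        reason = validate_domain(match.group(2).strip())
        if reason is not None:
            problems[line] = reason
    return problems


# Constructed sample configuration (not taken from a real deployment).
SAMPLE_PROPERTIES = """\
org.forgerock.agents.jwt.cookie.domain.list[0]=example.com
org.forgerock.agents.jwt.cookie.domain.list[1]=.mycompany.com
org.forgerock.agents.jwt.cookie.domain.list[2]=123company.com
org.forgerock.agents.jwt.cookie.domain.list[3]=bad-.example.com
"""

if __name__ == "__main__":
    for line, reason in check_properties(SAMPLE_PROPERTIES).items():
        key, value = line.split("=", 1)
        print(f"{line}\n  rejected: {reason}")
        fixed = normalize_domain(value)
        if validate_domain(fixed) is None:
            print(f"  suggested: {key}={fixed}")
```

Run it against the agent's .properties file (or against the values you plan to enter in the console) before restarting Tomcat; every line it reports would trigger the IllegalArgumentException and HTTP 403 shown above.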

The agentadmin command shows warning messages

The agentadmin command may show warning messages similar to the following:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1 ...
WARNING: Please consider reporting this to the maintainers of org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

These warnings are emitted by the JDK because a library bundled with the agentadmin tool uses reflection on JDK internals. They do not affect the installation and you can safely ignore them.