--- title: Limitations description: The following limitations are inherent to the design, not bugs to be fixed. component: java-agents version: release-notes page_id: java-agents::limitations canonical_url: https://docs.pingidentity.com/java-agents/release-notes/limitations.html section_ids: java_agent_on_jetty_12: Java Agent on Jetty 12 cdsso_domain_list_restrictions: CDSSO domain list restrictions wildfly_and_jboss: WildFly and JBoss tomcat: Tomcat the_agentadmin_command_shows_warning_messages: The agentadmin command shows warning messages --- # Limitations The following limitations are inherent to the design, not bugs to be fixed. ## Java Agent on Jetty 12 For installation on Jetty 12, you can use Javax EE8, Jakarta EE9, or Jakarta EE10. However, Java Agent can protect applications in only one EE environment at a time. Java Agent on Jetty 12 runs on Java 17. Learn more from [Eclipse Jetty: Operations Guide](https://eclipse.dev/jetty/documentation/jetty-12/operations-guide/index.html#og-begin). ## CDSSO domain list restrictions ### WildFly and JBoss Cookie support in WildFly and JBoss has been implemented so that only one cookie can be set with a certain name. This prevents setting the same cookie for multiple domains. Configuring the `JWT Cookie Domain List` with more than one cookie domain may result in redirection loops. To work around this issue, perform the following steps: 1. Go to Realms > *Realm Name* > Applications > Agents > Java > *Agent Name* > SSO. 2. Remove all cookie domains from the `JWT Cookie Domain List`. 3. Go to Realms > *Realm Name* > Applications > Agents > Java > *Agent Name* > Global. 4. Configure any required entries in the Agent Root URL for CDSSO. The agent sets the cookie domain based on the requested resource. ### Tomcat Tomcat 8.0.x introduced a new cookie processor, `org.apache.tomcat.util.http.Rfc6265CookieProcessor`, that became the default cookie processor on Tomcat 8.5.x. Due to the new cookie processor's cookie validation checks, configuring domains with leading dots (`.`) in the `JWT Cookie Domain List` can result in the following issues: * Java Agent returning HTTP 403 errors. * Tomcat server logging messages similar to the following: ```bash ERROR: AmFilter: Error while delegating to inbound handler: CDSSO Result Task Handler, access will be denied java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:183) at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:125) at org.apache.catalina.connector.Response.generateCookieString(Response.java:989) at org.apache.catalina.connector.Response.addCookie(Response.java:937) at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386) at com.sun.identity.shared.encode.CookieUtils.addCookieToResponse(CookieUtils.java:412) ... ``` To work around this issue, perform one of the following actions: * Configure the legacy cookie processor implementation, `org.apache.tomcat.util.http.LegacyCookieProcessor`, in your Tomcat server. Refer to the documentation for your version of Tomcat for more information. * Ensure the domains entered in `JWT Cookie Domain List` start with a number or a letter. For example: Valid configuration ```none org.forgerock.agents.jwt.cookie.domain.list[0]=example.com org.forgerock.agents.jwt.cookie.domain.list[1]=123company.com ``` Invalid configuration ```none org.forgerock.agents.jwt.cookie.domain.list[0]=.example.com org.forgerock.agents.jwt.cookie.domain.list[1]=.mycompany.com ``` ## The agentadmin command shows warning messages The `agentadmin` command may show warning messages similar to the following: ```bash WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1 ... WARNING: Please consider reporting this to the maintainers of org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1 WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release ``` You can safely ignore these messages.