Problem:

The exception “org.omg.CORBA.NO_PERMISSION: No Context” is thrown from a VisiSecure-enabled Java server.

This article uses the following deployment scenario

Resolution:

By default, the context of the Target Security Context (TSS) is stateful, or re-usable. Please refer to section 24.3.1.1, Context Validation, of the OMG CORBA Specification version 3.0.

This exception is thrown when the period set by vbroker.security.TSS.authenticationTimeToLive has expired. By default, this property is set to 600 seconds (10 minutes). It is recommended to retain the default value. If GIOP requests arrive at intervals longer than the default, users can adjust this value to suit their environment.

When the Client Security Service (CSS) successfully establishes a Security Attribute Service (SAS) context, the TSS stores the SAS context for a specified time-to-live (TTL) period. Each GIOP request carries this SAS context. If a succeeding GIOP request arrives at the TSS after the TTL of the context has expired, the TSS throws the “org.omg.CORBA.NO_PERMISSION: No Context” exception and the CSS re-establishes the context.
Important note: From the user application layer, the end-to-end request and response are successful. The underlying ORB layers of the TSS, G/K (GateKeeper), and CSS take care of the re-establishment. There is, however, an overhead for the re-establishment.
 
The following is a sample stack trace from TSS with GIOP reply of NO_PERMISSION with a Major Code = 4:
03:48:58,884 [VBJ ThreadPool Worker id=0 se=iiop_tp scm=ssl orb=17fa65e] Debug VBJ-Application.orb_com.inprise.vbroker.orb.ORB@17fa65e.vbroker.log.default.filter.secure - xxx.xxx.xxx.xxx,00004816,No Permission ec_major = 4 ()
org.omg.CORBA.NO_PERMISSION: No Context  vmcid: 0x56422000  minor code: 771  completed: No
        at com.borland.security.csiv2.ServerConnectionContext.getConnectionPrincipal(ServerConnectionContext.java:243)
        at com.borland.security.csiv2.CSIV2ServerRequestInterceptor.receive_request_service_contexts(CSIV2ServerRequestInterceptor.java:442)
        at com.inprise.vbroker.interceptor.ServerPIAdapterImpl.preinvoke(Unknown Source)
        at com.inprise.vbroker.interceptor.ChainServerInterceptorAdapter.preinvoke(Unknown Source)
        at com.inprise.vbroker.poa.ServerInterceptorManager$ARWrapper.preinvoke_interceptor(Unknown Source)
        at com.inprise.vbroker.poa.POAImpl.preinvoke(Unknown Source)  
        at com.inprise.vbroker.ProtocolEngine.ServerEngineImpl.preinvoke(Unknown Source)
        at com.inprise.vbroker.GIOP.GiopProtocolAdapter.doRequest(Unknown Source)
        at com.inprise.vbroker.IIOP.ServerProtocolAdapter.doRequest(Unknown Source)
        at com.inprise.vbroker.GIOP.GiopProtocolAdapter.dispatchMessage(Unknown Source)
        at com.inprise.vbroker.orb.TPDispatcherImpl$TPDispatcher.run(Unknown Source)
        at com.inprise.vbroker.orb.ThreadPool$PoolWorker.run(Unknown Source)
  :::
03:48:58,890 [VBJ ThreadPool Worker id=0 se=iiop_tp scm=ssl orb=17fa65e] Debug VBJ-Application.orb_com.inprise.vbroker.orb.ORB@17fa65e.vbroker.log.default.filter.cdr - xxx.xxx.xxx.xxx,00004816,
 
****** Sending Message *****
47 49 4F 50 01 02 00 01 00 00 00 00 00 00 00 0C  GIOP............
00 00 00 02 00 00 00 01 00 00 00 0F 00 00 00 1C  ................
00 00 00 04 00 00 00 00 00 00 01 29 4C 9A F6 C6  ...........)L...
00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00  ................
00 00 00 24 49 44 4C 3A 6F 6D 67 2E 6F 72 67 2F  ...$IDL:omg.org/
43 4F 52 42 41 2F 4E 4F 5F 50 45 52 4D 49 53 53  CORBA/NO_PERMISS
49 4F 4E 3A 31 2E 30 00 56 42 23 03 00 00 00 01  ION:1.0.VB#.....
 
When G/K receives the exception with Major Code = 4, G/K translates the exception to a COMM_FAILURE exception and re-throws it to the CSS, to allow the re-establishment of the context.
The following is the sample stack trace when G/K receives the exception from TSS:
03:48:58,897 [VBJ ThreadSession worker id=28 se=exterior scm=ex-hiops orb=a9ae05] Debug VBJ-Application.orb_com.inprise.vbroker.orb.ORB@a9ae05.vbroker.log.default.filter.cdr - xxx.xxx.xxx.xxx,00006036,
 
****** Received Message *****
47 49 4F 50 01 02 00 01 00 00 00 64 00 00 00 0C  GIOP.......d....
00 00 00 02 00 00 00 01 00 00 00 0F 00 00 00 1C  ................
00 00 00 04 00 00 00 00 00 00 01 29 4C 9A F6 C6  ...........)L...
00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00  ................
00 00 00 24 49 44 4C 3A 6F 6D 67 2E 6F 72 67 2F  ...$IDL:omg.org/
43 4F 52 42 41 2F 4E 4F 5F 50 45 52 4D 49 53 53  CORBA/NO_PERMISS
49 4F 4E 3A 31 2E 30 00 56 42 23 03 00 00 00 01  ION:1.0.VB#.....
  :::
03:48:58,903 [VBJ ThreadSession worker id=28 se=exterior scm=ex-hiops orb=a9ae05] Debug VBJ-Application.orb_com.inprise.vbroker.orb.ORB@a9ae05.vbroker.log.default.filter.secure - xxx.xxx.xxx.xxx,00006036,Processed SAS Context, throwing exception ()
org.omg.CORBA.TRANSIENT: Message not in context, reestablish  vmcid: 0x56422000  minor code: 771  completed: No
        at com.borland.security.csiv2.CSIV2ClientRequestInterceptor.processContextError(CSIV2ClientRequestInterceptor.java:564)
        at com.borland.security.csiv2.CSIV2ClientRequestInterceptor.processSAS(CSIV2ClientRequestInterceptor.java:521)
        at com.borland.security.csiv2.CSIV2ClientRequestInterceptor.receive_exception(CSIV2ClientRequestInterceptor.java:402)
        at com.inprise.vbroker.interceptor.ClientPIAdapterImpl.receive_exception_or_other(Unknown Source)
        at com.inprise.vbroker.interceptor.ChainClientInterceptorAdapter.receive_exception_or_other(Unknown Source)
        at com.inprise.vbroker.interceptor.ChainClientInterceptorAdapter.invoke(Unknown Source)
        at com.inprise.vbroker.gatekeeper.orb.StubDelegate.invoke(Unknown Source)
        at com.inprise.vbroker.gatekeeper.ForwardRecord.invoke(Unknown Source)
        at com.inprise.vbroker.gatekeeper.Forwarder._invoke(Unknown Source)
        at com.inprise.vbroker.poa.POAImpl.invoke(Unknown Source)              
        at com.inprise.vbroker.poa.ActivationRecord.invoke(Unknown Source)
        at com.inprise.vbroker.poa.ServerInterceptorManager$ARWrapper.invoke(Unknown Source)
        at com.inprise.vbroker.GIOP.GiopProtocolAdapter.doRequest(Unknown Source)
        at com.inprise.vbroker.GIOP.GiopProtocolAdapter.dispatchMessage(Unknown Source)
        at com.inprise.vbroker.HIOP.ProtocolAdapterImpl.dispatchHIOP(Unknown Source)
        at com.inprise.vbroker.HIOP.ProtocolAdapterImpl.dispatchMessage(Unknown Source)
        at com.inprise.vbroker.orb.TSDispatcherImpl$TSDispatchThread.run(Unknown Source)
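
As an added example (not part of the original article or of VisiBroker), the Python code below decodes the Received Message dump above field by field, following the GIOP 1.2 Reply and CSIv2 SAS ContextError layouts, to show where Major Code = 4 and minor code 771 sit on the wire. The function and constant names are this example's own, and the major-status labels are taken from the CSIv2 ContextError definitions.

```python
import struct
# "Received Message" bytes copied from the dump above (GIOP 1.2 Reply).
REPLY_HEX = """
47 49 4F 50 01 02 00 01 00 00 00 64 00 00 00 0C
00 00 00 02 00 00 00 01 00 00 00 0F 00 00 00 1C
00 00 00 04 00 00 00 00 00 00 01 29 4C 9A F6 C6
00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00
00 00 00 24 49 44 4C 3A 6F 6D 67 2E 6F 72 67 2F
43 4F 52 42 41 2F 4E 4F 5F 50 45 52 4D 49 53 53
49 4F 4E 3A 31 2E 30 00 56 42 23 03 00 00 00 01
"""
SAS_CONTEXT_ID = 15    # IOP::SecurityAttributeService service context
MT_CONTEXT_ERROR = 4   # CSI::MTContextError message type
SAS_MAJOR = {1: "Invalid evidence", 2: "Invalid mechanism",
             3: "Conflicting evidence", 4: "No Context"}

def align(off, n):     # round off up to the next multiple of n (CDR alignment)
    return (off + n - 1) & ~(n - 1)

def decode_reply(hex_text):
    msg = bytes.fromhex(hex_text)
    if msg[:4] != b"GIOP" or msg[4:6] != b"\x01\x02" or msg[7] != 1:
        raise ValueError("not a GIOP 1.2 Reply")
    e = "<" if msg[6] & 1 else ">"          # flags bit 0: byte order
    size, req_id, status, n_ctx = struct.unpack_from(e + "4I", msg, 8)
    out = {"size": size, "request_id": req_id, "sas_error": None}
    off = 24
    for _ in range(n_ctx):                  # service context list
        ctx_id, length = struct.unpack_from(e + "2I", msg, off)
        data = msg[off + 8:off + 8 + length]
        off = align(off + 8 + length, 4)
        if ctx_id == SAS_CONTEXT_ID:        # data is a CDR encapsulation
            ce = "<" if data[0] & 1 else ">"
            if struct.unpack_from(ce + "h", data, 2)[0] == MT_CONTEXT_ERROR:
                cid, major, minor = struct.unpack_from(ce + "Q2i", data, 8)
                out["sas_error"] = {"client_context_id": cid, "major": major,
                                    "text": SAS_MAJOR.get(major), "minor": minor}
    if status == 2:                         # SYSTEM_EXCEPTION body, 8-aligned
        off = align(off, 8)
        (slen,) = struct.unpack_from(e + "I", msg, off)
        out["exception"] = msg[off + 4:off + 3 + slen].decode("ascii")
        off = align(off + 4 + slen, 4)
        code, completed = struct.unpack_from(e + "2I", msg, off)
        out["vmcid"], out["minor"] = code & 0xFFFFF000, code & 0xFFF
        out["completed"] = ("YES", "NO", "MAYBE")[completed]
    return out

if __name__ == "__main__":
    print(decode_reply(REPLY_HEX))
```

The same function applied to the COMM_FAILURE reply further down returns no SAS error, because G/K forwards that reply with an empty service context list.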
 
The following is the sample stack trace when G/K re-throws as COMM_FAILURE exception to CSS:
03:48:58,905 [VBJ ThreadSession worker id=28 se=exterior scm=ex-hiops orb=a9ae05] Debug VBJ-Application.orb_com.inprise.vbroker.orb.ORB@a9ae05.vbroker.log.default.filter.cdr - xxx.xxx.xxx.xxx,00006036,Sending exception to client:  ()
org.omg.CORBA.COMM_FAILURE:   vmcid: 0x56420000  minor code: 3  completed: No
        at com.inprise.vbroker.gatekeeper.orb.StubDelegate.throw_exception(Unknown Source)
        at com.inprise.vbroker.gatekeeper.orb.StubDelegate.invoke(Unknown Source)
        at com.inprise.vbroker.gatekeeper.ForwardRecord.invoke(Unknown Source)
        at com.inprise.vbroker.gatekeeper.Forwarder._invoke(Unknown Source)
        at com.inprise.vbroker.poa.POAImpl.invoke(Unknown Source)
        at com.inprise.vbroker.poa.ActivationRecord.invoke(Unknown Source)
        at com.inprise.vbroker.poa.ServerInterceptorManager$ARWrapper.invoke(Unknown Source)
        at com.inprise.vbroker.GIOP.GiopProtocolAdapter.doRequest(Unknown Source)
        at com.inprise.vbroker.GIOP.GiopProtocolAdapter.dispatchMessage(Unknown Source)
        at com.inprise.vbroker.HIOP.ProtocolAdapterImpl.dispatchHIOP(Unknown Source)
        at com.inprise.vbroker.HIOP.ProtocolAdapterImpl.dispatchMessage(Unknown Source)
        at com.inprise.vbroker.orb.TSDispatcherImpl$TSDispatchThread.run(Unknown Source)
 
Finally, CSS receives the COMM_FAILURE exception, re-binds, and re-issues the request:
****** Received Message *****
47 49 4F 50 01 02 00 01 00 00 00 3C 00 00 00 0A  GIOP.......<....
00 00 00 02 00 00 00 00 00 00 00 23 49 44 4C 3A  ...........#IDL:
6F 6D 67 2E 6F 72 67 2F 43 4F 52 42 41 2F 43 4F  omg.org/CORBA/CO
4D 4D 5F 46 41 49 4C 55 52 45 3A 31 2E 30 00 6B  MM_FAILURE:1.0.k
56 42 00 03 00 00 00 01                          VB......
 
 ()
17:08:37,746 [AWT-EventQueue-2] Debug VBJ-Application.orb_com.inprise.vbroker.orb.ORB@1094ac2.vbroker.log.default.filter.cdr - xxx.xxx.xxx.xxx,00000000,Read: com.inprise.vbroker.GIOP.ReplyMessage[version=1.2, message_size=60, request_id=10, moreFragments=false, service_contexts={}, reply_status=SYSTEM_EXCEPTION] ()
17:08:37,754 [AWT-EventQueue-2] Debug VBJ-Application.orb_com.inprise.vbroker.orb.ORB@1094ac2.vbroker.log.default.filter.secure - xxx.xxx.xxx.xxx,00000000,CSIV2 in receive_exception (open) ()
17:08:37,755 [AWT-EventQueue-2]  Info VBJ-Application.orb_com.inprise.vbroker.orb.ORB@1094ac2.vbroker.log.default.filter.orb - Received Remote COMM_FAILURE with minor VBVMCID1.value | 3 ()
17:08:37,755 [AWT-EventQueue-2]  Info VBJ-Application.orb_com.inprise.vbroker.orb.ORB@1094ac2.vbroker.log.default.filter.orb - Current rebind mode=-1235 ()
  :::
17:08:37,783 [AWT-EventQueue-2]  Info VBJ-Application.orb_com.inprise.vbroker.orb.ORB@1094ac2.vbroker.log.default.filter.orb - Re-issuing the request ()
 
Note that when the policy is explicitly set to NO_RECONNECT, NO_REBIND, VB_NOTIFY_REBIND, or VB_NO_REBIND, the re-establishment will not take effect, and the CSS will receive the org.omg.CORBA.REBIND exception after the org.omg.CORBA.COMM_FAILURE has been received.
 
The attached test case demonstrates this behavior:

1. Extract the zip file

2. Create the keystore for the gatekeeper and server:

 

$ keytool -genkey -alias GK -keypass password -storepass password -keystore keystore_gk -dname "CN=us, OU=aaa, O=bbb, L=bbb"

$ keytool -genkey -alias Server -keypass password -storepass password -keystore keystore_server -dname "CN=us, OU=aaa, O=bbb, L=bbb"

 

3. Start the osagent

4. startGK.bat

5. startServer.bat

6. Open the URL on IE: https://localhost:7777/ClientApplet.html

7. Select the rebind mode. Try first the VB_TRANSPARENT.

The test case currently sets vbroker.security.TSS.authenticationTimeToLive=10 (seconds) and vbroker.security.TSS.sweepPeriod=5 (seconds). With these two properties, VisiBroker checks every 5 seconds for contexts whose 10-second TTL has expired.
