I am building a Trust Association Interceptor (TAI) for a Websphere Liberty server that implements OAuth2. It is working well, except that when I encounter an error and throw WebTrustAssociationFailedException, I get an error like the following in the server log:
[4/17/15 15:26:55:523 CDT] 000000b1 com.ibm.ws.webcontainer.security.internal.TAIAuthenticator E CWWKS9107E: Trust Association Init is unable to load Trust Association class com.ibm.websphere.security.WebTrustAssociationFailedException: called with invalid state param
at com.ibm.tivoli.monitoring.OAuthTai.OAuthTAI.getBearerToken(OAuthTAI.java:299)
at com.ibm.tivoli.monitoring.OAuthTai.OAuthTAI.negotiateValidateandEstablishTrust(OAuthTAI.java:420)
at com.ibm.ws.webcontainer.security.internal.TAIAuthenticator.authenticate(TAIAuthenticator.java:102)
at com.ibm.ws.webcontainer.security.WebAuthenticatorProxy.handleTAI(WebAuthenticatorProxy.java:163)
at com.ibm.ws.webcontainer.security.WebAuthenticatorProxy.authenticate(WebAuthenticatorProxy.java:84)
at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.authenticateRequest(WebAppSecurityCollaboratorImpl.java:724)
at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.determineWebReply(WebAppSecurityCollaboratorImpl.java:567)
at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.performSecurityChecks(WebAppSecurityCollaboratorImpl.java:438)
at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:389)
at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:443)
at com.ibm.ws.webcontainer.osgi.collaborator.CollaboratorHelperImpl.preInvokeCollaborators(CollaboratorHelperImpl.java:267)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1026)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4499)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:282)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:954)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:252)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:584)
at com.ibm.ws.threading.internal.Worker.executeWork(Worker.java:439)
at com.ibm.ws.threading.internal.Worker.run(Worker.java:421)
at java.lang.Thread.run(Thread.java:795)
The message "called with invalid state param" seen in the error above is the message that I provided when throwing the exception.
I'm not understanding why this class is not found. During build I get this class from com.ibm.ws.webcontainer_1.0.1.jar. I would have thought the server would already have this built in. My server.xml is enabled for it with:
<feature>appSecurity-2.0</feature>
But given that it didn't find it, I added this jar to my library on the server so it could get it from there, but this makes no difference. I still get the above error when throwing this exception. Since it's part of the defined TAI interface, and other classes in the interface like TAIResult cause no problem, I'm confused.
This turns out to be a simple case of a bad error message. It appears to be saying that the WebTrustAssociationFailedException class was not found, but this is not the case. It actually is just reporting that the exception was thrown. The Websphere team has an internal defect to correct the message, and it will be fixed in a future release. For now it can safely be ignored.