Zowe APIML v3 bad error response compared to APIML v2 on Websocket connection attempt #3995

Open
cumarav opened this issue Feb 18, 2025 · 3 comments
Labels
bug Verified defect in functionality Priority: High size/S

Comments

@cumarav
Contributor

cumarav commented Feb 18, 2025

Describe the bug
If I try to connect to a websocket in APIML V2 with an invalid JWT token, I see a clear error message:

 The close message is Some(CloseData { status_code: 1003, reason: "org.eclipse.jetty.websocket.api.UpgradeException: Failed to upgrade to websocket: Unexpected HTTP Response Status Code: Invalid login credentials" }

If I do the same with APIML V3, the reply is:

 The close message is Some(CloseData { status_code: 1011, reason: null}

Steps to Reproduce

  1. Try to connect with valid token - connection established.
  2. Try to open websocket connection using invalid JWT Token - error message is not clear...

Expected behavior
I want to see the same 1003 error code and error message if the websocket fails to open a connection due to an invalid JWT token in APIML V3.

Screenshots

Image

As you can see above, V3 always responds with 1011 and an empty reason, whereas V2 gives a specific code and the correct reason for every case.

Impact
We have integration tests in our CI/CD pipeline which verify invalid-login behavior, and consequently we are not able to use APIML V3 in the CI/CD pipeline because of this V2/V3 discrepancy.

Logs

DEBUG websocat::ws_peer] The close message is Some(CloseData { status_code: 1011, reason: "" })

Willingness to help
If management approves...

@cumarav cumarav added bug Verified defect in functionality new New issue that has not been worked on yet labels Feb 18, 2025
@EvaJavornicka EvaJavornicka added Priority: High size/S and removed new New issue that has not been worked on yet labels Feb 26, 2025
@EvaJavornicka EvaJavornicka moved this from New to Unplanned Bugs in API Mediation Layer Backlog Management Feb 26, 2025
@cumarav
Contributor Author

cumarav commented Feb 28, 2025

One more screenshot:

Image

Here, as you can see, the word Bearer changes the reason.

@balhar-jakub
Member

balhar-jakub commented Mar 7, 2025

@cumarav The status code was changed to the proper 1003, but we can't add further details: the security requirements are gradually strengthening, and thus we are allowed to expose less and less information, especially around authentication and authorization.

I will mark the change in the message among the actual breaking changes, in case somebody else is expecting the message.

@pablocarle
Contributor

The change in V3 to use Spring Cloud Gateway's websocket implementation brings in additional checks in the services' responses.
In this case, the 401 HTTP status with which the service replies makes SCG fail a validation against https://www.rfc-editor.org/rfc/rfc7235#section-3.1, which states that services MUST reply with a WWW-Authenticate header.

The code will continue to be 1011 (generic server error), but with an improved message to include the description of the issue, in this case, the lack of WWW-Authenticate header.

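To make the RFC 7235 check described in the comment above concrete, here is an added illustration in Python. It is not APIML or Spring Cloud Gateway code: it parses a raw upstream HTTP response to a failed WebSocket upgrade, applies the RFC 7235 section 3.1 rule (a 401 MUST carry WWW-Authenticate), and then encodes and decodes the RFC 6455 close frame payload that a client such as websocat reports as status_code and reason. The two sample 401 responses are constructed, and the mapping of a compliant 401 to close code 1003 and of the validation failure to 1011 is an assumption chosen only to mirror the V2/V3 behaviour reported in this issue.

```python
"""RFC 7235 section 3.1 check for a failed WebSocket upgrade, and the resulting
close frame. Added illustration, not APIML / Spring Cloud Gateway code."""
import struct

# RFC 6455 close codes used here
CLOSE_UNSUPPORTED_DATA = 1003   # what APIML V2 (Jetty) sent on a rejected upgrade
CLOSE_INTERNAL_ERROR = 1011     # "unexpected condition"; what APIML V3 sends
CLOSE_NO_STATUS = 1005          # reserved: no code present in the close frame


def parse_http_response(raw: bytes):
    """Parse status line and headers of a raw HTTP/1.1 response.
    Header names are lowercased because HTTP field names are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), (reason[0] if reason else ""), headers, body


def check_rfc7235(status: int, headers: dict):
    """Return (ok, detail). A 401 response MUST carry a WWW-Authenticate
    challenge (RFC 7235 section 3.1); other statuses are not checked here."""
    if status != 401:
        return True, ""
    challenge = headers.get("www-authenticate")
    if not challenge:
        return False, "401 response is missing the WWW-Authenticate header (RFC 7235 section 3.1)"
    return True, challenge


def close_frame_for_upgrade_failure(raw: bytes):
    """Decide which close code and reason to send to the WebSocket client.
    Assumed mapping for illustration: a compliant 401 is relayed as 1003 with
    the upstream status text (V2 style); a non-compliant 401 is a gateway-side
    validation failure reported as 1011 with a description (V3 style)."""
    status, reason, headers, _ = parse_http_response(raw)
    ok, detail = check_rfc7235(status, headers)
    if ok:
        return CLOSE_UNSUPPORTED_DATA, (
            f"Failed to upgrade to websocket: Unexpected HTTP Response Status Code: {reason}")
    return CLOSE_INTERNAL_ERROR, f"Failed to upgrade to websocket: {detail}"


def encode_close_payload(code: int, reason: str) -> bytes:
    """Close frame payload per RFC 6455 section 5.5.1: 2-byte big-endian code
    followed by a UTF-8 reason. Control frames carry at most 125 bytes, so the
    reason is cut to 123 bytes on a character boundary."""
    data = reason.encode("utf-8")
    if len(data) > 123:
        data = data[:123].decode("utf-8", "ignore").encode("utf-8")
    return struct.pack("!H", code) + data


def decode_close_payload(payload: bytes):
    """Inverse of encode_close_payload: what a client logs as status_code/reason.
    An empty payload means no code was sent, reported as 1005 (RFC 6455 7.1.5)."""
    if len(payload) < 2:
        return CLOSE_NO_STATUS, ""
    (code,) = struct.unpack("!H", payload[:2])
    return code, payload[2:].decode("utf-8")


# Constructed sample replies from an upstream service rejecting the upgrade.
COMPLIANT_401 = (b"HTTP/1.1 401 Invalid login credentials\r\n"
                 b"WWW-Authenticate: Bearer realm=\"apiml\"\r\n"
                 b"Content-Length: 0\r\n\r\n")
NONCOMPLIANT_401 = (b"HTTP/1.1 401 Invalid login credentials\r\n"
                    b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for raw in (COMPLIANT_401, NONCOMPLIANT_401):
        code, reason = close_frame_for_upgrade_failure(raw)
        print(decode_close_payload(encode_close_payload(code, reason)))
```

Running the block prints a (1003, reason) tuple for the compliant reply and a (1011, reason) tuple naming the missing WWW-Authenticate header for the non-compliant one; the empty reason seen in the original report corresponds to a close payload carrying only the two code bytes.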
4 participants