FHIR2 Authentication Filter gives error on wrong password

If a wrong password is entered to access the FHIR resources, a java.lang.IllegalStateException: Committed error is displayed.

I am testing this on the master branch and the request is sent through Postman.

Request http://localhost:8080/openmrs/ws/fhir2/R4/Person/?gender=male

Error log

[INFO] Initializing Spring FrameworkServlet 'openmrs'
INFO - HibernateContextDAO.authenticate(217) |2020-06-16 22:14:56,190| Failed login attempt (login=admin) - Invalid username and/or password: admin
[WARNING] /openmrs/ws/fhir2/R4/Person/
java.lang.IllegalStateException: Committed
    at org.eclipse.jetty.server.Response.resetBuffer (Response.java:1223)
    at org.eclipse.jetty.server.Response.resetForForward (Response.java:1215)
    at org.eclipse.jetty.server.Dispatcher.forward (Dispatcher.java:134)
    at org.eclipse.jetty.server.Dispatcher.forward (Dispatcher.java:74)
    at org.openmrs.module.fhir2.web.filter.ForwardingFilter.doFilter (ForwardingFilter.java:59)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter (ModuleFilterChain.java:71)
    at org.openmrs.module.fhir2.web.filter.AuthenticationFilter.doFilter (AuthenticationFilter.java:67)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter (ModuleFilterChain.java:71)
    at org.openmrs.module.referenceapplication.filter.RequireLoginLocationFilter.doFilter (RequireLoginLocationFilter.java:93)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter (ModuleFilterChain.java:71)
    at org.openmrs.module.web.filter.ModuleFilter.doFilter (ModuleFilter.java:57)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.openmrs.web.filter.OpenmrsFilter.doFilterInternal (OpenmrsFilter.java:109)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal (OpenSessionInViewFilter.java:150)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.openmrs.web.filter.StartupFilter.doFilter (StartupFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.openmrs.web.filter.StartupFilter.doFilter (StartupFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.openmrs.web.filter.StartupFilter.doFilter (StartupFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal (CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle (ServletHandler.java:581)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle (ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle (SecurityHandler.java:548)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle (SessionHandler.java:226)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle (ContextHandler.java:1156)
    at org.eclipse.jetty.servlet.ServletHandler.doScope (ServletHandler.java:511)
    at org.eclipse.jetty.server.session.SessionHandler.doScope (SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope (ContextHandler.java:1088)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle (ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle (ContextHandlerCollection.java:213)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle (HandlerCollection.java:109)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle (HandlerWrapper.java:119)
    at org.eclipse.jetty.server.Server.handle (Server.java:517)
    at org.eclipse.jetty.server.HttpChannel.handle (HttpChannel.java:306)
    at org.eclipse.jetty.server.HttpConnection.onFillable (HttpConnection.java:242)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded (AbstractConnection.java:245)
    at org.eclipse.jetty.io.FillInterest.fillable (FillInterest.java:95)
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run (SelectChannelEndPoint.java:75)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun (ExecuteProduceConsume.java:213)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run (ExecuteProduceConsume.java:147)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob (QueuedThreadPool.java:654)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run (QueuedThreadPool.java:572)
    at java.lang.Thread.run (Thread.java:748)
[WARNING] //localhost:8080/openmrs/ws/fhir2/R4/Person/?gender=male
java.lang.IllegalStateException: Committed
    at org.eclipse.jetty.server.Response.resetBuffer (Response.java:1223)
    at org.eclipse.jetty.server.Response.resetForForward (Response.java:1215)
    at org.eclipse.jetty.server.Dispatcher.forward (Dispatcher.java:134)
    at org.eclipse.jetty.server.Dispatcher.forward (Dispatcher.java:74)
    at org.openmrs.module.fhir2.web.filter.ForwardingFilter.doFilter (ForwardingFilter.java:59)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter (ModuleFilterChain.java:71)
    at org.openmrs.module.fhir2.web.filter.AuthenticationFilter.doFilter (AuthenticationFilter.java:67)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter (ModuleFilterChain.java:71)
    at org.openmrs.module.referenceapplication.filter.RequireLoginLocationFilter.doFilter (RequireLoginLocationFilter.java:93)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter (ModuleFilterChain.java:71)
    at org.openmrs.module.web.filter.ModuleFilter.doFilter (ModuleFilter.java:57)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.openmrs.web.filter.OpenmrsFilter.doFilterInternal (OpenmrsFilter.java:109)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal (OpenSessionInViewFilter.java:150)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.openmrs.web.filter.StartupFilter.doFilter (StartupFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.openmrs.web.filter.StartupFilter.doFilter (StartupFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.openmrs.web.filter.StartupFilter.doFilter (StartupFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal (CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter (OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter (ServletHandler.java:1669)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle (ServletHandler.java:581)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle (ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle (SecurityHandler.java:548)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle (SessionHandler.java:226)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle (ContextHandler.java:1156)
    at org.eclipse.jetty.servlet.ServletHandler.doScope (ServletHandler.java:511)
    at org.eclipse.jetty.server.session.SessionHandler.doScope (SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope (ContextHandler.java:1088)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle (ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle (ContextHandlerCollection.java:213)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle (HandlerCollection.java:109)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle (HandlerWrapper.java:119)
    at org.eclipse.jetty.server.Server.handle (Server.java:517)
    at org.eclipse.jetty.server.HttpChannel.handle (HttpChannel.java:306)
    at org.eclipse.jetty.server.HttpConnection.onFillable (HttpConnection.java:242)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded (AbstractConnection.java:245)
    at org.eclipse.jetty.io.FillInterest.fillable (FillInterest.java:95)
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run (SelectChannelEndPoint.java:75)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun (ExecuteProduceConsume.java:213)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run (ExecuteProduceConsume.java:147)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob (QueuedThreadPool.java:654)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run (QueuedThreadPool.java:572)
    at java.lang.Thread.run (Thread.java:748)

Note the response is the correct 401 Not authenticated; maybe this is the reason why the unit tests weren't able to catch this.

cc @ibacher @jecihjoy @dkayiwa

@sidvaish97 Thanks for this. Turns out this is a really stupid error on my part. There should be a return; here.

@ibacher I guess we'll also need to add this part at the very beginning of the doFilter function (as you suggested for the SmartAuthenticationFilter), because after a successful login, if we try to log in again with a wrong password we still see a response and not a 401 error:

if (httpRequest.getRequestedSessionId() != null) {
    Context.logout();
}

and remove this part, I guess: && !httpRequest.isRequestedSessionIdValid()
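Putting the two fixes discussed above together, here is an added example of a Basic-auth servlet filter. It is not the FHIR2 module's AuthenticationFilter but my own illustration of the pattern: the early return after sendError(401) from the first reply, and the logout of any existing session user before verifying presented credentials from the second. It assumes the javax.servlet API on the classpath; SessionAuth is a hypothetical stand-in for OpenMRS's Context, and scoping the logout to requests that actually carry an Authorization header is a design choice of this example, not something stated in the thread.

```java
// Added example, not the OpenMRS FHIR2 module's AuthenticationFilter.
// Assumes the javax.servlet API on the classpath. SessionAuth is a
// hypothetical stand-in for org.openmrs.api.context.Context.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthFilter implements Filter {

    /** Hypothetical session-bound authentication context (isAuthenticated/logout/authenticate). */
    public interface SessionAuth {
        boolean isAuthenticated();
        void logout();
        /** Returns false on bad credentials instead of throwing. */
        boolean authenticate(String username, String password);
    }

    private final SessionAuth auth;

    public BasicAuthFilter(SessionAuth auth) {
        this.auth = auth;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        String header = httpReq.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            // Second fix: credentials presented on this request must be verified
            // even if the session already holds an authenticated user. Drop the
            // old principal first so a wrong password cannot ride on it.
            if (httpReq.getRequestedSessionId() != null) {
                auth.logout();
            }
            String[] creds = decodeBasic(header.substring(6));
            if (creds == null || !auth.authenticate(creds[0], creds[1])) {
                reject(httpRes);
                return; // First fix: never fall through to the chain after rejecting
            }
        }

        if (!auth.isAuthenticated()) {
            reject(httpRes);
            return; // same rule: a rejected request must not reach chain.doFilter
        }

        chain.doFilter(req, res);
    }

    /** Decodes "user:pass" (the password may itself contain ':'); null if malformed. */
    static String[] decodeBasic(String b64) {
        try {
            String decoded = new String(Base64.getDecoder().decode(b64.trim()), StandardCharsets.UTF_8);
            int sep = decoded.indexOf(':');
            if (sep < 0) {
                return null;
            }
            return new String[] { decoded.substring(0, sep), decoded.substring(sep + 1) };
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /** Writes the 401; guarded so a committed response is never reset a second time. */
    private static void reject(HttpServletResponse res) throws IOException {
        if (res.isCommitted()) {
            return;
        }
        res.setHeader("WWW-Authenticate", "Basic realm=\"fhir2\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
    }
}
```

The two returns are the security-relevant part. Without them the 401 is already on the wire (which is why a test that only checks the status code passes), but the request still continues down the chain; in this deployment the downstream ForwardingFilter tried to forward and Jetty refused to reset a committed response, which is the stack trace above, whereas in a chain without such a forward the unauthenticated request would simply be served. The logout-before-authenticate step addresses the second report: with a valid session cookie still present, the filter was treating the session's earlier login as sufficient and never checking the wrong password sent on the new request.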