State validation issue on Weblogic 14 server

Jenny 1 Reputation point
2022-08-09T19:35:22.837+00:00

Hello,

We have followed the steps specified in the sample project tutorial below to learn how to sign in users with Azure AD for our Java web application. After finishing the configuration of the Sign in project, we can run it without any problem on a Tomcat 9 server. However, after we deployed the project on the Weblogic 14 server, it always fails at the state validation stage, so the ID token can't be retrieved from the authentication server.

https://learn.microsoft.com/en-us/learn/modules/azure-java-app-enable-authentication-authorization/

The sample project uses OAuth 2.0 Code Authorization flow. According to the documentation, the "state" parameter is recommended, but not required.

My question is: if we skip the state validation step in our authentication project, are there any consequences?

If we have to validate that the state value exists in both the request and the session, please help shed some light on this Weblogic 14 deployment issue.


Error message from Weblogic 14 server:
Aug 09, 2022 1:58:14 PM com.microsoft.azuresamples.msal4j.helpers.AuthHelper validateState
INFO: validating state...
Aug 09, 2022 1:58:14 PM com.microsoft.azuresamples.msal4j.helpers.AuthHelper validateState
INFO: validateState-> requestState: 45365684-653c-4783-837d-66c3c98190f0
Aug 09, 2022 1:58:14 PM com.microsoft.azuresamples.msal4j.helpers.AuthHelper validateState
INFO: validateState-> sessionState: null
java.lang.NullPointerException
at com.microsoft.azuresamples.msal4j.helpers.AuthHelper.validateState(AuthHelper.java:249)
at com.microsoft.azuresamples.msal4j.helpers.AuthHelper.processAADCallback(AuthHelper.java:147)
at com.microsoft.azuresamples.msal4j.authservlets.AADRedirectServlet.doGet(AADRedirectServlet.java:40)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:645)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:295)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:260)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:137)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:353)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:82)
at com.microsoft.azuresamples.msal4j.authservlets.AuthenticationFilter.doFilter(AuthenticationFilter.java:59)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:82)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3869)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3832)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:344)
at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
at weblogic.servlet.internal.WebAppServletContext.processSecuredExecute(WebAppServletContext.java:2505)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2354)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2329)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2307)
at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1780)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1734)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:272)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:651)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:420)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:360)
AuthHelper Exception: null
Aug 09, 2022 1:58:14 PM com.microsoft.azuresamples.msal4j.helpers.AuthHelper processAADCallback
WARNING: Unable to exchange auth code for token:
null

Your help is much appreciated!
Jenny


1 answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-08-16T10:19:20.683+00:00

    Hi @Jenny ,

    Thanks for reaching out.

    I understand you are getting a null exception while trying to get the authorization code using the authorize endpoint, which can be due to a number of reasons.

    Are you still facing the same issue?

    As the same request is working fine on the Tomcat server and not on the WebLogic 14 server, there might be a reason: the WebLogic configuration has not been set up properly.
    Did you check that the xml files and jars are configured properly in the WebLogic server?
    Did you try to use another WebLogic version, 12 or 12c, to deploy your application?

    Regarding the state question, **my question is: if we skip the state validation step in our authentication project, are there any consequences?**

    Your understanding is correct here: the "state" parameter is recommended, but not required in the request.
    The state parameter is mainly used to identify attacks. The value provided in the request for the state parameter is also returned in the token response, which helps to identify whether the request is protected from cross-site forgery attacks.

    Thanks,
    Shweta
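Added example, not the sample project's AuthHelper shown in the stack trace above: the state round trip the answer describes, with the missing-session case from the log handled as a rejection instead of a NullPointerException. The session is modelled as a plain Map standing in for HttpSession so it runs on the JDK alone, and the attribute name oauth.state is an assumption.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Illustrative code, not the Microsoft sample's AuthHelper. The session is a
// Map<String, String> (hypothetical stand-in for HttpSession) so it runs offline.
public class StateCheckExample {
    private static final SecureRandom RNG = new SecureRandom();
    static final String STATE_KEY = "oauth.state"; // assumed attribute name

    // Step 1, before redirecting to the authorize endpoint: mint an unguessable
    // state, remember it in this browser's session, and send it in the URL.
    static String issueState(Map<String, String> session) {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        session.put(STATE_KEY, state);
        return state;
    }

    // Step 2, on the redirect-URI callback: the state echoed by the authorization
    // server must equal the one stored for THIS session. A missing session value
    // (the "sessionState: null" case in the log) is a hard failure, not an NPE:
    // the callback cannot be tied to a login this application started.
    static boolean validateState(Map<String, String> session, String requestState) {
        String expected = session.remove(STATE_KEY); // single use, then discarded
        if (expected == null || requestState == null) {
            return false;
        }
        // Constant-time comparison so a mismatch does not leak through timing.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     requestState.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        String state = issueState(session);
        System.out.println("genuine callback: " + validateState(session, state));

        // What the WebLogic log shows: the callback carries a state, but the
        // session that should hold the expected value has nothing in it.
        Map<String, String> freshSession = new HashMap<>();
        System.out.println("session lost:     " + validateState(freshSession, state));

        String issued = issueState(session);
        System.out.println("wrong state:      " + validateState(session, "x" + issued));
    }
}
```

In the log above, requestState is present while sessionState is null, which corresponds to the "session lost" branch: the session that issued the state is not the one seen on the callback, so the value itself is not what needs fixing.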

