Connection refused when calling CXF Webclient in custom Realm plugin

Linc12 · January 3, 2019, 5:20pm

Hi,

I'm building an Elasticsearch plugin and, while it's running, I need to reach an external service in order to retrieve some data to use in the plugin code and my the proper queries.

I use org.apache.cxf.jaxrs.client.WebClient like this:

String response = AccessController.doPrivileged((PrivilegedAction<String>) ()
        -> {
    return WebClient.create(baseUrl).
            accept(MediaType.APPLICATION_JSON).
            type(MediaType.APPLICATION_JSON).
            post(requestString, String.class);
});

that is called inside the authenticate() overridden method of my custom realm class:

public class MyRealm extends Realm

When that code is called I get:

[WARN ][o.a.c.p.PhaseInterceptorChain] Interceptor for {...} WebClient has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67) ~[cxf-core-3.2.7.jar:3.2.7]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.2.7.jar:3.2.7]
        at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:710) [cxf-rt-rs-client-3.2.7.jar:3.2.7]
        at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1050) [cxf-rt-rs-client-3.2.7.jar:3.2.7]
        at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:897) [cxf-rt-rs-client-3.2.7.jar:3.2.7]
        at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:866) [cxf-rt-rs-client-3.2.7.jar:3.2.7]
        at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:334) [cxf-rt-rs-client-3.2.7.jar:3.2.7]
        at org.apache.cxf.jaxrs.client.WebClient.post(WebClient.java:343) [cxf-rt-rs-client-3.2.7.jar:3.2.7]

Caused by: java.net.ConnectException: ConnectException invoking ... Connection refused (Connection refused)
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:488) ~[?:?]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1402) ~[?:?]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1386) ~[?:?]
        at org.apache.cxf.io.AbstractWrappedOutputStream.close(AbstractWrappedOutputStream.java:77) ~[?:?]
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[?:?]
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:673) ~[?:?]
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63) ~[?:?]

Caused by: java.net.ConnectException: Connection refused (Connection refused)
        at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:?]
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:400) ~[?:?]
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:243) ~[?:?]
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:225) ~[?:?]
        at java.net.Socket.connect(Socket.java:591) ~[?:?]
        at sun.net.NetworkClient.doConnect(NetworkClient.java:177) ~[?:?]

At first there were some troubles with permissions for java.net.NetPermission but I solved them by adding:

permission java.net.NetPermission "*";

in the plugin-security.policy file.

The plugin is built for Elasticsearch v6.3.0 .

Any idea on how to fix it or what else to use to make external requests instead of org.apache.cxf.jaxrs.client.WebClient inside the plugin?

I don't know if it's related but I also have the following WARNING:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.cxf.common.util.ReflectionUtil$11 (file:/usr/share/elasticsearch/plugins/myplugin/cxf-core-3.2.7.jar) to field java.net.Authenticator.theAuthenticator
WARNING: Please consider reporting this to the maintainers of org.apache.cxf.common.util.ReflectionUtil$11
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Any help will be appreciate!
Thanks

Linc12 · January 4, 2019, 9:11am

Just to add an expectable notice: the service on baseUrl is working and I tested it!
It's a http link not https (don't know if it matters) for the issue.

Also, I'm using X-Pack too and here is my elasticsearch.yml configuration:

cluster.name: "docker-cluster"
node.name: "docker-single-node"

http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: "Authorization"

http.host: 0.0.0.0
transport.host: 0.0.0.0
bootstrap.memory_lock: true
discovery.zen.ping.unicast.hosts: "elasticsearch"

xpack.security.enabled: true
xpack.monitoring.enabled: true
xpack.watcher.enabled: false
xpack.ml.enabled: false

xpack.security.authc.realms:
    file:
        type:                       file
        order:                      0

    native:
        type:                       native
        order:                      1

    # custom realm
    test:
        type:                       test
        order:                      2

xpack.security.audit.enabled: true

system · February 1, 2019, 9:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.