Versions: 11.4.0, 11.4.1
Summary:
Whenever multiple TIBCO Spotfire Analyst client sessions are open simultaneously on the same machine, the initial Analyst instance prompts for login before either the idle-session timeout or the absolute session timeout has been reached.
Details:
After upgrading to Spotfire version 11.4.0 or 11.4.1, when multiple TIBCO Spotfire Analyst client sessions are opened on the same machine, the earlier Spotfire Analyst instance prompts for login if the 'Save my Login Information' option was selected.
In the Spotfire Analyst logs, you will see entries like the following when the login prompt appears on the initial Spotfire Analyst session:
2021-08-03T16:24:10,066+02:00 2021-08-03 14:24:10,066 as [Main Thread] WARN Spotfire.Dxp.Services.TssSoapServices.PreferenceServiceClient [(null)] - WebServiceCall failed, giving up (PreferenceService.SynchronizePreferenceObjects). The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Bearer realm="SpotfireRealm",SF-Web location="/spotfire/auth/web/initiate",BASIC realm="SpotfireRealm"'.
System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Bearer realm="SpotfireRealm",SF-Web location="/spotfire/auth/web/initiate",BASIC realm="SpotfireRealm"'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
In the TIBCO Spotfire Server logs (server.log), the following is seen:
WARN 2021-08-03T16:23:05,557+0200 [unknown, #-, #264532] security.oauth.TokenEndpointManager: Invalid access token request
com.spotfire.server.security.oauth.OAuthClientException: Invalid refresh token
at com.spotfire.server.security.oauth.TokenEndpointManager.handleRefreshToken(TokenEndpointManager.java:263) ~[spotfire-server.jar:?]
at com.spotfire.server.security.oauth.TokenEndpointManager.handleRequest(TokenEndpointManager.java:102) ~[spotfire-server.jar:?]
at com.spotfire.server.security.oauth.TokenEndpoint.doPost(TokenEndpoint.java:47) ~[spotfire-server.jar:?]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:652) ~[servlet-api.jar:4.0.FR]
.
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.46]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.46]
at java.lang.Thread.run(Thread.java:834) [?:?]
This is caused by the new 'max number of concurrent sessions per user' feature introduced in 11.4. The refresh tokens sent by Spotfire Analyst client sessions are always rotated. Since 11.0, the refresh token is saved whenever you select 'Save my Login Information' while logging in with the Spotfire Analyst client, so that the next time the client starts it uses the saved token to log you in.
Whenever two Spotfire Analyst sessions are opened at the same time against an 11.4.0 or 11.4.1 Spotfire Server, the first Spotfire Analyst session gets the login prompt: the saved refresh token is used by the first Spotfire Analyst session to revalidate the credentials, and because tokens are rotated, the Spotfire Server invalidates the token held by the first Spotfire Analyst session, which therefore has to prompt for login again.
Resolution:
Until a permanent fix is released, you can mitigate this issue by disabling token rotation. This way, the refresh token sent for re-authentication is not invalidated by the Spotfire Server and remains valid. Follow these steps to mitigate the issue:
1. On the computer running Spotfire Server, open a command line as an administrator (or, if you are using Windows Integrated Authentication, as the Spotfire Server database user) and change the directory to the location of the config.bat file (config.sh on Linux). The default location is <server installation dir>/tomcat/spotfire-bin. This is the directory from which the following commands are executed.
2. Export the active server configuration (the configuration.xml file) by using the export-config command.
Example:
config export-config --tool-password=mypassword
3. In the command prompt, enter the following command:
config set-config-prop --name="security.oauth2.refresh-token.invalidate-existing-access-token" --value="false"
4. Upload the modified configuration back to the Spotfire database by using the import-config command. The configuration that you import becomes the active configuration for that server or cluster.
Example:
config import-config --tool-password=mypassword --comment="what was changed"
5. Restart the TIBCO Spotfire Server.
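The following is an added illustration, not Spotfire code, of the mechanism described under Details and of the effect of the property set in step 3. It models a simplified OAuth-style token endpoint and two Analyst sessions on one machine that share the same saved refresh token; the endpoint's rotate_refresh_tokens switch, the session and token classes, the user name and the scenario are all assumptions made for this example, with the switch standing in for the behaviour the article attributes to security.oauth2.refresh-token.invalidate-existing-access-token.

```python
"""Toy model of two Analyst sessions sharing one saved refresh token.

Added example, not Spotfire code. The TokenEndpoint is a simplified stand-in;
its rotate_refresh_tokens switch plays the role the article assigns to the
security.oauth2.refresh-token.invalidate-existing-access-token property.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class InvalidRefreshToken(Exception):
    """Mirrors the server-side 'Invalid refresh token' rejection."""


@dataclass
class TokenEndpoint:
    rotate_refresh_tokens: bool = True
    # Only refresh tokens present in this map are accepted (token -> user).
    valid_refresh: Dict[str, str] = field(default_factory=dict)

    def login(self, user: str) -> Tuple[str, str]:
        """Interactive login: issue an access token and a refresh token."""
        refresh = secrets.token_urlsafe(16)
        self.valid_refresh[refresh] = user
        return secrets.token_urlsafe(16), refresh

    def refresh(self, refresh_token: Optional[str]) -> Tuple[str, str]:
        """Exchange a refresh token for a new access token.

        Rotation on: the presented refresh token is consumed and a new one is
        returned, so any other holder of the old token is rejected next time.
        Rotation off: the same refresh token stays valid.
        """
        user = self.valid_refresh.get(refresh_token) if refresh_token else None
        if user is None:
            raise InvalidRefreshToken("Invalid refresh token")
        access = secrets.token_urlsafe(16)
        if not self.rotate_refresh_tokens:
            return access, refresh_token
        del self.valid_refresh[refresh_token]
        new_refresh = secrets.token_urlsafe(16)
        self.valid_refresh[new_refresh] = user
        return access, new_refresh


@dataclass
class AnalystSession:
    """One client process. saved_store stands in for the on-disk
    'Save my Login Information' data shared by every session on the machine."""
    user: str
    endpoint: TokenEndpoint
    saved_store: Dict[str, str]
    refresh_token: Optional[str] = None
    login_prompts: int = 0  # how often this session was sent back to the login dialog

    def _remember(self, refresh: str) -> None:
        self.refresh_token = refresh
        self.saved_store[self.user] = refresh

    def _refresh_or_prompt(self, token: Optional[str]) -> None:
        try:
            _access, refresh = self.endpoint.refresh(token)
        except InvalidRefreshToken:
            self.login_prompts += 1
            _access, refresh = self.endpoint.login(self.user)
        self._remember(refresh)

    def start(self) -> None:
        """Start-up: reuse the saved refresh token instead of prompting."""
        self._refresh_or_prompt(self.saved_store.get(self.user))

    def background_call(self) -> None:
        """A later server call (think PreferenceService.SynchronizePreferenceObjects)
        that presents this session's own refresh token for a fresh access token."""
        self._refresh_or_prompt(self.refresh_token)


def run_scenario(rotate_refresh_tokens: bool) -> Dict[str, int]:
    """Open two sessions for one user on one machine; count forced login prompts."""
    endpoint = TokenEndpoint(rotate_refresh_tokens=rotate_refresh_tokens)
    store: Dict[str, str] = {}
    # Constructed setup: the user logged in earlier with 'Save my Login Information'.
    _access, saved = endpoint.login("alice")
    store["alice"] = saved

    first = AnalystSession("alice", endpoint, store)
    first.start()            # reuses the saved token; with rotation it is replaced
    second = AnalystSession("alice", endpoint, store)
    second.start()           # reuses whatever is saved now, rotating it again
    first.background_call()  # the first session's token is stale if rotation is on
    return {"first": first.login_prompts, "second": second.login_prompts}


if __name__ == "__main__":
    for rotate in (True, False):
        print(f"rotation={'on' if rotate else 'off'}: {run_scenario(rotate)}")
```

With rotation on, the first session is forced to log in again once the second session has consumed the shared token; with rotation off, both sessions keep working from the same saved token, which is the effect of the setting in step 3. Refresh-token rotation exists so that a refresh token can only be presented once, which makes replay of a copied token detectable; the interim mitigation gives that up in exchange for compatibility with concurrent sessions, which is why the article describes it as a workaround pending a permanent fix.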
Note:
By default, the TIBCO Spotfire Analyst client will still prompt for login after 24 hours if it is kept open, because the absolute session timeout is set to 24 hours by default. The absolute session timeout can be seen in Configuration tool > Configuration > Security.