
Port fixes for identity-apps #2482

Closed
Tracked by #2404
HiranyaKavishani opened this issue Feb 15, 2024 · 15 comments

Comments

@HiranyaKavishani

HiranyaKavishani commented Feb 15, 2024

Initially this issue was tracked by #2428

@RusJaI

RusJaI commented Feb 15, 2024

Update [2024-02-02] - authenticationendpoint JSP file changes

Worked on the analysis of modified jsp files in authenticationendpoint/includes.
Listed the related PRs checking the diff between the files of U2 updated 4.2.0 live pack (wso2am-4.2.0.62) and Identity-apps 1.6.x branch.
Further checked the patches released modifying each of those jsp files and listed the results for products wso2am% and wso2is%.

Please find the sheet containing the analysis: https://docs.google.com/spreadsheets/d/1TN_q5sTZwm-Wb1S_dhKppJpTPszqittAhRW-gVAEGPc/edit?usp=sharing

@RusJaI

RusJaI commented Feb 15, 2024

Update [2024-02-06, 07] - authenticationendpoint JSP file changes

Completed the analysis of IS related changes (from IS patches) for 1.6.x branch. Concluded that there are no identity fixes to be added to the 1.6.x branch.

Further identified several jsp files which are identical in IS and APIM, within the authenticationendpoint/includes directory.

Built the APIM pack, excluding those files (this included building carbon apimgt, identity oauth saml2, carbon kernel and product apim with some orbit jars which are not yet released).

Could build a product pack successfully, but the following error appears at startup and the server stops:

org.wso2.andes.kernel.AndesException: Unable to initialise application registry
   at org.wso2.andes.server.Broker.startupImpl(Broker.java:312) ~[andes_3.3.28.jar:?]
   at org.wso2.andes.server.Broker.startup(Broker.java:110) ~[andes_3.3.28.jar:?]
   at org.wso2.andes.server.Main.startBroker(Main.java:218) ~[andes_3.3.28.jar:?]
   at org.wso2.andes.server.Main.execute(Main.java:207) ~[andes_3.3.28.jar:?]
   at org.wso2.andes.server.Main.<init>(Main.java:55) ~[andes_3.3.28.jar:?]
   at org.wso2.andes.server.Main.main(Main.java:48) ~[andes_3.3.28.jar:?]
   at org.wso2.carbon.andes.internal.QpidServiceComponent.startAndesBroker(QpidServiceComponent.java:351) ~[?:?]
   at org.wso2.carbon.andes.internal.QpidServiceComponent.activate(QpidServiceComponent.java:117) ~[?:?]
   at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
   at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
   at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke

Triggered another build upgrading the h2 orbit version in carbon apimgt and carbon kernel.

@RusJaI

RusJaI commented Feb 15, 2024

Update [2024-02-08 ] - authenticationendpoint JSP file changes

Started working on merging the APIM customizations with the updated jsp files in identity apps into product apim.

Considered the diff which had been maintained in the APIM 4.2.0 GA pack and the corresponding identity apps branch which was used there (1.5.0 tag). With that, merged the changes to product APIM, comparing it with the updated identity apps branch (1.6.x).

Completed the analysis for half of the files EoD.

@RusJaI

RusJaI commented Feb 15, 2024

Update [2024-02-09 ] - authenticationendpoint JSP file changes

Identified another set of files, other than authenticationendpoint/includes, which needed to be synced with the identity apps changes.
Completed the analysis and the relevant identity apps porting.

Worked on and completed the process of merging identity apps changes, aiming at the alpha release.
(There are some patch changes to be ported, but this cannot be done at this moment because they have partial changes to other identity components which we haven't ported up to now.)

With that, the jsp changes for the alpha release are done. PR: wso2/identity-apps#5461

Blocked by some build failures in product apim while trying to build a product pack with the changes (due to some other OSGi issues).
Hence tried applying the changed JSP files on an existing pack and tested the UI changes.

In the process of removing backup-code usages from the identity apps repo. The process seems not straightforward because there are errors from transitively affected files.

@RusJaI

RusJaI commented Feb 15, 2024

Update [2024-02-10 ] - authenticationendpoint JSP file changes

Removed backup code usage with PR: wso2/identity-apps#5492
Now there are no initial startup errors looking for missing jsp files or features.
But when trying to navigate to the login page of the publisher portal, the following error appears in the terminal and the UI doesn't load properly.

[2024-02-12 21:08:55,349]  INFO - CarbonEventManagementService Starting polling event receivers
[2024-02-12 21:08:55,357] ERROR - [default] Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 11 path $
	at com.google.gson.Gson.fromJson(Gson.java:1070) ~[com.google.gson_2.9.1.jar:?]
	at com.google.gson.Gson.fromJson(Gson.java:1016) ~[com.google.gson_2.9.1.jar:?]
	at com.google.gson.Gson.fromJson(Gson.java:959) ~[com.google.gson_2.9.1.jar:?]
	at com.google.gson.Gson.fromJson(Gson.java:927) ~[com.google.gson_2.9.1.jar:?]
	at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthParameterFilter.getServletRequestWithParams(AuthParameterFilter.java:117) ~[?:?]
	at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthParameterFilter.doFilter(AuthParameterFilter.java:82) ~[?:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.11.jar:?]
	at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.11.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:167) ~[org.wso2.carbon.identity.authz.valve_1.8.11.jar:?]
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:118) ~[org.wso2.carbon.identity.auth.valve_1.8.11.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat_9.0.82.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat_9.0.82.wso2v1.jar:?]
	at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 11 path $
	at com.google.gson.stream.JsonReader.beginObject(JsonReader.java:395) ~[com.google.gson_2.9.1.jar:?]
	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:182) ~[com.google.gson_2.9.1.jar:?]
	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:144) ~[com.google.gson_2.9.1.jar:?]
	at com.google.gson.Gson.fromJson(Gson.java:1058) ~[com.google.gson_2.9.1.jar:?]
	... 38 more

When debugging the code, it was identified that when it invokes the endpoint authAPIURL = https://localhost:9443/api/identity/auth/v1.1/data/AuthRequestKey/710dfce6-6460-449a-b2cd-5650ac0b1187, it returns the HTML page of the carbon console as contextProperties instead of the expected JSON response, at AuthParameterFilter.getServletRequestWithParams() in carbon-identity-framework.

@RusJaI

RusJaI commented Feb 15, 2024

Update [2024-02-13, 14 ] - authenticationendpoint JSP file changes

When checking the identity framework tag in APIM 4.2.0, the AuthParameterFilter.java class is not there. It has been introduced with a new IS feature which requires adding an additional war file to the APIM product. Considering the said issue, it was decided to remove the corresponding fix from the 1.6.x branch. Created the PR: wso2/carbon-identity-framework#5509

Considering the impact of the said fix, and after having another discussion with the IS team, it was decided to keep the fix in the identity apps branch and merge it into product apim as well.

For the M2 release it was targeted to keep the rest of the jsp changes + backup code removal.

Tried figuring out the build issue that occurred while building the product. Built all relevant repos in a clean repo and could resolve the build issue.

With that, built the APIM pack with the jsp changes (not containing the security fix that caused the above issues); there was a problem in the loaded UI for login pages. Fixed it by solving the name mismatch of a theme's min css file.

When clicking on the forgot password option, it returned a 400 status code. When checking the same flow in the M1 pack, the issue exists there as well. Created the issue #2477 to track it.

With that, created the following PRs completing the targeted progress for the alpha release:

@RusJaI

RusJaI commented Feb 21, 2024

Update [2024-02-15, 16, 19 ]

Ported the features and tested the startup and initial login flows. PRs:

Changes are being added to PRs 2, 3, 4, 5 because they are not merged (added after the m2 release).

Completed the analysis of patches which have changes across multiple identity components with respect to the following jsp files:

  • cookie-policy-content.jsp
  • country-dropdown.jsp
  • footer.jsp
  • header.jsp
  • init-loginform-action-url.jsp

Applied the corresponding patches and tested the basic flows in the product pack.

@RusJaI

RusJaI commented Feb 21, 2024

Update [2024-02-20]

Had to re-evaluate the issue wso2/product-is#14878 for applying the changes into APIM.

Discussed removing this feature only from product apim, while maintaining the relevant changes in identity apps and identity framework.

It was identified that the corresponding war file (api#identity#auth#v1.1), which has become a mandatory requirement when applying the feature, has already been a requirement from APIM 4.2.0 onwards. But no error has occurred up to now since that corresponding flow has not been met by our usages.

Evaluated the possible applications of IdentifierFirstLogin, including the account creation process from devPortal. Couldn't find a usage.

Hence it was discussed to remove the corresponding if clause considering the usage: wso2/product-apim@5b47361

Removed the corresponding code block from our code and tested the startup and basic login flows.

@RusJaI

RusJaI commented Feb 25, 2024

Update [2024-02-21, 22]

Analysed the security fixes for the following files one by one and checked the changes made in each commit. (Fixes were applicable mainly in identity apps + carbon identity framework, identity inbound local auth and kernel.)

  • init-url.jsp
  • layout-resolver.jsp
  • localize.jsp
  • privacy-policy-content.jsp
  • product-footer.jsp
  • product-title.jsp
  • template-mapper.jsp
  • title.jsp
  • basicauth.jsp
  • error.jsp
  • identifierauth.jsp
  • login.jsp
  • password-recovery.jsp
  • self-registration-complete.jsp
  • self-registration-username-request.jsp
  • self-registration-with-verification.jsp

Applied the fixes which were missing in the corresponding branch.

@RusJaI

RusJaI commented Feb 25, 2024

Update [2024-02-25 Sunday]

Analysed the security fixes for the following files one by one and checked the changes made in each commit. (Fixes were applicable mainly in identity apps + carbon identity framework, identity inbound local auth and kernel.)

  • template-mapper.jsp
  • localize.jsp
  • layout-resolver.jsp
  • init-url.jsp
  • init-loginform-action-url.jsp
  • footer.jsp
  • country-dropdown.jsp

With that, all the files in the extensions directory in product APIM (customized files) and all the files in authenticationendpoint/includes are covered by the effort up to now.

*** Please note that modifications from the patch updates which have been released after 22nd February 2024 are not included.

Started checking on the updates to the set of jsp files of authenticationendpoint which are directly coming from identity apps (no customizations from the APIM side and not in the includes/ directory).

@RusJaI

RusJaI commented Feb 26, 2024

Update [2024-02-26]

Completed applying identity apps related patches on all relevant IS branches.
Please find the internal git issue which was created to track the missing fixes in each branch (because we can't point to support PRs and U2 numbers in the public PRs): https://github.com/wso2-enterprise/wso2-apim-internal/issues/5625

There's one update (U2 6779) which was discussed to reproduce and check the applicability before applying, because it requires packing an additional war app inside the product.

Tested flow:

  1. Go to the carbon console and edit the SP app for devportal.
  2. Under claim configuration, add a new claim for organization and make it mandatory.
  3. Save the app.
  4. Create a user account in the dev portal.
  5. Log in as the created user.
  6. It navigates to a page to provide Mandatory Details.
     [Screenshot 2024-02-26 at 17 21 26]
  7. Edit the URL in the browser. For example, initially the URL appears as follows:
     https://localhost:9443/authenticationendpoint/claims.do?missingClaims=http%3A%2F%2Fwso2.org%2Fclaims%2Fcountry&displayNames=http%3A%2F%2Fwso2.org%2Fclaims%2Forganization%7COrganization&sessionDataKey=068f0cd8-5d0b-42cc-9dfe-bdfc303323f5&sp=apim_devportal

But when we edit it and add country instead of organization, and press enter, it renders the corresponding preview, altering the initial UI as follows:

[Screenshot 2024-02-26 at 17 28 16]

Since the issue is reproducible in APIM, decided to apply the fix.

@RusJaI

RusJaI commented Feb 26, 2024

Added the config and tested the pack without the war file and component jars, to check the usage of the config added by update 6779.
Got the following error in the terminal:

[2024-02-26 18:19:13,377] ERROR - do] Servlet.service() for servlet [claims.do] in context with path [/authenticationendpoint] threw exception [An exception occurred processing [/requested-claims.jsp] at line [53]

50:         if (request.getQueryString().contains(Constants.MISSING_CLAIMS)) {
51:             request.getRequestDispatcher("error.do").forward(request, response);
52:         }
53:         missingClaimList = request.getParameter(Constants.MISSING_CLAIMS).split(",");
54:     }
55:     if (request.getParameter(Constants.REQUEST_PARAM_SP) != null) {
56:         appName = request.getParameter(Constants.REQUEST_PARAM_SP);


Stacktrace:] with root cause
java.lang.NullPointerException: null
	at org.apache.jsp.requested_002dclaims_jsp._jspService(requested_002dclaims_jsp.java:290) ~[?:?]
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) ~[tomcat_9.0.85.wso2v1.jar:?]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623) ~[tomcat-servlet-api_9.0.85.wso2v1.jar:?]
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327) ~[tomcat_9.0.85.wso2v1.jar:?]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623) ~[tomcat-servlet-api_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53) ~[org.wso2.carbon.ui_4.9.26.SNAPSHOT.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:190) ~[?:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.11.jar:?]
	at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.11.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:167) ~[org.wso2.carbon.identity.authz.valve_1.8.11.jar:?]
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:118) ~[org.wso2.carbon.identity.auth.valve_1.8.11.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137) ~[org.wso2.carbon.tomcat.ext_4.9.26.SNAPSHOT.jar:?]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat_9.0.85.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat_9.0.85.wso2v1.jar:?]
	at java.lang.Thread.run(Thread.java:829) [?:?]

@RusJaI

RusJaI commented Feb 27, 2024

Update [2024-02-27]

Added the webapp and the 2 jars manually inside the product pack and tested the fix.
But it produces a null pointer exception at
missingClaimList = request.getParameter(Constants.MISSING_CLAIMS).split(",");
where it is supposed to be able to get the missing claims.
When this was discussed with the IS team, they mentioned that they are using a tomcat filter from the identity framework side for this. Either we have to apply that or add a code level fix that they've suggested, to get the missingClaimList through the added war.
Decided to go ahead with the code level fix to product apim. Commit: wso2/identity-apps@e9a06aa

Tested the fix and verified that the initially reproduced security vulnerability is addressed by the fix.
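The two failures discussed in this thread (the auth data endpoint answering with a carbon console HTML page that Gson cannot map to an object, and requested-claims.jsp dereferencing a missingClaims parameter that is absent or edited in the address bar) point at one rule: take the missing-claims list from the server-side auth context for the sessionDataKey, not from the request URL. The helper below is an added illustration, not code from identity-apps, carbon-identity-framework or product-apim; the class, the `missingClaims` key in the context map and the URL shape are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;

import com.google.gson.Gson;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import com.google.gson.reflect.TypeToken;

// Hypothetical helper (not identity-apps or carbon-identity-framework code):
// resolves the missing-claims list from the auth data API for a sessionDataKey
// instead of the missingClaims query parameter a user can edit in the address bar.
public final class MissingClaimsResolver {

    // Assumed base, e.g. https://localhost:9443/api/identity/auth/v1.1/data/AuthRequestKey
    private final String authApiUrl;
    private final HttpClient client;

    public MissingClaimsResolver(String authApiUrl, HttpClient client) {
        this.authApiUrl = authApiUrl;
        this.client = client;
    }

    // The "Expected BEGIN_OBJECT but was STRING" in the thread came from handing a
    // carbon console HTML page straight to Gson.fromJson. Check the content type and
    // the JSON shape first so the failure names its real cause.
    static Map<String, String> parseContextProperties(String contentType, String body) {
        if (contentType == null || !contentType.toLowerCase().startsWith("application/json")) {
            throw new IllegalStateException("auth data endpoint did not return JSON: " + contentType);
        }
        JsonElement root = JsonParser.parseString(body); // throws JsonSyntaxException on HTML etc.
        if (!root.isJsonObject()) {
            throw new IllegalStateException("auth data endpoint returned a non-object JSON value");
        }
        return new Gson().fromJson(root, new TypeToken<Map<String, String>>() {}.getType());
    }

    // Fail closed: any transport, status or parse problem yields empty, and the
    // caller then forwards to error.do instead of continuing the claims flow.
    public Optional<Map<String, String>> fetchContextProperties(String sessionDataKey) {
        // sessionDataKey values in the thread are UUIDs; refuse anything else before
        // it is spliced into a URL path.
        if (sessionDataKey == null || !sessionDataKey.matches("[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")) {
            return Optional.empty();
        }
        HttpRequest req = HttpRequest.newBuilder(URI.create(authApiUrl + "/" + sessionDataKey))
                .header("Accept", "application/json").GET().build();
        try {
            HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() != 200) {
                return Optional.empty();
            }
            String ct = resp.headers().firstValue("Content-Type").orElse(null);
            return Optional.of(parseContextProperties(ct, resp.body()));
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return Optional.empty();
        } catch (IOException | RuntimeException e) { // JsonSyntaxException, IllegalStateException
            return Optional.empty();
        }
    }

    // Replacement for request.getParameter(Constants.MISSING_CLAIMS).split(","):
    // the list comes from the server-side context, and an absent entry is an
    // empty list rather than the NullPointerException seen in the thread.
    public static List<String> missingClaims(Map<String, String> contextProperties) {
        String raw = contextProperties.get("missingClaims"); // key name assumed
        if (raw == null || raw.isBlank()) {
            return Collections.emptyList();
        }
        return List.of(raw.split(","));
    }
}
```

The JSP would call fetchContextProperties(sessionDataKey) and forward to error.do when it returns empty, so a client-edited missingClaims value never reaches the rendered page.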

@RusJaI

RusJaI commented Feb 29, 2024

Update [2024-02-29]

It was decided to create a new feature module on the Product APIM side, considering the ability to create a new branch at the identity-local-auth-api repo.

Commit: wso2/product-apim@0000e98

PR: wso2/product-apim#13390

@tharikaGitHub
Member

Closing as the task is completed.
