POST to 'lockouts' on user service plugin causes internal server error

I’m trying to call:


Using version 2.0.2 of the “User Service” administration plugin on version 3.9.3 of Openfire but am getting (I think) the following exception in the logs:

2015.04.02 03:04:58 org.jivesoftware.openfire.container.PluginServlet - No thread local value in scope for proxy of class com.sun.proxy.$Proxy5 java.lang.IllegalStateException: No thread local value in scope for proxy of class com.sun.proxy.$Proxy5 at com.sun.jersey.server.impl.ThreadLocalInvoker.invoke( ) at com.sun.proxy.$Proxy5.getHeader(Unknown Source) at org.jivesoftware.openfire.plugin.AuthFilter.filter( at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApp at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApp at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebAppl at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebAppl at com.sun.jersey.spi.container.servlet.WebComponent.service( ) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer. java:540) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer. java:715) at javax.servlet.http.HttpServlet.service( at org.jivesoftware.openfire.container.PluginServlet.handleServlet(PluginServlet.j ava:316) at org.jivesoftware.openfire.container.PluginServlet.service( 1) at javax.servlet.http.HttpServlet.service( at org.eclipse.jetty.servlet.ServletHolder.handle( at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1359) at org.jivesoftware.admin.PluginFilter.doFilter( at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.jivesoftware.admin.AuthCheckFilter.doFilter( at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage( 8) at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter( at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1330) at org.eclipse.jetty.servlet.ServletHandler.doHandle( at org.eclipse.jetty.server.handler.ScopedHandler.handle( at at org.eclipse.jetty.server.session.SessionHandler.doHandle( 7) at org.eclipse.jetty.server.handler.ContextHandler.doHandle( 1) at org.eclipse.jetty.servlet.ServletHandler.doScope( at org.eclipse.jetty.server.session.SessionHandler.doScope( ) at org.eclipse.jetty.server.handler.ContextHandler.doScope( ) at org.eclipse.jetty.server.handler.ScopedHandler.handle( at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandler at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.jav a:149) at org.eclipse.jetty.server.handler.HandlerWrapper.handle( at org.eclipse.jetty.server.Server.handle( at org.eclipse.jetty.server.HttpConnection.handleRequest( at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConne at org.eclipse.jetty.http.HttpParser.parseNext( at org.eclipse.jetty.http.HttpParser.parseAvailable( at org.eclipse.jetty.server.AsyncHttpConnection.handle( ) at a:586) at$ :44) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob( ) at org.eclipse.jetty.util.thread.QueuedThreadPool$ at

I am doing this to lockout a freshly created user which was created by calling:


with the relevant payload.

Anyone any idea what is going wrong? Is the exception even relevant, it’s difficult to track down the exact error.

Could you provide me your full HTTP request (with headers). And which response do you get from userService plugin?


I guess the userid is the username?

Contains your userId some special characters? (/_?) etc.?

The only header that is being set is the Authorization header via HttpURLConnection.setRequestProperty.

I can’t actually see the full request (is there a way to see the full request at the Openfire end?). It is using the same code for both requests which is weird why the first one for creating works and the second fails.

The username is an email address, I’ve tried escaping it using XmppStringUtils.escapeLocalpart, I’ve tried not escaping. I’ve tried url encoding it and I’ve tried url encoding it with escaping and without. I still get the same error.

Ok, the email is the problem. Because the email contains the @ which will be chopped by openfire filter.

This issue is already fixed in the latest version of openfire 3.10.0.

Solution 1) you use openfire 3.10.0

Solution 2) username should be not the email. (If you create a new user you have also the possibility to save the email)


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <name>Test User</name>

Thanks. So how do I get hold of version 3.10.0? Is there an eta for its release?

I don’t know the ETA but you could use the nightly version: Ignite Realtime: Openfire Nightly Builds

I’ve just upgraded to version 3.10.0 and I’m still getting the problem even when not using an email address, so if I have the url:

and am doing a POST.

I still get the error:

2015.04.23 00:48:36 org.jivesoftware.openfire.container.PluginServlet - No thread local value in scope for proxy of class com.sun.proxy.$Proxy58

java.lang.IllegalStateException: No thread local value in scope for proxy of class com.sun.proxy.$Proxy58

at com.sun.jersey.server.impl.ThreadLocalInvoker.invoke( )

at com.sun.proxy.$Proxy58.getHeader(Unknown Source)

at org.jivesoftware.openfire.plugin.AuthFilter.filter(

at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApp

It seems that you set IP restriction for the REST API. And something there went wrong.

Try at first without any IP restriction.

That worked but it’s hardly a solution. The ip restriction is very important to have. Also just prior to making the lockouts call I am creating a new user. So the ip restriction isn’t really the source of the problem. I’d prefer not to have to rely just on the secret key.

I could check that and fix the problem.

Does the problem appears since the 3.10? Or did you had already problems with 3.9.3 and IP restriction?

I discovered the problem originally in 3.9.3 and ip restriction was present (as reported in the original post). I never tested with the ip restriction removed in 3.9.3 but I got the same error in both 3.9.3 and 3.10 when ip restriction was present.

Switch off ip restriction in 3.10 and the lockout works.

Thy for your feedback. I will investigate to fix the issue.

Try to use the REST API Plugin. It have all the feature which userService have and many more. In the REST API Plugin should the bug already be fixed.

The only thing to change is the URL.

From: plugins/userService/lockouts/

To: plugins/restapi/v1/lockouts/

Using that url returns me the html for the admin login page, the start of which looks like:





48 Openfire Admin Console





The line numbers are added by the “less” command when I look at the file.

I assume the url isn’t mapped in the web.xml file (or however the plugin is being handled). My http call code isn’t following redirects so I assume that’s the actual text being returned by the call.

Did you installed, enabled and set the authentication way by REST API Plugin?

Sorry I misread your previous comment. I’ve now installed the REST api plugin, configured it as per the user service plugin and both creating users and the lockouts works correctly with ip restriction in place.

Thanks for the help.