Graal Selenium Authentication


Mark Ibrahim

Jun 6, 2025, 6:48:16 PM
to ZAP User Group
Hello, I am currently trying to convert older Nashorn scripts to Graal but am having problems with scripts that use Selenium WebDriver for single-sign-on authentication. My scripts were originally based on the Zap Selenium authentication guide, and I am aware that the sample scripts say that they do not support Graal in their current state.

I have attempted several ways of making the script thread-safe but am still experiencing the following error:

180543 [ZAP-IO-Server-1-1] ERROR org.zaproxy.addon.network.internal.server.http.MainServerHandler - An error occurred while notifying a handler:
java.lang.IllegalStateException: Multi threaded access requested by thread Thread[ZAP-IO-Server-1-1,10,main] but is not allowed for language(s) js.
        at com.oracle.truffle.polyglot.PolyglotEngineException.illegalState(PolyglotEngineException.java:135) ~[?:?]
        at com.oracle.truffle.polyglot.PolyglotContextImpl.throwDeniedThreadAccess(PolyglotContextImpl.java:1197) ~[?:?]
        at com.oracle.truffle.polyglot.PolyglotContextImpl.checkAllThreadAccesses(PolyglotContextImpl.java:998) ~[?:?]
        at com.oracle.truffle.polyglot.PolyglotContextImpl.enterThreadChanged(PolyglotContextImpl.java:829) ~[?:?]
        at com.oracle.truffle.polyglot.PolyglotEngineImpl.enterCached(PolyglotEngineImpl.java:2047) ~[?:?]
        at com.oracle.truffle.polyglot.HostToGuestRootNode.execute(HostToGuestRootNode.java:109) ~[?:?]
        at com.oracle.truffle.api.impl.DefaultCallTarget.callDirectOrIndirect(DefaultCallTarget.java:85) ~[?:?]
        at com.oracle.truffle.api.impl.DefaultCallTarget.call(DefaultCallTarget.java:102) ~[?:?]
        at com.oracle.truffle.polyglot.PolyglotFunctionProxyHandler.invoke(PolyglotFunctionProxyHandler.java:155) ~[?:?]
        at jdk.proxy6/jdk.proxy6.$Proxy72.handleMessage(Unknown Source) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [network-beta-0.21.0.zap:?]
        at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
Caused by: com.oracle.truffle.api.TruffleStackTrace$LazyStackTrace

I don't see any other community examples of Selenium scripts that are compatible with Graal. 
If you have any intuition or alternative suggestions for how I can implement single-sign-on with or without Selenium, please let me know.

Thank you for your help.

Mark Ibrahim

Jun 6, 2025, 7:21:31 PM
to ZAP User Group
If Selenium's WebDriver isn't supported in Graal, could converting the script to Jython be a valid option? Are there any extra steps to passing Zap a Jython script instead of Graal?

Thank you

Simon Bennetts

Jun 10, 2025, 1:22:44 PM
to ZAP User Group
The problem is that Graal JS does not allow multithreading.
The scripts should not be sharing objects created by JS with other parts of the code that might use them concurrently.

However, we have been making a lot of improvements in ZAP's authentication handling, so you might not need scripts at all.
First of all, try the Authentication Tester - if that works then your life should be much easier. 
If that doesn't work then we still have other options that should be easier than scripting.

Cheers,

Simon

Mark Ibrahim

Jun 12, 2025, 6:20:52 PM
to ZAP User Group
Hi Simon, thank you for your reply.

Unfortunately, the auth tester seems to struggle with login pages that ask for the username and password in two separate stages, like portal.azure.com. The automatic login can't detect the fields properly after entering the username.
Instead, I used the "Steps" tab of the auth tester to create a functional browser auth procedure. This gave me the "Passed" status in the auth test, so I plugged it into an automation with a spider job.

For some reason, the spider job repeatedly opens the login page, enters the username, presses "Next," and then immediately closes the tab. This happens more than 10 times in 3 minutes with nothing emitted in the "Output" window in Zap UI.

Please let me know if you have any ideas to help resolve these authentication issues.

Thank you very much.

Mark Ibrahim

Jun 12, 2025, 7:05:12 PM
to ZAP User Group
Also, do you have any other suggestions apart from browser auth for this site? Is there another way to make use of Selenium?

Thank you

thc202

Jun 13, 2025, 3:22:49 AM
to zaprox...@googlegroups.com
Have you tried with a weekly release? There have been many
fixes/enhancements to the browser based auth recently. I just checked
the site you mentioned and the auth tester is able to submit both the
username and the password.

If you are still having issues with the latest weekly release, enable
the Record Diagnostics and consider sharing them with us (directly).

Best regards.

On 12/06/2025 23:20, Mark Ibrahim wrote:
> Hi Simon, thank you for your reply.
>
> Unfortunately, the auth tester seems to struggle with login pages that ask
> for the username and password in two separate stages, like portal.azure.com.
> The automatic login can't detect the fields properly after entering the
> username.
> Instead, I used the "Steps" tab of the auth tester to create a functional
> browser auth procedure. This gave me the "Passed" status in the auth test,
> so I plugged it into an automation with a spider job.
>
> For some reason, the spider job repeatedly opens the login page, enters the
> username, presses "Next," and then immediately closes the tab. This happens
> more than 10 times in 3 minutes with nothing emitted in the "Output" window
> in Zap UI.
>
> Please let me know if you have any ideas to help resolve these
> authentication issues.
>
> Thank you very much.
> On Tuesday, June 10, 2025 at 10:22:44 AM UTC-7 psi...@gmail.com wrote:
>
>> The problem is that Graal JS does not allow multithreading.
>> The scripts should not be sharing objects created by JS with other parts
>> of the code that might use them concurrently.
>>
>> However, we have been making a lot of improvements in ZAP's authentication
>> handling, so you might not need scripts at all.
>> First of all, try the Authentication Tester
>> <https://www.zaproxy.org/blog/2023-05-23-authentication-tester/> - if
>> that works then your life should be much easier.
>> If that doesn't work then we still have other options that should be easier
>> than scripting.
>>
>> Cheers,
>>
>> Simon
>>
>> On Saturday, 7 June 2025 at 00:21:31 UTC+1 mark.mahe...@gmail.com wrote:
>>
>>> If Selenium's WebDriver isn't supported in Graal, could converting the
>>> script to Jython be a valid option? Are there any extra steps to passing
>>> Zap a Jython script instead of Graal?
>>>
>>> Thank you
>>>
>>> On Friday, June 6, 2025 at 3:48:16 PM UTC-7 Mark Ibrahim wrote:
>>>
>>>> Hello, I am currently trying to convert older Nashorn scripts to Graal
>>>> but am having problems with scripts that use Selenium WebDriver for
>>>> single-sign-on authentication. My scripts were originally based on the Zap
>>>> Selenium authentication guide
>>>> <https://www.zaproxy.org/blog/2023-02-01-authenticating-using-selenium/>,
>>>> and I am aware that the sample scripts
>>>> <https://github.com/zaproxy/community-scripts/blob/main/other/af-plans/juiceshop-selenium-auth/JuiceShopAuthentication.js> say

Mark Ibrahim

Jun 13, 2025, 2:35:27 PM
to ZAP User Group
Hello, I am still having problems with the auth tester in zap-weekly. Can I direct message you on Slack with the diagnostics?

Thank you