OpenAM Agents / AMAGENTS-123

CDSSO session token cleared when hitting denied URL

      Description

      Problem
      When CDSSO is enabled
      Setup/Tests

      1. In an environment with OpenAM 13 set up (openam.example.com)
      and three Apache 2.4 servers with WPA 4.0.1 set up.

      • Two of these Apache 2.4 WPAs are web1.example.com and web2.example.com.
      • The other Apache 2.4 is web3.example.net. This web server is not needed to see the issue; it is configured only to ensure CDSSO works.

      2. One policy is defined to grant access to the URL
      "://:/public/" for POST/GET, and another to deny access to the protected URL "://:/protected/" for all HTTP methods.

      3. OpenAM 13 is set with the platform cookie domain .example.com.
      All the web agents are set with CDSSO enabled and
      the CDSSO cookie domain list ".example.com and .example.net".

      4. Now, initially one can log in to any of the above web servers and navigate to all the "/public/index.html" pages without issues.

      Observed
      5. When one accesses /protected/index.html on the WPA in the hosting domain .example.com, this causes a Forbidden access and the URL is redirected to OpenAM for authentication.

      6. Without going forward on (5), access the other web server for /public/index.html. This causes an OpenAM login request (i.e. the SSO session seems to be lost).

      Expected

      5. On 4.0.0-8, the /protected/index.html page returns the 403 FORBIDDEN error, but accessing /public/index.html afterwards on this web server and on the other web server seems to be fine (i.e. the issue is not seen on 4.0.0-8).

      Investigation
      A suspected change in 4.0.1 from AMAGENTS-47 and OPENAM-8366 may clear the domain cookies on Forbidden access in a CDSSO context.

      2016-07-11 21:58:47.643 +0800 WARNING [0x7f428f6a4700:8041] validate_policy(): decision: deny, reason: no action decisions found
      2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:1808] handle_exit(): (entry status: access denied)
      2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:2140] handle_exit(): resetting session cookie in .example.com domain
      2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Domain=.example.com;Path=/
      2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:2140] handle_exit(): resetting session cookie in .example.net domain
      2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Domain=.example.net;Path=/
      2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
      2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/apache/agent.c:733] amagent_auth_handler(): exit status: forbidden (3)
      ...
      

      IMPACT
      When CDSSO is enabled and a forbidden URL is accessed on a web server with the same cookie domain as the SSO session, a full re-authentication is needed.
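The log excerpt in the Investigation section shows the sequence the report describes: a "decision: deny" from validate_policy(), then handle_exit() expiring iPlanetDirectoryPro in every CDSSO domain via do_cookie_set_generic(). The script below is an added example, not part of this issue or of the agent code base. It parses agent debug lines in that format and reports, per request id, whether a deny decision was followed by the SSO cookie being cleared, so the behaviour can be confirmed from debug logs when comparing an agent build such as 4.0.0-8 with 4.0.1. The line regex is an assumption derived from the excerpt above; the second request (id 0x7f428f6a4700:8099) is a constructed "healthy" sequence in which the deny is not followed by any cookie reset.

```python
"""Detect 'deny followed by SSO cookie reset' sequences in OpenAM web agent debug logs."""
import re
from collections import OrderedDict

# Assumed agent line layout, taken from the excerpt in this issue:
#   "<date> <time> <tz> <LEVEL> [<thread:pid>][<file:line>] <func>(): <message>"
# The [<file:line>] part is absent on the WARNING line, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+ [+-]\d{4})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<req>[^\]]+)\](?:\[(?P<src>[^\]]+)\])?\s*(?P<func>\w+)\(\): (?P<msg>.*)$"
)

SESSION_COOKIE = "iPlanetDirectoryPro"  # OpenAM SSO token cookie named in the log

# Lines 1-8 are the excerpt from this issue; the :8099 request is constructed for the example.
SAMPLE_LOG = """
2016-07-11 21:58:47.643 +0800 WARNING [0x7f428f6a4700:8041] validate_policy(): decision: deny, reason: no action decisions found
2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:1808] handle_exit(): (entry status: access denied)
2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:2140] handle_exit(): resetting session cookie in .example.com domain
2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Domain=.example.com;Path=/
2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:2140] handle_exit(): resetting session cookie in .example.net domain
2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Domain=.example.net;Path=/
2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/process.c:1465] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
2016-07-11 21:58:47.643 +0800   DEBUG [0x7f428f6a4700:8041][source/apache/agent.c:733] amagent_auth_handler(): exit status: forbidden (3)
...
2016-07-11 22:01:10.100 +0800 WARNING [0x7f428f6a4700:8099] validate_policy(): decision: deny, reason: no action decisions found
2016-07-11 22:01:10.100 +0800   DEBUG [0x7f428f6a4700:8099][source/process.c:1808] handle_exit(): (entry status: access denied)
2016-07-11 22:01:10.100 +0800   DEBUG [0x7f428f6a4700:8099][source/apache/agent.c:733] amagent_auth_handler(): exit status: forbidden (3)
""".strip().splitlines()


def parse_line(line):
    """Return the named groups of one agent log line, or None for lines like '...'."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_set_cookie(value):
    """Split a Set-Cookie style string into (name, value, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val, attrs


def is_expiring(val, attrs):
    """An empty value with Max-Age=0 (or an epoch Expires) deletes the cookie in the browser."""
    return val == "" and (attrs.get("max-age") == "0" or "1970" in attrs.get("expires", ""))


def analyse(lines):
    """Per request id: whether the policy decision was deny, and which cookie
    domains the SSO cookie was cleared in afterwards (None = host-only cookie)."""
    findings = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rec = findings.setdefault(ev["req"], {"denied": False, "cleared": []})
        if ev["func"] == "validate_policy" and ev["msg"].startswith("decision: deny"):
            rec["denied"] = True
        elif ev["func"] == "do_cookie_set_generic" and rec["denied"]:
            name, val, attrs = parse_set_cookie(ev["msg"])
            if name == SESSION_COOKIE and is_expiring(val, attrs):
                rec["cleared"].append(attrs.get("domain"))
    return findings


def requests_losing_sso(findings):
    """Request ids where a deny decision was followed by clearing the SSO cookie."""
    return [req for req, rec in findings.items() if rec["denied"] and rec["cleared"]]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for req, rec in result.items():
        print(req, "denied" if rec["denied"] else "allowed", "cleared in:", rec["cleared"])
    print("SSO session lost on deny for:", requests_losing_sso(result))
```

Run against a real agent debug log, the script flags requests where a 403 also expired the SSO cookie across the CDSSO domain list; on a build that behaves like 4.0.0-8 the cleared list for denied requests should stay empty.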

      People

      Assignee: Chris Lee (chris.lee)
      Reporter: C-Weng C (chee-weng.chea)
      Votes: 0
      Watchers: 6
