OpenAM Agents / AMAGENTS-2116

Illegal attempt to use a restricted token when profile attribute fetching is configured

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix

      Description

      Bug description

      Configuring profile attribute fetching using the J2EE Agent results in a 403 response and the following exception in the logs:

      Output: <?xml version="1.0" encoding="UTF-8"?>

      <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://isp.com/types" xmlns:ns1="http://java.sun.com/jax-rpc-ri/internal" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><env:Body><env:Fault xsi:type="env:Fault"><faultcode>env:Server</faultcode><faultstring>com.iplanet.sso.SSOException</faultstring><detail><ans1:SSOException xmlns:ans1="http://isp.com/wsdl" xsi:type="ns0:SSOException"><errorCode xsi:type="xsd:string">restrictionViolation</errorCode><resourceBundleName xsi:type="xsd:string">amSession</resourceBundleName><l10NMessage xsi:type="xsd:string">Illegal attempt to use a restricted token.</l10NMessage><message xsi:type="xsd:string">Illegal attempt to use a restricted token.</message></ans1:SSOException></detail></env:Fault></env:Body></env:Envelope>

       

      amFilter:10/30/2018 03:06:37:866 PM UTC: Thread[http-bio-8081-exec-8,5,main]
      AmFilter: user SSO Token is invalid. Invalid User SSO Token: , for user:id=eliottest,ou=user,dc=openam,dc=forgerock,dc=org. Redirect to authentication page.
      amFilter:10/30/2018 03:06:37:866 PM UTC: Thread[http-bio-8081-exec-8,5,main]
      ERROR: AmFilter: An error occurred while processing request. Access will be denied.
      java.lang.NullPointerException
          at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:296)
          at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:266)
          at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:412)
          at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:394)
          at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:205)
          at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:157)
          at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:70)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          at java.lang.Thread.run(Thread.java:748)

      How to reproduce the issue

      • AM-6.0.0.4 vanilla install
      • set up JEE Policy Agent 3.5.1 in "/" realm with appropriate policies

      Expected behaviour
      Successful authentication enabling access to protected resource

      Current behaviour
      Authentication fails with a 403 throwing a null pointer exception

       

              People

              kamal.sivanandam@forgerock.com Kamal Sivanandam
              eliot.kerslake Eliot Kerslake [X] (Inactive)