  1. OpenAM Agents
  2. AMAGENTS-2257

WebSphere TAI throws exception if openam is down which breaks authentication of non-openam protected apps


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Expired
    • Affects Version/s: 3.5.1
    • Fix Version/s: None
    • Component/s: J2EE Agents
    • Environment:

      Description

      I have a WAS system that uses more than one TAI for authentication, the OpenAM one and an additional bespoke one. When WAS needs to authenticate a request the TAIs run in sequence with the isTargetInterceptor() method being run on each one until a true return code is detected.

      When the OpenAM policy server is down this method throws an exception:

      [7/9/13 2:01:00:786 NZST] 00000041 webapp E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[SearchSeedlistServletSecured]: java.lang.NoClassDefFoundError: com.sun.identity.agents.websphere.AmWebsphereManager (initialization failure)
      at java.lang.J9VMInternals.initialize(J9VMInternals.java:168)
      at com.sun.identity.agents.websphere.AmTrustAssociationInterceptor.isTargetInterceptor(AmTrustAssociationInterceptor.java:60)
      at com.ibm.ws.security.web.TAIWrapper.isTargetInterceptor(TAIWrapper.java:195)
      at com.ibm.ws.security.web.TrustAssociationManager.getInterceptor(TrustAssociationManager.java:146)
      at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:391)
      at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:3123)
      at com.ibm.ws.security.web.WebCollaborator.authorize(WebCollaborator.java:993)
      at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:434)

      I am not sure why it says classnotfound, but this terminates the whole TAI chain. In our case the OpenAM TAI runs before the other one, and this means that if the URL was not protected by OpenAM you can't log in using any other mechanism, which could either be by the 2nd TAI or by a normal WAS login form.

      The isTargetInterceptor() should catch the exception and return false.

      The negotiateValidateandEstablishTrust() method is allowed to throw an exception.
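
      The behaviour requested above, as an added example that is not code from the OpenAM agent or from the reporter: a wrapper whose isTargetInterceptor() declines the request instead of aborting the interceptor chain. `Interceptor`, `FragileManager`, `AgentTai`, `BespokeTai` and `GuardedTai` are hypothetical stand-ins so the file runs on a plain JDK; it also shows that a failed static initializer surfaces as ExceptionInInitializerError on first use and NoClassDefFoundError afterwards, both of which a plain catch (Exception) would miss.

```java
import java.util.List;

public class TaiChainDemo {
    // Hypothetical stand-in for the interceptor contract (not the WebSphere interface).
    interface Interceptor { boolean isTargetInterceptor(String uri) throws Exception; }

    // Hypothetical manager whose static initializer fails, e.g. because a backend is down.
    static class FragileManager {
        static final FragileManager INSTANCE = connect();
        static FragileManager connect() { throw new IllegalStateException("policy server unreachable"); }
        boolean protects(String uri) { return uri.startsWith("/sso/"); }
    }

    // Touching FragileManager.INSTANCE triggers class initialization and therefore the failure.
    static class AgentTai implements Interceptor {
        public boolean isTargetInterceptor(String uri) { return FragileManager.INSTANCE.protects(uri); }
    }

    // Second interceptor in the chain; claims the constructed /search/ path.
    static class BespokeTai implements Interceptor {
        public boolean isTargetInterceptor(String uri) { return uri.startsWith("/search/"); }
    }

    // Wrapper: on failure, decline the request so the next interceptor still gets asked.
    static class GuardedTai implements Interceptor {
        private final Interceptor delegate;
        GuardedTai(Interceptor delegate) { this.delegate = delegate; }
        public boolean isTargetInterceptor(String uri) {
            try {
                return delegate.isTargetInterceptor(uri);
            } catch (Exception | LinkageError e) {
                // LinkageError covers ExceptionInInitializerError and NoClassDefFoundError,
                // without swallowing unrelated Errors such as OutOfMemoryError.
                System.out.println("  declined after " + e.getClass().getName());
                return false;
            }
        }
    }

    // Returns the simple class name of the first interceptor that claims the request.
    static String select(List<Interceptor> chain, String uri) throws Exception {
        for (Interceptor i : chain) if (i.isTargetInterceptor(uri)) return i.getClass().getSimpleName();
        return "none";
    }

    public static void main(String[] args) throws Exception {
        List<Interceptor> chain = List.of(new GuardedTai(new AgentTai()), new BespokeTai());
        // Two requests: the error class changes between the first and second attempt.
        for (int n = 1; n <= 2; n++) System.out.println("request " + n + " -> " + select(chain, "/search/seedlist"));
    }
}
```

      Returning false here only means the interceptor declines the request; it establishes no identity, so the remaining interceptors or the normal login still have to authenticate the user.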

              People

              Assignee:
              diego.colantoni Diego Colantoni
              Reporter:
              richard.hardy@solnetsolutions.co.nz Richard Hardy
              QA Assignee:
                edwardb edwardb