OpenAM Agents / AMAGENTS-2930

NPE if you access protected resources without an ssoToken while IPDP mode is on


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 5.7.0
    • Fix Version/s: None
    • Component/s: Java Agents
    • Labels: None

    Description

      Reproduce:
      Set up 5.6.1.2

      Set config:

         },
         "customProperties": {
           "inherited": false,
           "value": [
             "org.forgerock.agents.sso.exchange.cache.size=100",
             "org.forgerock.agents.accept.ipdp.cookie=true",
             "org.forgerock.agents.sso.exchange.cache.ttl.minutes=5"
           ]
         },

      Restart agent.
      Access Protected Resource without an IPDP cookie.

      Get NPE from Guava:

      2019-08-29 04:13:15:830 AM AEST: http-nio-8081-exec-8/5/main
      INFO: NotEnforcedRuleHelper.isAuthNRequest: requestURI: /agentapp/; AuthNRedirectURI is /frqa/sunwCDSSORedirectURI; result is false
      2019-08-29 04:13:15:831 AM AEST: http-nio-8081-exec-8/5/main
      INFO: NotEnforcedRuleHelper.isAccessDeniedRequest: requestURI: null; accessDeniedURI is /agentapp/; result is false
      2019-08-29 04:13:15:831 AM AEST: http-nio-8081-exec-8/5/main
      ERROR: AmFilter: Error while delegating to inbound handler: CDSSO Task Handler, access will be denied
      java.lang.NullPointerException
      	at org.forgerock.agents.shaded.com.google.common.base.Preconditions.checkNotNull(Preconditions.java:877)
      	at org.forgerock.agents.shaded.com.google.common.cache.LocalCache.getIfPresent(LocalCache.java:3956)
      	at org.forgerock.agents.shaded.com.google.common.cache.LocalCache$LocalManualCache.getIfPresent(LocalCache.java:4865)
      	at org.forgerock.agents.AgentCache.getSessionInfoFromSsoToken(AgentCache.java:474)
      	at com.sun.identity.agents.filter.AuthnTaskHandler.getUserCredentials(AuthnTaskHandler.java:176)
      	at com.sun.identity.agents.filter.AuthnTaskHandler.process(AuthnTaskHandler.java:96)
      	at com.sun.identity.agents.filter.AmFilter.processTaskHandlerInternal(AmFilter.java:236)
      	at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:202)
      	at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:177)
      	at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:81)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      

      Code Analysis:
      I have not looked at it and am not familiar with this code. It looks like it trips up when we add a new entry into the SSO token -> session UID cache. Under these conditions, though, because this is not thrown when you access the protected resource with a token already present, I'm assuming that when the ssoToken is not present it throws an NPE based on this.

      Expected:
      Users would expect a redirect for AuthN --> AuthZ.
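      The code path in the trace, as an added illustration that is not the agent's own code: Guava's Cache.getIfPresent calls Preconditions.checkNotNull on the key, so a lookup with a missing ssoToken has to be guarded before it reaches the cache. The cache is sized like the customProperties above; the SessionInfo type, the method names and the token value are assumptions.

```java
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.util.Optional;
import java.util.concurrent.TimeUnit;

public class SsoTokenCacheLookup {

    // Stand-in for the agent's cached session data (assumed type, not the agent's own class).
    static final class SessionInfo {
        final String sessionUid;
        SessionInfo(String sessionUid) { this.sessionUid = sessionUid; }
    }

    // Sized like the customProperties in the report:
    // org.forgerock.agents.sso.exchange.cache.size=100, ...cache.ttl.minutes=5
    private final Cache<String, SessionInfo> ssoTokenToSession = CacheBuilder.newBuilder()
            .maximumSize(100)
            .expireAfterWrite(5, TimeUnit.MINUTES)
            .build();

    // Before: the token is passed straight through. Guava's LocalCache.getIfPresent
    // runs Preconditions.checkNotNull(key) and throws the NPE seen in the trace.
    SessionInfo lookupUnguarded(String ssoToken) {
        return ssoTokenToSession.getIfPresent(ssoToken);
    }

    // After: a request with no IPDP cookie and no ssoToken is an ordinary
    // unauthenticated request. Return empty so the caller can fall through to the
    // AuthN redirect instead of failing the task handler and denying access.
    Optional<SessionInfo> lookupGuarded(String ssoToken) {
        if (ssoToken == null || ssoToken.isEmpty()) {
            return Optional.empty();
        }
        return Optional.ofNullable(ssoTokenToSession.getIfPresent(ssoToken));
    }

    public static void main(String[] args) {
        SsoTokenCacheLookup lookup = new SsoTokenCacheLookup();
        String token = "constructed-sso-token"; // constructed sample value
        lookup.ssoTokenToSession.put(token, new SessionInfo("uid-1"));

        System.out.println("guarded, known token: " + lookup.lookupGuarded(token).isPresent()); // true
        System.out.println("guarded, no token: " + lookup.lookupGuarded(null).isPresent());     // false
        try {
            lookup.lookupUnguarded(null); // reproduces the NullPointerException from the report
        } catch (NullPointerException e) {
            System.out.println("unguarded, no token: NullPointerException");
        }
    }
}
```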

      People

        Assignee: Unassigned
        Reporter: jeremy.cocks (Jeremy Cocks)