Project: OpenAM Agents
Issue: AMAGENTS-4064

fragments don't work in an SSL-terminated environment


      Description
      In an SSL-terminated environment, in the default login flow, if override host and protocol are enabled, the resulting location will be overridden, e.g. from http to https, for URLs such as agent/cdsso-oauth2. If the same is done with fragments enabled, then the same override should take place, as the internal URL may not resolve (e.g. /agent/login-fragment-relay gets a 404).

      Reproduction
      A unit test has been created to illustrate this. In it, create_fragment_relay_url is called once with no overrides, and a second time with overrides.

      1. In advanced properties set org.forgerock.agents.config.fragment.redirect.enable=1
      2. Change one or more of the protocol, host, port (e.g. agent -> pagent) from the default com.sun.identity.agents.config.agenturi.prefix=http://pagent.localtest.me:80/agentapp
      3. NB another way of achieving this would be to use one or more of X-Forwarded-Proto, X-Forwarded-Host or X-Forwarded-Port
      4. In the Advanced tab, perform one or more of the following steps:
         - Enable Override Request URL Protocol. The equivalent property setting is com.sun.identity.agents.config.override.protocol=true.
         - Enable Override Request URL Host. The equivalent property setting is com.sun.identity.agents.config.override.host=true.
         - Enable Override Request URL Port. The equivalent property setting is com.sun.identity.agents.config.override.port=true.
         (In my example I am overriding the host.)

      5. curl -v http://agent.localtest.me:80/index.html#chapter-1

      Expected result
        Without overrides, either an internal redirect to /agent/login-fragment-relay?state=x or a full URL based on the original URL should be the result,
        e.g. Location: /agent/login-fragment-relay?state=IxkkAnW3e50DiLJU7ATY_x5kfd4 or http://agent.localtest.me:80/agent/login-fragment-relay?state=IxkkAnW3e50DiLJU7ATY_x5kfd4
        With overrides, the host and port of the overridden URL replace the original. An internal redirect should not be used (unless there was no change in any parameters):
        http://pagent.localtest.me:80/agent/login-fragment-relay?state=IxkkAnW3e50DiLJU7ATY_x5kfd4

      Actual result
      Without overrides, an internal redirect to /agent/login-fragment-relay?state=x is in the location:
      Location: /agent/login-fragment-relay?state=b6toKjP0bMZ2s68w7-JvAHX_CAM
      With overrides, an internal redirect to /agent/login-fragment-relay?state=x is in the location:
      Location: /agent/login-fragment-relay?state=IxkkAnW3e50DiLJU7ATY_x5kfd4
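The following is an added illustration of the behaviour the report asks for; it is not the agent's own code and is not taken from the reporter's unit test. It assumes that each enabled override.* property replaces that component of the request URL with the one from com.sun.identity.agents.config.agenturi.prefix, and that X-Forwarded-Proto/Host/Port from a TLS-terminating proxy are applied to the request origin before the redirect is built (the reporter's step 3). The function name create_fragment_relay_url mirrors the name in the report, but the implementation, apply_forwarded and reproduce_issue are hypothetical. The state values and hostnames are the ones from the issue, reused as constructed sample input. Because a browser never sends the fragment (#chapter-1) to the server, the agent has to redirect to a relay page that captures it client-side, which is why a Location that does not resolve on the externally visible origin breaks the flow.

```python
"""Added illustration for AMAGENTS-4064; not the agent's own code.

Models the Location the agent should emit for the login-fragment-relay when
the override.protocol/host/port properties (or X-Forwarded-* headers from a
TLS-terminating proxy) change the externally visible origin.
"""
from urllib.parse import urlsplit, urlunsplit, urlencode

RELAY_PATH = "/agent/login-fragment-relay"
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)


def apply_forwarded(request_url, headers, trusted_proxy=True):
    """Assumed behaviour: rebuild the request origin from X-Forwarded-Proto/Host/Port
    the way a reverse-proxy-aware server does (the reporter's step 3).

    Only do this behind a trusted proxy: otherwise the headers are client-controlled
    and an attacker could steer the redirect to an origin of their choosing.
    """
    if not trusted_proxy:
        return request_url
    scheme, host, port = _origin(request_url)
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", scheme)
    fwd_port = None
    if "x-forwarded-host" in h:
        host, _, p = h["x-forwarded-host"].partition(":")  # header may carry a port
        fwd_port = int(p) if p else None
    if "x-forwarded-port" in h:
        fwd_port = int(h["x-forwarded-port"])
    if fwd_port is None and "x-forwarded-proto" in h:
        fwd_port = DEFAULT_PORTS.get(scheme)  # http -> https implies 80 -> 443
    req = urlsplit(request_url)
    return urlunsplit((scheme, f"{host}:{fwd_port or port}", req.path, req.query, ""))


def create_fragment_relay_url(request_url, state, agent_uri_prefix,
                              override_protocol=False, override_host=False,
                              override_port=False):
    """Build the redirect Location for the fragment relay (hypothetical implementation).

    Assumption: each enabled override flag replaces that component of the request
    URL with the one from com.sun.identity.agents.config.agenturi.prefix.
    If no component changed, a relative (internal) redirect is acceptable; if any
    did, the Location must be absolute, otherwise the browser resolves it against
    the un-overridden origin and the relay page is not found (the reported 404).
    """
    r_scheme, r_host, r_port = _origin(request_url)
    p_scheme, p_host, p_port = _origin(agent_uri_prefix)
    scheme = p_scheme if override_protocol else r_scheme
    host = p_host if override_host else r_host
    port = p_port if override_port else r_port
    query = urlencode({"state": state})
    if (scheme, host, port) == (r_scheme, r_host, r_port):
        return f"{RELAY_PATH}?{query}"
    return urlunsplit((scheme, f"{host}:{port}", RELAY_PATH, query, ""))


def reproduce_issue():
    """The two calls the reporter's unit test makes, plus the SSL-terminated case.
    Constructed sample input: the state value and hosts are the ones in the issue."""
    state = "IxkkAnW3e50DiLJU7ATY_x5kfd4"
    request = "http://agent.localtest.me:80/index.html"  # fragment never reaches the server
    prefix = "http://pagent.localtest.me:80/agentapp"
    no_override = create_fragment_relay_url(request, state, prefix)
    host_override = create_fragment_relay_url(request, state, prefix, override_host=True)
    # TLS terminated in front of the agent: the browser spoke https, the agent saw http.
    tls = create_fragment_relay_url(request, state, "https://agent.localtest.me:443/agentapp",
                                    override_protocol=True, override_port=True)
    return no_override, host_override, tls


if __name__ == "__main__":
    for loc in reproduce_issue():
        print("Location:", loc)
```

With no override the first call yields the relative Location the report lists as acceptable; with the host override it yields the absolute http://pagent.localtest.me:80/... URL the report expects instead of the relative one it actually observed; with protocol and port overridden for a TLS-terminating proxy it yields an https Location on port 443.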

        Attachments

        1. 5.8.0.png (134 kB)
        2. debug.log (7 kB)

              People

              Assignee:
              alex.levin@forgerock.com Alex Levin
              Reporter:
              alex.levin@forgerock.com Alex Levin