OpenAM Agents / AMAGENTS-712

C Agent 5 ignores conditional login

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.0.0
    • Fix Version/s: 5.0.0.0
    • Component/s: Web Agents
    • Environment:
      Ubuntu 14.04 / Apache 2.4 / PA: Version: 5.0.0-SNAPSHOT, Revision: 0725088, Container: Apache 2.4 Linux 64bit/Linux, Build date: Jun 26 2017 16:50:07

      Description

      C Agent 5 ignores conditional login.

      Steps to Reproduce

      1.) Setup:

      • Agent Profile > Global Tab
      • Agent Profile > Custom Properties
        • com.forgerock.agents.conditional.login.url[0]=riso-ubuntu14.test.forgerock.com|http://conditional.login.test1.com:8080/openam
        • com.forgerock.agents.conditional.login.url[1]=riso-ubuntu14alt.test.forgerock.com|http://conditional.login.test2.com:8080/openam

      2.) Hit agent protected page, in my case
      http://riso-ubuntu14alt.test.forgerock.com:80/index.html

      Expected Result

      You should be redirected to the http://conditional.login.test2.com:8080/openam login page.
      If you hit riso-ubuntu14, you should be redirected to the conditional.login.test1 login page.

      Observed Result

      Redirected to the default AM login page. It does not care if I hit riso-ubuntu14 or riso-ubuntu14alt. Conditional login is ignored.

      Agent 5 debug log
      2017-06-30 08:36:07.265 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:249] setup_request_data():
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:271] setup_request_data(): client ip: 172.25.1.42
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:309] setup_request_data(): client hostname: (empty)
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:317] setup_request_data(): original request url: http://riso-ubuntu14alt.test.forgerock.com/index.html
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:397] setup_request_data(): 
      method: GET 
      original url: http://riso-ubuntu14alt.test.forgerock.com/index.html
      proto: http
      host: riso-ubuntu14alt.test.forgerock.com
      port: 80
      path: /index.html
      query: 
      complete: http://riso-ubuntu14alt.test.forgerock.com:80/index.html
      overridden: http://riso-ubuntu14alt.test.forgerock.com:80/index.html
      pathinfo: 
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:421] validate_url():
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:433] validate_url(): request url validation feature is not enabled
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:442] validate_fqdn_access():
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:472] validate_fqdn_access(): comparing a valid host name riso-ubuntu14alt.test.forgerock.com with riso-ubuntu14alt.test.forgerock.com
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:477] validate_fqdn_access(): host name riso-ubuntu14alt.test.forgerock.com is valid (maps to riso-ubuntu14alt.test.forgerock.com, key: riso-ubuntu14alt)
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:544] handle_not_enforced(): application logout url feature is not enabled
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:684] handle_not_enforced(): not enforced client ip validation feature is not enabled
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:687] handle_not_enforced(): validating http://riso-ubuntu14alt.test.forgerock.com:80/index.html
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:763] handle_not_enforced(): not enforced url validation feature is not enabled
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:808] handle_not_enforced(): extended not enforced url validation feature is not enabled
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:811] handle_not_enforced(): http://riso-ubuntu14alt.test.forgerock.com:80/index.html is enforced
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:952] validate_policy(): for http://riso-ubuntu14alt.test.forgerock.com:80/index.html (ignoring pathinfo: no), entry status: not found
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:1987] handle_exit(): (entry status: invalid session)
      2017-06-30 08:36:07.266 +0100   DEBUG [0x7f23aa3a4700:17234][source/request.c:1574] do_cookie_set_generic(): iPlanetDirectoryPro=;Max-Age=0;Expires=Thu, 01-Jan-1970 00:00:01 GMT;Path=/
      2017-06-30 08:36:07.268 +0100   DEBUG [0x7f23aa3a4700:17234][source/utility.c:1551] get_valid_openam_url(): active OpenAM service url: http://perf-openam.internal.forgerock.com:8080/openam (0)
      2017-06-30 08:36:07.268 +0100   DEBUG [0x7f23aa3a4700:17234][source/apache/agent.c:736] amagent_auth_handler(): exit status: redirect (1)
      

      Agent 4 handles conditional login properly. I used rules:

      • com.forgerock.agents.conditional.login.url[0]=perf-openam2.internal.forgerock.com|http://conditional.login.test1.com:8080/openam
      • com.forgerock.agents.conditional.login.url[1]=perf-openam2alt.internal.forgerock.com|http://conditional.login.test2.com:8080/openam

      I hit perf-openam2alt (the agent's virtual host) and, as you can see from the logs, conditional login was handled by Agent 4, and I was redirected to the AM page set in the rules (conditional.login.test2.com):
      find_active_login_server(): conditional login pattern: perf-openam2.internal.forgerock.com, url: http://perf-openam2alt.internal.forgerock.com:80/index.html, match status: no match
      find_active_login_server(): conditional login pattern: perf-openam2alt.internal.forgerock.com, url: http://perf-openam2alt.internal.forgerock.com:80/index.html, match status: match
      find_active_login_server(): selected login url: http://conditional.login.test2.com:8080/openam?goto=http%3A%2F%2Fperf-openam2alt.internal.forgerock.com%3A80%2Findex.html
      handle_exit(): find_active_login_server value: http://conditional.login.test2.com:8080/openam?goto=http%3A%2F%2Fperf-openam2alt.internal.forgerock.com%3A80%2Findex.html
      set_custom_response(): status: redirect (exit: redirect)

      Agent 4 debug logs
      2017-06-30 08:39:27.935 +0100   DEBUG [0x7fcd9ebfd700:28061][source/apache/agent.c:579] get_method_num(): method GET (GET, 0)
      2017-06-30 08:39:27.935 +0100   DEBUG [0x7fcd9ebfd700:28061][source/apache/agent.c:588] get_method_num(): number corresponds to GET method
      2017-06-30 08:39:27.935 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:235] setup_request_data():
      2017-06-30 08:39:27.935 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:257] setup_request_data(): client ip: 172.25.1.42
      2017-06-30 08:39:27.935 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:295] setup_request_data(): client hostname: (empty)
      2017-06-30 08:39:27.935 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:303] setup_request_data(): original request url: http://perf-openam2alt.internal.forgerock.com/index.html
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:320] setup_request_data(): no token in query parameters
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:389] setup_request_data(): 
      method: GET 
      original url: http://perf-openam2alt.internal.forgerock.com/index.html
      proto: http
      host: perf-openam2alt.internal.forgerock.com
      port: 80
      path: /index.html
      query: 
      complete: http://perf-openam2alt.internal.forgerock.com:80/index.html
      overridden: http://perf-openam2alt.internal.forgerock.com:80/index.html
      pathinfo: 
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:404] validate_url():
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:416] validate_url(): request url validation feature is not enabled
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:424] handle_notification():
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:480] validate_fqdn_access():
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:510] validate_fqdn_access(): comparing a valid host name perf-openam2alt.internal.forgerock.com with perf-openam2alt.internal.forgerock.com
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:515] validate_fqdn_access(): host name perf-openam2alt.internal.forgerock.com is valid (maps to perf-openam2alt.internal.forgerock.com, key: perf-openam2alt)
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:908] validate_token():
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/utility.c:1049] get_cookie_value(;): parsing cookie header: amlbcookie=01
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:999] validate_token(): sso token: (empty), status: success
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:552] handle_not_enforced():
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:613] handle_not_enforced(): application logout url feature is not enabled
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:753] handle_not_enforced(): not enforced client ip validation feature is not enabled
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:756] handle_not_enforced(): validating http://perf-openam2alt.internal.forgerock.com:80/index.html
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:829] handle_not_enforced(): not enforced url validation feature is not enabled
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:874] handle_not_enforced(): extended not enforced url validation feature is not enabled
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:877] handle_not_enforced(): http://perf-openam2alt.internal.forgerock.com:80/index.html is enforced
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:1132] validate_policy(): for http://perf-openam2alt.internal.forgerock.com:80/index.html (ignoring pathinfo: no), entry status: not found
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:2056] handle_exit(): (entry status: invalid session)
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:1965] find_active_login_server(): conditional login pattern: perf-openam2.internal.forgerock.com, url: http://perf-openam2alt.internal.forgerock.com:80/index.html, match status: no match
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:1965] find_active_login_server(): conditional login pattern: perf-openam2alt.internal.forgerock.com, url: http://perf-openam2alt.internal.forgerock.com:80/index.html, match status: match
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:2033] find_active_login_server(): selected login url: http://conditional.login.test2.com:8080/openam?goto=http%3A%2F%2Fperf-openam2alt.internal.forgerock.com%3A80%2Findex.html
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/process.c:2566] handle_exit(): find_active_login_server value: http://conditional.login.test2.com:8080/openam?goto=http%3A%2F%2Fperf-openam2alt.internal.forgerock.com%3A80%2Findex.html
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/apache/agent.c:568] set_custom_response(): status: redirect (exit: redirect)
      2017-06-30 08:39:27.936 +0100   DEBUG [0x7fcd9ebfd700:28061][source/apache/agent.c:931] amagent_auth_handler(): exit status: redirect (1)
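
The rule selection that the Agent 4 log shows and the Agent 5 log lacks, as an added example (not the agent's own source code). The function names are hypothetical, and the exact, case-insensitive host comparison is an assumption, since the report does not state the agent's pattern semantics; the goto encoding reproduces the "selected login url" line in the Agent 4 log.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two length-delimited host names. */
static int host_eq(const char *a, size_t alen, const char *b, size_t blen) {
    for (size_t i = 0; alen == blen && i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return alen == blen;
}

/* Percent-encode all but RFC 3986 unreserved characters; 0 on success. */
static int pct_encode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        int keep = isalnum(*p) || *p == '-' || *p == '.' || *p == '_' || *p == '~';
        if (o + (keep ? 1 : 3) >= outlen) return -1;
        if (keep) out[o++] = (char)*p;
        else o += (size_t)sprintf(out + o, "%%%02X", (unsigned)*p);
    }
    out[o] = '\0';
    return 0;
}

/* Choose a login URL from "host|login-url" rules (exact host match is an assumption)
 * and append goto=. Returns rule index, -1 = default used, -2 = bad input/truncation. */
int select_login_url(const char *const *rules, size_t nrules, const char *request_url,
                     const char *default_login, char *out, size_t outlen) {
    char enc[1024];
    const char *login = default_login, *h = strstr(request_url, "://");
    int idx = -1;
    if (!h || pct_encode(request_url, enc, sizeof enc)) return -2;
    size_t hlen = strcspn(h += 3, ":/?#");   /* host ends at port, path or query */
    for (size_t i = 0; i < nrules && idx < 0; i++) {
        const char *bar = strchr(rules[i], '|');
        if (!bar || bar == rules[i] || !bar[1]) return -2;   /* malformed rule */
        if (host_eq(rules[i], (size_t)(bar - rules[i]), h, hlen)) { login = bar + 1; idx = (int)i; }
    }
    int n = snprintf(out, outlen, "%s?goto=%s", login, enc);
    return (n < 0 || (size_t)n >= outlen) ? -2 : idx;
}

int main(void) {   /* demo with the rule and URL strings from the report */
    const char *rules[] = {"riso-ubuntu14.test.forgerock.com|http://conditional.login.test1.com:8080/openam",
                           "riso-ubuntu14alt.test.forgerock.com|http://conditional.login.test2.com:8080/openam"};
    char out[2048];
    int i = select_login_url(rules, 2, "http://riso-ubuntu14alt.test.forgerock.com:80/index.html",
                             "http://perf-openam.internal.forgerock.com:8080/openam", out, sizeof out);
    return printf("rule %d -> %s\n", i, out) < 0;
}
```

A return value of -1 for a host that has a rule corresponds to the behaviour reported for Agent 5: the request falls through to the default AM URL.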
      

              People

              Assignee:
              nick.james Nicholas James
              Reporter:
              richard.hruza Richard Hruza