OpenAM Agents / AMAGENTS-757

agent.logout.url.regex is not working for C Agent 5


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 5.0.0.0
    • Fix Version/s: None
    • Component/s: Web Agents
    • Environment:
      Ubuntu 14 / Apache 2.4 / Version: 5.0.0-SNAPSHOT, Revision: e62147a, Build date: Jul 11 2017 13:47:14

      Description

      com.forgerock.agents.agent.logout.url.regex is not working for C Agent 5.

       

      Steps to Reproduce

      1.) Set up custom properties (Advanced tab) in the agent profile:

      com.forgerock.agents.config.logout.redirect.disable=true
      com.forgerock.agents.agent.logout.url.regex=.*(\/index\.html\?|\/hello\/123\.html\?).*(action=logout)(.*|$)
      

      2.) Create policies:

      *://*:*/*?*
      *://*:*/*
      

      3.) Hit the index page and log in with a user.
      4.) You can see the index page. Add the parameter action=logout and hit the page, e.g.
      http://riso-ubuntu14.test.forgerock.com/index.html?action=logout

      Expected result

      You stay on the index page, because logout.redirect.disable is enabled, and you are logged out.

      • If you hit a different page, you will be redirected to the AM login page.
      • You can check in OpenAM / Sessions that the user's session was deleted.

      Observed Result

      You are not logged out; the session still exists.

      C Agent 5 debug log
      2017-07-12 12:14:59.994 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:249] setup_request_data():
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:271] setup_request_data(): client ip: 172.25.1.224
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:309] setup_request_data(): client hostname: (empty)
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:317] setup_request_data(): original request url: http://riso-ubuntu14.test.forgerock.com/index.html?action=logout
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:397] setup_request_data(): 
      method: GET 
      original url: http://riso-ubuntu14.test.forgerock.com/index.html?action=logout
      proto: http
      host: riso-ubuntu14.test.forgerock.com
      port: 80
      path: /index.html
      query: ?action=logout
      complete: http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout
      overridden: http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout
      pathinfo: 
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:421] validate_url():
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:433] validate_url(): request url validation feature is not enabled
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:442] validate_fqdn_access():
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:445] validate_fqdn_access(): feature is not enabled
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request_auth.c:272] header {"typ":"JWT","alg":"RS256"} (27)
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request_auth.c:282] JWT {"sub":"demo","auditTrackingId":"e41a03e7-9213-4301-b7a2-d0782158f7d3-7834088","iss":"http://perf-openam.internal.forgerock.com:8080/openam/oauth2","tokenName":"id_token","nonce":"c74e65b445201e6d38f9639d035c73e2","aud":"apache24","azp":"apache24","auth_time":1499858077,"forgerock":{"ssotoken":"AQIC5wM2LY4SfcxIJ165txlzoTA44bpX-Tlb3gbDt1Y3HJs.*AAJTSQACMDEAAlNLABM4OTczNDY5ODgyNDg5OTg1NTU0AAJTMQAA*","suid":"tnSPo0yRstERinHtlaHl5rP43yVyXI9mPKkRC19wi6g="},"realm":"/","exp":1499894077,"tokenType":"JWTToken","iat":1499858077}
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request_auth.c:305] token hash tnSPo0yRstERinHtlaHl5rP43yVyXI9mPKkRC19wi6g=
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request_auth.c:314] nonce c74e65b445201e6d38f9639d035c73e2
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:544] handle_not_enforced(): application logout url feature is not enabled
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:684] handle_not_enforced(): not enforced client ip validation feature is not enabled
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:687] handle_not_enforced(): validating http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout
      2017-07-12 12:14:59.995 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:763] handle_not_enforced(): not enforced url validation feature is not enabled
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:808] handle_not_enforced(): extended not enforced url validation feature is not enabled
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:811] handle_not_enforced(): http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout is enforced
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:952] validate_policy(): for http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout (ignoring pathinfo: no), entry status: success
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1004] validate_policy(): session cache key: tnSPo0yRstERinHtlaHl5rP43yVyXI9mPKkRC19wi6g=
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1007] validate_policy(): get session cache status: success
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1216] validate_policy(): trying cache entry for: http://riso-ubuntu14.test.forgerock.com:80/index.html
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1233] validate_policy(): cached entry: http://riso-ubuntu14.test.forgerock.com:80/index.html, resource: http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout, status: no match
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1252] validate_policy(): global policy cache status: success
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1216] validate_policy(): trying cache entry for: http://riso-ubuntu14.test.forgerock.com:80/favicon.ico
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1233] validate_policy(): cached entry: http://riso-ubuntu14.test.forgerock.com:80/favicon.ico, resource: http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout, status: no match
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1252] validate_policy(): global policy cache status: success
      2017-07-12 12:14:59.996 +0100 WARNING [0x7f3e90ba9700:20827] validate_policy(): validate policy did not find a match for 'http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout' in the cached entries, retrying with the new request to the policy service
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:952] validate_policy(): for http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout (ignoring pathinfo: no), entry status: try again
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1004] validate_policy(): session cache key: tnSPo0yRstERinHtlaHl5rP43yVyXI9mPKkRC19wi6g=
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1007] validate_policy(): get session cache status: try again
      2017-07-12 12:14:59.996 +0100   DEBUG [0x7f3e90ba9700:20827][source/utility.c:1551] get_valid_openam_url(): active OpenAM service url: http://perf-openam.internal.forgerock.com:8080/openam (0)
      2017-07-12 12:14:59.997 +0100   DEBUG [0x7f3e90ba9700:20827][source/utility.c:1656] am_timer(): getaddrinfo took 0 seconds
      2017-07-12 12:14:59.998 +0100   DEBUG [0x7f3e90ba9700:20827][source/net.c:78] net_connect(): connected to perf-openam.internal.forgerock.com:8080 (IPv4)
      2017-07-12 12:15:00.010 +0100   DEBUG [0x7f3e90ba9700:20827][source/utility.c:1656] am_timer(): getaddrinfo took 0 seconds
      2017-07-12 12:15:00.011 +0100   DEBUG [0x7f3e90ba9700:20827][source/net.c:78] net_connect(): connected to perf-openam.internal.forgerock.com:8080 (IPv4)
      2017-07-12 12:15:00.018 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1128] validate_policy(): session cache key: tnSPo0yRstERinHtlaHl5rP43yVyXI9mPKkRC19wi6g=, added = 0
      2017-07-12 12:15:00.018 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1216] validate_policy(): trying cache entry for: http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout
      2017-07-12 12:15:00.019 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1233] validate_policy(): cached entry: http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout, resource: http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout, status: exact match
      2017-07-12 12:15:00.019 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1338] validate_policy(): method: GET, decision: allow
      2017-07-12 12:15:00.019 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1987] handle_exit(): (entry status: success)
      2017-07-12 12:15:00.019 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1574] do_cookie_set_generic(): iPlanetDirectoryPro=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.….I-M7KGfwItC-aE5SfMGr2R8aH0k2Jbir3H-t8I7rw1xx1GBY38aOdGC6q5VJ-S-E7VHlZPUssRpfDlsdETF2hJPd3eH7IMdUdPu4tW5nABsha8L8Y3EIzStBmbxyoNV54BtwHVCvQqA-5BTgouhaKEuCmUHhIrHa6DLaY9_5k9e6083G8WghZCc-57RwTPqLpzd0GI606uYwaSOSBMBMzMojkHp4lZgtkdpvS8-2zZ6-kUSd3vfBHWPmKJ7BMCzRRqIlY-qfIb5s3Gqw-aBpe4X8BbdOKo1A7la3sXVqkGW0DEZJ_J_omZG1PixHDQqSSvumyYwRH_kvNhG2jrysQA;Path=/
      2017-07-12 12:15:00.019 +0100   DEBUG [0x7f3e90ba9700:20827][source/request.c:1710] set_user_attributes(): all set user attribute options are set to none
      2017-07-12 12:15:00.019 +0100   DEBUG [0x7f3e90ba9700:20827][source/apache/agent.c:731] amagent_auth_handler(): exit status: success (0)
      

      This issue does not exist for Agent 4; I can see in the logs that logout is handled by the agent:
      match(): 'http://perf-openam2.internal.forgerock.com:80/index.html?action=logout' matches '.*(\/index\.html\?|\/hello\/123\.html\?).*(action=logout)(.*|$)'
      handle_not_enforced(): http://perf-openam2.internal.forgerock.com:80/index.html?action=logout is an application logout url (not enforced)

      See the full logs

      C Agent 4 debug log
      2017-07-12 12:19:12.368 +0100   DEBUG [0x7fcda5ff9700:27958][source/apache/agent.c:579] get_method_num(): method GET (GET, 0)
      2017-07-12 12:19:12.368 +0100   DEBUG [0x7fcda5ff9700:27958][source/apache/agent.c:588] get_method_num(): number corresponds to GET method
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:235] setup_request_data():
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:257] setup_request_data(): client ip: 172.25.1.224
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:295] setup_request_data(): client hostname: (empty)
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:303] setup_request_data(): original request url: http://perf-openam2.internal.forgerock.com/index.html?action=logout
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:320] setup_request_data(): no token in query parameters
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:389] setup_request_data(): 
      method: GET 
      original url: http://perf-openam2.internal.forgerock.com/index.html?action=logout
      proto: http
      host: perf-openam2.internal.forgerock.com
      port: 80
      path: /index.html
      query: ?action=logout
      complete: http://perf-openam2.internal.forgerock.com:80/index.html?action=logout
      overridden: http://perf-openam2.internal.forgerock.com:80/index.html?action=logout
      pathinfo: 
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:404] validate_url():
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:416] validate_url(): request url validation feature is not enabled
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:424] handle_notification():
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:480] validate_fqdn_access():
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:483] validate_fqdn_access(): feature is not enabled
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:908] validate_token():
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/utility.c:1049] get_cookie_value(;): parsing cookie header: amlbcookie=01; iPlanetDirectoryPro="AQIC5wM2LY4Sfcx2Gau5PWNKNfiX0jvcSEoyye5ZJDswxVI.*AAJTSQACMDEAAlNLABQtNDQ2ODI2MjI4OTUzNjQ2ODY5OQACUzEAAA..*"
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/utility.c:1049] get_cookie_value(=): parsing cookie header:  iPlanetDirectoryPro="AQIC5wM2LY4Sfcx2Gau5PWNKNfiX0jvcSEoyye5ZJDswxVI.*AAJTSQACMDEAAlNLABQtNDQ2ODI2MjI4OTUzNjQ2ODY5OQACUzEAAA..*"
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:999] validate_token(): sso token: AQIC5wM2LY4Sfcx2Gau5PWNKNfiX0jvcSEoyye5ZJDswxVI.*AAJTSQACMDEAAlNLABQtNDQ2ODI2MjI4OTUzNjQ2ODY5OQACUzEAAA..*, status: success
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:1006] validate_token(): sso token SI: 01, S1: 
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:552] handle_not_enforced():
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/utility.c:267] match(): 'http://perf-openam2.internal.forgerock.com:80/index.html?action=logout' matches '.*(\/index\.html\?|\/hello\/123\.html\?).*(action=logout)(.*|$)'
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:591] handle_not_enforced(): http://perf-openam2.internal.forgerock.com:80/index.html?action=logout is an application logout url (not enforced)
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/process.c:2056] handle_exit(): (entry status: success)
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/utility.c:1743] get_valid_openam_url(): active OpenAM service url: http://perf-openam.internal.forgerock.com:8080/openam (0)
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcda5ff9700:27958][source/apache/agent.c:931] amagent_auth_handler(): exit status: success (0)
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcd9fbef700:27958][source/utility.c:1848] am_timer(): getaddrinfo took 0 seconds
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcd9fbef700:27958][source/net_client.c:562] sync_connect(): connected to perf-openam.internal.forgerock.com:8080 (IPv4)
      2017-07-12 12:19:12.369 +0100   DEBUG [0x7fcd9fbef700:27958][source/net_ops.c:1235] am_agent_logout(): sending request:
      POST /openam/authservice HTTP/1.1
      Host: perf-openam.internal.forgerock.com:8080
      User-Agent: OpenAM Web Agent/4.1.0
      Accept: text/xml
      Connection: Close
      Content-Type: text/xml; charset=UTF-8
      Content-Length: 359
      
      <?xml version="1.0" encoding="UTF-8"?><RequestSet vers="1.0" svcid="auth" reqid="0"><Request><![CDATA[<?xml version="1.0" encoding="UTF-8"?><AuthContext version="1.0"><Request authIdentifier="AQIC5wM2LY4Sfcx2Gau5PWNKNfiX0jvcSEoyye5ZJDswxVI.*AAJTSQACMDEAAlNLABQtNDQ2ODI2MjI4OTUzNjQ2ODY5OQACUzEAAA..*"><Logout/></Request></AuthContext>]]></Request></RequestSet>
      2017-07-12 12:19:12.371 +0100   DEBUG [0x7fcd9fbef700:27958][source/net_ops.c:1255] am_agent_logout(): response status code: 200
      2017-07-12 12:19:12.373 +0100   DEBUG [0x7fcd95fef700:28061][source/apache/agent.c:579] get_method_num(): method POST (POST, 2)
      2017-07-12 12:19:12.373 +0100   DEBUG [0x7fcd95fef700:28061][source/apache/agent.c:588] get_method_num(): number corresponds to POST method
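
A small triage script for the two debug logs above, added here as an example and not part of the original report or the agent's code: it reads the `handle_not_enforced()` and `am_agent_logout()` lines to tell whether a request that matches the configured logout pattern actually ended the session. The function name `triage_logout`, the result keys and the abridged log excerpts are assumptions of this example, and Python's `re` stands in for the agent's own regex matching.

```python
import re

# Pattern copied from the report. The agent uses its own regex engine;
# Python's `re` is assumed to behave the same for this pattern.
LOGOUT_REGEX = r".*(\/index\.html\?|\/hello\/123\.html\?).*(action=logout)(.*|$)"

# Abridged lines from the two debug logs in the report (timestamps and thread ids dropped).
AGENT5_LOG = """\
[source/request.c:544] handle_not_enforced(): application logout url feature is not enabled
[source/request.c:811] handle_not_enforced(): http://riso-ubuntu14.test.forgerock.com:80/index.html?action=logout is enforced
[source/request.c:1338] validate_policy(): method: GET, decision: allow
"""
AGENT4_LOG = """\
[source/process.c:591] handle_not_enforced(): http://perf-openam2.internal.forgerock.com:80/index.html?action=logout is an application logout url (not enforced)
[source/net_ops.c:1235] am_agent_logout(): sending request:
[source/net_ops.c:1255] am_agent_logout(): response status code: 200
"""

URL_RE = re.compile(r"handle_not_enforced\(\): (\S+) is (enforced|an application logout url)")
STATUS_RE = re.compile(r"am_agent_logout\(\): response status code: (\d+)")


def triage_logout(log_text, pattern=LOGOUT_REGEX):
    """Summarise how one request's logout URL was handled, from agent debug lines."""
    result = {"feature_reported_disabled": False, "url": None, "pattern_matches_url": None,
              "treated_as_logout": False, "logout_status": None}
    for line in log_text.splitlines():
        if "application logout url feature is not enabled" in line:
            result["feature_reported_disabled"] = True
        m = URL_RE.search(line)
        if m:
            result["url"] = m.group(1)
            result["treated_as_logout"] = m.group(2) != "enforced"
            result["pattern_matches_url"] = re.search(pattern, m.group(1)) is not None
        m = STATUS_RE.search(line)
        if m:
            result["logout_status"] = int(m.group(1))
    # Session likely still alive: URL matches the intended pattern but no logout was sent.
    result["session_left_open"] = bool(
        result["pattern_matches_url"] and result["logout_status"] != 200)
    return result


if __name__ == "__main__":
    for name, log in (("Agent 5", AGENT5_LOG), ("Agent 4", AGENT4_LOG)):
        print(name, triage_logout(log))
```

For the Agent 5 excerpt the pattern matches the URL while the agent reports the feature as not enabled, so the result points at the property not being picked up rather than at the regex itself.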
      


            People

            Assignee:
            rich.riley Rich Riley [X] (Inactive)
            Reporter:
            richard.hruza Richard Hruza
            QA Assignee:
            Richard Hruza Richard Hruza