  1. OpenAM
  2. OPENAM-10377

Agent creates unexpired tokens which are not deleted from CTS

    Details

    • Bug
    • Status: Reopened
    • Major
    • Resolution: Unresolved
    • 14.0.0, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1
    • None
    • CTS, session
    • OpenAM 14.0.0-M10 Build 61d330f1bd (2017-January-06 09:26)

      Description

      When the agent communicates with OpenAM, it has to authenticate to AM. After that, an unexpired application session is created in CTS (session property "willExpireFlag":false). The agent has the property com.sun.identity.agents.config.polling.interval = 180 (default value, in minutes), which means that after this time the agent clears its config from the cache and also deletes the application session, so it has to authenticate to AM one more time and a new unexpired application token is created. The old one still persists in CTS. After some time there will be a lot of these tokens.

      Steps to reproduce

      1.) Default installation of AM
      2.) Install WPA, create agent profile, policy
      3.) Set com.sun.identity.agents.config.polling.interval = 1 (this property is not hot-swappable; it can be set in the PA profile and also in agent.conf)
      4.) Login to protected page via agent
      5.) Look in CTS and find an agent application token (my agent profile name = apache24, so coreTokenUserId will be: id=apache24,ou=agent,dc=openam,dc=forgerock,dc=com)
      6.) Wait more than 1 minute, refresh the protected page and check the CTS

      Observed Result:

      The agent authenticates one more time and a new token is created; the old one persists in CTS.

      My logs from the load balancer, where it is possible to see how the agent creates new tokens:

      Jan 12 13:52:43 localhost haproxy[19904]: 172.24.3.66:45239 [12/Jan/2017:13:52:43.409] fe be/perf-openam 0/0/1/10/11 200 712 - - --NR 2/2/0/0/0 0/0 "POST /openam/authservice HTTP/1.1"
      Jan 12 13:52:43 localhost haproxy[19904]: 172.24.3.66:45240 [12/Jan/2017:13:52:43.423] fe be/perf-openam2 0/0/0/45/45 200 2731 - - --NN 2/2/0/0/0 0/0 "POST /openam/authservice HTTP/1.1"
      Jan 12 13:52:43 localhost haproxy[19904]: 172.24.3.66:45242 [12/Jan/2017:13:52:43.469] fe be/perf-openam 0/0/0/6/7 200 10730 - - --NN 2/2/0/0/0 0/0 "GET /openam/identity/xml/read?name=apache24&attributes_names=realm&attributes_values_realm=%2F&attributes_names=objecttype&attributes_values_objecttype=Agent&admin=AQIC5wM2LY4SfcxN0EWYGu4XiuFh-6c-alZe-qgI2y8g_o8.*AAJTSQACMDEAAlNLABM1NDg0NzcyNDMwMjUyMTI5ODcxAAJTMQAA* HTTP/1.1"
      Jan 12 13:52:43 localhost haproxy[19904]: 172.24.3.66:45243 [12/Jan/2017:13:52:43.478] fe be/perf-openam2 0/0/1/15/16 200 2289 - - --NN 2/2/0/0/0 0/0 "POST /openam/sessionservice HTTP/1.1"
      Jan 12 13:52:43 localhost haproxy[19904]: 172.24.3.66:45244 [12/Jan/2017:13:52:43.496] fe be/perf-openam 0/0/0/16/17 200 693 - - --NN 2/2/0/0/0 0/0 "POST /openam/policyservice HTTP/1.1"
      Jan 12 13:52:43 localhost haproxy[19904]: 172.24.3.66:45245 [12/Jan/2017:13:52:43.515] fe be/perf-openam2 0/0/0/13/13 200 2473 - - --NN 2/2/0/0/0 0/0 "POST /openam/sessionservice HTTP/1.1"
      Jan 12 13:52:43 localhost haproxy[19904]: 172.24.3.66:45246 [12/Jan/2017:13:52:43.531] fe be/perf-openam 0/0/0/15/15 200 990 - - --NN 2/2/0/0/0 0/0 "POST /openam/policyservice HTTP/1.1"
      Jan 12 13:55:32 localhost haproxy[19904]: 172.24.3.66:45247 [12/Jan/2017:13:55:32.929] fe be/perf-openam2 0/0/1/9/10 200 712 - - --NR 0/0/0/0/0 0/0 "POST /openam/authservice HTTP/1.1"
      Jan 12 13:55:32 localhost haproxy[19904]: 172.24.3.66:45248 [12/Jan/2017:13:55:32.941] fe be/perf-openam 0/0/0/56/56 200 2751 - - --NN 0/0/0/0/0 0/0 "POST /openam/authservice HTTP/1.1"
      Jan 12 13:55:33 localhost haproxy[19904]: 172.24.3.66:45249 [12/Jan/2017:13:55:33.000] fe be/perf-openam2 0/0/0/13/13 200 10730 - - --NN 0/0/0/0/0 0/0 "GET /openam/identity/xml/read?name=apache24&attributes_names=realm&attributes_values_realm=%2F&attributes_names=objecttype&attributes_values_objecttype=Agent&admin=AQIC5wM2LY4SfcyB8NsQhXYyxB2Q6vjiQuzTZrvXjpsfPSQ.*AAJTSQACMDMAAlNLABQtNDI2OTM3OTc3MzU1ODI2OTg1NAACUzEAAA..* HTTP/1.1"
      Jan 12 13:55:33 localhost haproxy[19904]: 172.24.3.66:45250 [12/Jan/2017:13:55:33.016] fe be/perf-openam 0/0/0/25/25 200 2297 - - --NN 0/0/0/0/0 0/0 "POST /openam/sessionservice HTTP/1.1"
      Jan 12 13:55:33 localhost haproxy[19904]: 172.24.3.66:45251 [12/Jan/2017:13:55:33.044] fe be/perf-openam2 0/0/1/20/21 200 693 - - --NN 0/0/0/0/0 0/0 "POST /openam/policyservice HTTP/1.1"
      Jan 12 13:55:33 localhost haproxy[19904]: 172.24.3.66:45252 [12/Jan/2017:13:55:33.069] fe be/perf-openam 0/0/0/20/20 200 2473 - - --NN 0/0/0/0/0 0/0 "POST /openam/sessionservice HTTP/1.1"
      Jan 12 13:55:33 localhost haproxy[19904]: 172.24.3.66:45253 [12/Jan/2017:13:55:33.092] fe be/perf-openam2 0/0/0/20/20 200 990 - - --NN 0/0/0/0/0 0/0 "POST /openam/policyservice HTTP/1.1"
      Jan 12 13:59:56 localhost haproxy[19904]: 172.24.3.66:45254 [12/Jan/2017:13:59:56.428] fe be/perf-openam 0/0/1/5/6 200 716 - - --NR 0/0/0/0/0 0/0 "POST /openam/authservice HTTP/1.1"
      Jan 12 13:59:56 localhost haproxy[19904]: 172.24.3.66:45255 [12/Jan/2017:13:59:56.436] fe be/perf-openam2 0/0/0/38/38 200 2735 - - --NN 0/0/0/0/0 0/0 "POST /openam/authservice HTTP/1.1"
      Jan 12 13:59:56 localhost haproxy[19904]: 172.24.3.66:45257 [12/Jan/2017:13:59:56.476] fe be/perf-openam 0/0/0/4/5 200 10730 - - --NN 0/0/0/0/0 0/0 "GET /openam/identity/xml/read?name=apache24&attributes_names=realm&attributes_values_realm=%2F&attributes_names=objecttype&attributes_values_objecttype=Agent&admin=AQIC5wM2LY4Sfcyey8CVnOIK54e9JvEAh3xme6puVRLs7_Q.*AAJTSQACMDEAAlNLABM4NTk5MTU1NTY2MzI2NjI5NzAwAAJTMQAA* HTTP/1.1"
      Jan 12 13:59:56 localhost haproxy[19904]: 172.24.3.66:45258 [12/Jan/2017:13:59:56.483] fe be/perf-openam2 0/0/0/18/19 200 2289 - - --NN 0/0/0/0/0 0/0 "POST /openam/sessionservice HTTP/1.1"
      Jan 12 13:59:56 localhost haproxy[19904]: 172.24.3.66:45259 [12/Jan/2017:13:59:56.504] fe be/perf-openam 0/0/1/15/16 200 693 - - --NN 0/0/0/0/0 0/0 "POST /openam/policyservice HTTP/1.1"
      Jan 12 13:59:56 localhost haproxy[19904]: 172.24.3.66:45260 [12/Jan/2017:13:59:56.523] fe be/perf-openam2 0/0/0/13/13 200 2473 - - --NN 0/0/0/0/0 0/0 "POST /openam/sessionservice HTTP/1.1"
      Jan 12 13:59:56 localhost haproxy[19904]: 172.24.3.66:45261 [12/Jan/2017:13:59:56.538] fe be/perf-openam 0/0/0/14/14 200 990 - - --NN 0/0/0/0/0 0/0 "POST /openam/policyservice HTTP/1.1"
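
      An added example, not part of the original report: a Python script that reads load balancer logs in the format above and counts, per agent, how many distinct application tokens appear in the admin= parameter of the agent's identity/xml/read calls, plus the time between new ones. The sample lines, IP address, backend name and token values are constructed placeholders; each distinct token corresponds to one agent authentication, and CTS itself still has to be queried to confirm that the older sessions persist.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the HAProxy format of the report; the IP, backend and
# admin= values are placeholders, not real SSO tokens.
_READ = ("GET /openam/identity/xml/read?name=apache24&attributes_names=realm"
         "&attributes_values_realm=%2F&attributes_names=objecttype"
         "&attributes_values_objecttype=Agent&admin={} HTTP/1.1")
def _line(ts, request):
    return (f'Jan 12 {ts} localhost haproxy[1]: 192.0.2.10:40000 [12/Jan/2017:{ts}.000] '
            f'fe be/am1 0/0/0/5/5 200 700 - - --NN 0/0/0/0/0 0/0 "{request}"')

SAMPLE_LOG = "\n".join([
    _line("13:52:43", "POST /openam/authservice HTTP/1.1"),
    _line("13:52:43", _READ.format("PLACEHOLDER-TOKEN-1")),
    _line("13:55:33", _READ.format("PLACEHOLDER-TOKEN-2")),
    _line("13:56:10", _READ.format("PLACEHOLDER-TOKEN-2")),  # same token reused
    _line("13:59:56", _READ.format("PLACEHOLDER-TOKEN-3")),
])
REQ_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+\] .* "[A-Z]+ (\S+) HTTP/[\d.]+"$')

def agent_tokens(log_text):
    """Map agent name -> {token: first time seen} from identity/xml/read calls."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        url = urlsplit(m.group(2)) if m else None
        if url is None or not url.path.endswith("/identity/xml/read"):
            continue
        query = parse_qs(url.query)
        name, token = query.get("name", [""])[0], query.get("admin", [""])[0]
        if name and token and query.get("attributes_values_objecttype") == ["Agent"]:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            seen[name].setdefault(token, ts)  # keep the first sighting only
    return seen

def reauth_report(log_text):
    """Per agent: number of distinct tokens and seconds between new tokens."""
    report = {}
    for name, tokens in agent_tokens(log_text).items():
        times = sorted(tokens.values())
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[name] = {"distinct_tokens": len(times), "gaps_seconds": gaps}
    return report

if __name__ == "__main__":
    print(reauth_report(SAMPLE_LOG))
```

      A token count that keeps growing at roughly the polling interval, for a single agent profile, matches the behaviour described in this issue.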
      

              People

              Assignee: Unassigned
              Reporter: Richard Hruza (richard.hruza)