  1. OpenAM
  2. OPENAM-10412

If we include a protected property in the whitelist then we cannot modify a non-protected property

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.0.0-M9
    • Fix Version/s: 14.0.0
    • Component/s: None
    • Labels:
      None

      Description

      If I set up a whitelist to include a protected property and a non-protected property, and I attempt to modify a non-protected property using a REST request, then I get a 403 failure.

      Setup
      _____

      Set Configure - Global Services - Session Property Whitelist Service to include "asdf" and "AuthLevel"

      Test Recreation Steps
      _____________________
      1) Create an admin session
      2) Create a user session
      3) Attempt to modify the asdf property

      Actual Behaviour
      ________________

      REQUEST

      POST http://ed-am1.test.forgerock.com:18081/openam/json/sessions/?_action=updateSessionProperties&tokenId=AQIC5wM2LY4SfcySO88CGkbRVSiDSFfd2p_MnHjUNTERWiE.*AAJTSQACMDIAAlNLABQtNDgxMjE0OTc2NDEzNjc4MzUzNwACUzEAAjAx* HTTP/1.1
      Accept-Encoding: gzip,deflate
      Content-Type: application/json
      IPlanetDirectoryPro: AQIC5wM2LY4Sfcwlg0BVaVBJeeIxfIG0g_gGVuyCMdcQHbM.AAJTSQACMDIAAlNLABQtMzM4NjI3NzcyMjgyODgxOTY0MQACUzEAAjAx
      Content-Length: 15
      Host: ed-am1.test.forgerock.com:18081
      Connection: Keep-Alive
      User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

      {"asdf":"1"}

      RESPONSE

      { "code": 403, "reason": "Forbidden", "message": "Forbidden" }

      EXPECTED RESPONSE

      {"asdf": "1"}

      The expected response can be seen if we modify the whitelist so that it only includes "asdf".

            People

            Assignee:
            david.luna@forgerock.com David Luna
            Reporter:
            edward.barker edwardb
            QA Assignee:
              edwardb edwardb
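
The behaviour this report expects, written as a decision function with a regression matrix (an added example, not OpenAM code and not part of the original report). It assumes `AuthLevel` is the only protected property and that a request naming a protected or non-whitelisted property is still refused; `update_session_properties` and `regression_matrix` are hypothetical names.

```python
# Added illustration: a model of the expected decision, not OpenAM source code.
from http import HTTPStatus

# Assumption: AuthLevel is the protected property named in the report; the
# real protected set is defined by OpenAM, not by this sketch.
PROTECTED = frozenset({"AuthLevel"})

FORBIDDEN_BODY = {"code": 403, "reason": "Forbidden", "message": "Forbidden"}


def update_session_properties(session, whitelist, requested):
    """Return (status, body) for an updateSessionProperties-style request.

    The decision depends only on the property names in the request body,
    never on what else the whitelist happens to contain.
    """
    for name in requested:
        # Not whitelisted, or protected: the client may not set it.
        if name not in whitelist or name in PROTECTED:
            return HTTPStatus.FORBIDDEN, dict(FORBIDDEN_BODY)
    # All-or-nothing: the session changes only if every name passed.
    session.update(requested)
    return HTTPStatus.OK, dict(requested)


def regression_matrix():
    """Two cases from the ticket plus three constructed negative cases."""
    cases = [
        # (whitelist, request body, expected status)
        ({"asdf", "AuthLevel"}, {"asdf": "1"}, 200),       # reported scenario
        ({"asdf"}, {"asdf": "1"}, 200),                    # whitelist with only "asdf"
        ({"asdf", "AuthLevel"}, {"AuthLevel": "5"}, 403),  # constructed
        ({"asdf", "AuthLevel"}, {"asdf": "1", "AuthLevel": "5"}, 403),  # constructed
        ({"AuthLevel"}, {"asdf": "1"}, 403),               # constructed: not whitelisted
    ]
    results = []
    for whitelist, body, expected in cases:
        session = {"AuthLevel": "0"}  # constructed session state
        status, _ = update_session_properties(session, whitelist, body)
        results.append((int(status), expected, session))
    return results
```

The fourth case checks that a mixed request is refused as a whole, so a permitted property cannot be used to carry a partial update through.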