OpenAM / OPENAM-10587

Policy agent is not able to read a profile in AM using realm alias

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: j2ee agents, web agents
    • Labels:
    • Environment:
      OpenAM 14.0.0-M17 Build 880e2334bb (2017-February-05 21:01)
      WPA 4.1.0 for Apache 2.4 Linux 64bit

      Description

      Policy agent is not able to read a profile in AM using realm alias

      Steps to reproduce

      1.) Install AM and create new realms, in my case /r1 and /r1/r2
      2.) Set the realm's alias: /r1/r2 = a2
      3.) Create an agent profile in AM for the /r1/r2 realm, apache24-sub
      4.) Install the policy agent and, during installation, use the realm alias (a2) for the realm
      5.) Hit the protected page

      Observed result

      Policy agent cannot read the agent profile. Error message:
      Permission to perform the read operation denied to id=apache24-sub,ou=agent,o=r2,o=r1,ou=services,dc=openam,dc=forgerock,dc=org

      ##################################
      T 10.1.4.66:33870 -> 172.24.3.65:8080 [AP]
        POST /openam/authservice HTTP/1.1..Host: riso-centos7.test.forgerock.com:999..User-Agent: OpenAM Web Agent/4.1.0..Accept: text/xml..Connection: Close..Content-Type: text/xml; charset=UTF-8..Content-Length: 275....<?xml version="1.0" encoding="UTF-8"?><RequestSet vers="1.0" svcid="auth" reqid="0"><Request><![CDATA[<?xml version="1.0" encoding="UTF-8"?><AuthContext version="1.0"><Request authIdentifier="0"><NewAuthContext orgName="a2"/></Request></AuthContext>]]></Request></RequestSet>
      ##
      T 172.24.3.65:8080 -> 10.1.4.66:33870 [AP]
        HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..X-Frame-Options: SAMEORIGIN..Set-Cookie: JSESSIONID=00315D12AB8DC6E586E557E616EA03CC; Path=/openam/; HttpOnly..Set-Cookie: amlbcookie=01; Domain=forgerock.com; Path=/..Content-Length: 425..Date: Thu, 09 Feb 2017 14:36:43 GMT..Connection: close....<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<ResponseSet vers="1.0" svcid="auth" reqid="0">.<Response><![CDATA[<?xml version="1.0" encoding="UTF-8"?>.<AuthContext version="1.0"><Response authIdentifier="AQIC5wM2LY4Sfcxw5wuu-0ZHffwTfm1BVF7i69rQHLj5Shk.*AAJTSQACMDIAAlNLABMxNzc0MDExMDYxMTk5OTEyMjI3AAJTMQACMDE.*"><LoginStatus status="in_progress"></LoginStatus></Response></AuthContext>]]></Response>.</ResponseSet>
      #######
      T 10.1.4.66:33871 -> 172.24.3.65:8080 [AP]
        POST /openam/authservice HTTP/1.1..Host: riso-centos7.test.forgerock.com:999..User-Agent: OpenAM Web Agent/4.1.0..Accept: text/xml..Connection: Close..Content-Type: text/xml; charset=UTF-8..Content-Length: 1006....<?xml version="1.0" encoding="UTF-8"?><RequestSet vers="1.0" svcid="auth" reqid="0"><Request><![CDATA[<?xml version="1.0" encoding="UTF-8"?><AuthContext version="1.0"><Request authIdentifier="AQIC5wM2LY4Sfcxw5wuu-0ZHffwTfm1BVF7i69rQHLj5Shk.*AAJTSQACMDIAAlNLABMxNzc0MDExMDYxMTk5OTEyMjI3AAJTMQACMDE.*"><Login><IndexTypeNamePair indexType="moduleInstance"><IndexName>Application</IndexName></IndexTypeNamePair></Login></Request></AuthContext>]]></Request><Request><![CDATA[<?xml version="1.0" encoding="UTF-8"?><AuthContext version="1.0"><Request authIdentifier="AQIC5wM2LY4Sfcxw5wuu-0ZHffwTfm1BVF7i69rQHLj5Shk.*AAJTSQACMDIAAlNLABMxNzc0MDExMDYxMTk5OTEyMjI3AAJTMQACMDE.*"><SubmitRequirements><Callbacks length="2"><NameCallback><Prompt>Enter application name.</Prompt><Value>apache24-sub</Value></NameCallback><PasswordCallback echoPassword="true"><Prompt>Enter secret string.</Prompt><Value>password</Value></PasswordCallback></Callbacks></SubmitRequirements></Request></AuthContext>]]></Request></RequestSet>
      ##
      T 172.24.3.65:8080 -> 10.1.4.66:33871 [A]
        HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..X-Frame-Options: SAMEORIGIN..Set-Cookie: JSESSIONID=37877A9559A7F0037EEE13455697B14A; Path=/openam/; HttpOnly..Content-Length: 2502..Date: Thu, 09 Feb 2017 14:36:43 GMT..Connection: close....<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<ResponseSet vers="1.0" svcid="auth" reqid="0">.<Response><![CDATA[<?xml version="1.0" encoding="UTF-8"?>.<AuthContext version="1.0"><Response authIdentifier="AQIC5wM2LY4Sfcxw5wuu-0ZHffwTfm1BVF7i69rQHLj5Shk.*AAJTSQACMDIAAlNLABMxNzc0MDExMDYxMTk5OTEyMjI3AAJTMQACMDE.*"><GetRequirements><Callbacks length="2"><NameCallback><Prompt>Enter application name.</Prompt></NameCallback><PasswordCallback echoPassword="true"><Prompt>Enter secret string.</Prompt></PasswordCallback></Callbacks></GetRequirements></Response></AuthContext>]]></Response>.<Response><![CDATA[<?xml version="1.0" encoding="UTF-8"?>.<AuthContext version="1.0"><Response authIdentifier="AQIC5wM2LY4Sfcw-A546UhI0A85TXByJaJo4IGWswfhsoL4.*AAJTSQACMDIAAlNLABQtMjM4OTIzODczMjk3MDgyNTUzMwACUzEAAjAx*"><LoginStatus status="success" ssoToken="AQIC5wM2LY4Sfcw-A546UhI0A85TXByJaJo4IGWswfhsoL4.*AAJTSQACMDIAAlNLABQtMjM4OTIzODczMjk3MDgyNTUzMwACUzEAAjAx*" successURL="/openam/console"><Subject>[long base64-encoded Subject value omitted; it continues in the next packet]
      #
      T 172.24.3.65:8080 -> 10.1.4.66:33871 [AP]
        [remainder of the base64-encoded Subject value omitted]</Subject></LoginStatus></Response></AuthContext>]]></Response>.</ResponseSet>
      ########
      T 10.1.4.66:33872 -> 172.24.3.65:8080 [AP]
        GET /openam/identity/xml/read?name=apache24-sub&attributes_names=realm&attributes_values_realm=a2&attributes_names=objecttype&attributes_values_objecttype=Agent&admin=AQIC5wM2LY4Sfcw-A546UhI0A85TXByJaJo4IGWswfhsoL4.*AAJTSQACMDIAAlNLABQtMjM4OTIzODczMjk3MDgyNTUzMwACUzEAAjAx* HTTP/1.1..Host: riso-centos7.test.forgerock.com:999..User-Agent: OpenAM Web Agent/4.1.0..Accept: text/xml..Connection: Close....
      ##
      T 172.24.3.65:8080 -> 10.1.4.66:33872 [AP]
        HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..X-Frame-Options: SAMEORIGIN..Cache-Control: no-store, no-cache, must-revalidate, max-age=0..Pragma: no-cache..Content-Type: text/xml;charset=UTF-8..Transfer-Encoding: chunked..Date: Thu, 09 Feb 2017 14:36:43 GMT..Connection: close....e8..<?xml version='1.0' encoding='UTF-8'?><exception name="com.sun.identity.idsvcs.AccessDenied" message="Permission to perform the read operation denied to id=apache24-sub,ou=agent,o=r2,o=r1,ou=services,dc=openam,dc=forgerock,dc=org"/>..
      #
      T 172.24.3.65:8080 -> 10.1.4.66:33872 [AP]
        0....

      The endpoint /openam/identity/xml/read is not able to handle realm aliases. I tried this request with curl, changing the realm alias "a2" to the realm name /r1/r2, and I got the expected result. See example:

      curl -X GET "riso-centos7.test.forgerock.com:999/openam/identity/xml/read?name=apache24-sub&attributes_names=realm&attributes_values_realm=/r1/r2&attributes_names=objecttype&attributes_values_objecttype=Agent&admin=AQIC5wM2LY4SfcxsSd_ijqQa7kWTN56tv-gpcNmtGDlHeyk.*AAJTSQACMDIAAlNLABMxMDM0Mjc3MzgyNTQ4NzU3OTI1AAJTMQACMDE.*"
      
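      The alias-versus-path comparison above, as an added regression check (example code, not the agent's or OpenAM's own): it builds the same identity/xml/read query the agent sends, reads the profile once with the alias and once with the full realm path, and flags the issue when only the alias form is answered with AccessDenied. The base URL, admin token and the shape of a successful response are placeholders; this report shows only the failure document.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

READ_PATH = "/openam/identity/xml/read"
ACCESS_DENIED = "com.sun.identity.idsvcs.AccessDenied"  # exception name from the capture


def build_read_url(base_url, agent_name, realm, admin_token):
    # Same query the web agent sends: the realm (alias or full path) travels in
    # the attributes_names=realm / attributes_values_realm pair.
    query = [("name", agent_name), ("attributes_names", "realm"),
             ("attributes_values_realm", realm), ("attributes_names", "objecttype"),
             ("attributes_values_objecttype", "Agent"), ("admin", admin_token)]
    return base_url.rstrip("/") + READ_PATH + "?" + urllib.parse.urlencode(query)


def classify_read_response(body):
    # OpenAM reports a failed read as <exception name="..." message="..."/>;
    # any other root element is treated here as a successful profile read.
    root = ET.fromstring(body)
    if root.tag == "exception":
        return ("error", root.get("name", ""), root.get("message", ""))
    return ("ok", root.tag, "")


def fetch(url):
    # Real transport (urllib handles the chunked encoding seen in the capture).
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def alias_read_is_broken(base_url, agent_name, alias, full_realm, admin_token, fetch=fetch):
    # True when the same profile is readable by full realm path but denied by
    # alias, which is exactly the symptom reported in this issue.
    by_alias = classify_read_response(fetch(build_read_url(base_url, agent_name, alias, admin_token)))
    by_path = classify_read_response(fetch(build_read_url(base_url, agent_name, full_realm, admin_token)))
    return by_path[0] == "ok" and by_alias[:2] == ("error", ACCESS_DENIED)


if __name__ == "__main__":
    # Placeholders: point these at your own test instance and an admin SSO token.
    print(alias_read_is_broken("http://openam.example.test:8080", "apache24-sub",
                               "a2", "/r1/r2", "ADMIN_TOKEN_PLACEHOLDER"))
```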

      OpenAM CoreSystem debug log

      amIdentityServices:02/09/2017 12:02:42:583 PM GMT: Thread[http-bio-8080-exec-9,5,main]: TransactionId[179814a5-513c-433a-8647-61f33dd16e35-2202]
      ERROR: IdentityServicesImpl:read
      Message:Permission to perform the read operation denied to id=apache24-sub,ou=agent,o=r2,o=r1,ou=services,dc=openam,dc=forgerock,dc=org
      
              at com.sun.identity.idm.server.IdServicesImpl.checkPermission(IdServicesImpl.java:2742)
              at com.sun.identity.idm.server.IdServicesImpl.getAttributes(IdServicesImpl.java:738)
              at com.sun.identity.idm.server.IdCachedServicesImpl.getAttributes(IdCachedServicesImpl.java:478)
              at com.sun.identity.idm.AMIdentity.getAttributes(AMIdentity.java:329)
              at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.convertToIdentityDetails(IdentityServicesImpl.java:1300)
              at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.read(IdentityServicesImpl.java:767)
              at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.read(IdentityServicesImpl.java:708)
              at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.read(IdentityServicesImpl.java:704)
              at sun.reflect.GeneratedMethodAccessor112.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at com.sun.identity.idsvcs.rest.IdentityServicesHandler$SecurityMethod.invoke(IdentityServicesHandler.java:744)
              at com.sun.identity.idsvcs.rest.IdentityServicesHandler$SecurityMethod.execute(IdentityServicesHandler.java:636)
              at com.sun.identity.idsvcs.rest.IdentityServicesHandler.service(IdentityServicesHandler.java:130)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:88)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
              at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
              at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
              at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      

      Workaround

      Use the full realm name instead of the realm alias.

        People

            • Assignee: Unassigned
            • Reporter: Richard Hruza (richard.hruza)