OPENAM-10931

IdentitySubject not adding isMember() result to cache after entry has changed.

    Details

    • Sprint:
      AM Sustaining Sprint 36, AM Sustaining Sprint 37
    • Story Points:
      3

      Description

      1. Install OpenAM.
      2. Click [Subjects] -> [User] -> create "testuser01".
      3. Click [Subjects] -> [Group] -> create "testgroup01" and "testgroup02".
      4. Assign "testuser01" to "testgroup01".
      5. Click [Authorization] -> [Policy Sets] -> click "+ Add a Policy".
      6. Create a new policy "Test Policy00" with "Resource Type: URL".
      7. Edit "Test Policy00" and "Save Changes":
      Actions: GET, POST = allow
      Subjects: "Type: Users & Groups" and "Group Subjects: testgroup01"
      8. Get amadmin's and testuser01's session IDs (run the command once per user):

      curl --request POST --header "X-OpenAM-Username: testuser01" --header "X-OpenAM-Password: cangetin" --header "Content-Type: application/json" --data "{}" "http://openam.example.com:18080/openam/json/authenticate"
      (repeat with "X-OpenAM-Username: amadmin"; the tokenId in each response is the session ID)
      

      9. Put testuser01's subject evaluation result into the cache:

      curl --request POST \
      --header "Content-Type: application/json" \
      --header "iPlanetDirectoryPro: AQIC...* (amadmin session ID)" \
      --data '{
          "resources": [
              "http://openam.example.com:38080/helloworld/index.html"
          ],
          "application": "iPlanetAMWebAgentService",
          "subject": { "ssoToken": "AQIC...* (testuser01 session ID)" }
      }' \
      "http://openam.example.com:18080/opensso/json/policies?_action=evaluate"
      

      10. Click [Subjects] -> [Group] -> edit "testgroup02" and add a member.
      This triggers SubjectEvaluationCache to be cleared:

      Daemon Thread [Grizzly-worker(15)] (Suspended (breakpoint at line 1103 in DelegationPolicyImpl))
          owns: LdapConnectionFactory$ConnectionImpl$3  (id=11497)
          DelegationPolicyImpl.identityChanged(String) line: 1103
          IdRepoListener.objectChanged(String, IdType, int, Map) line: 185
          DJLDAPv3PersistentSearch$PSearchResultEntryHandler.handle(SearchResultEntry, String, Dn, PersistentSearchChangeType) line: 129
      

      11. Run the curl command from step 9 twice. You will see that the cache is not used, no matter how many times you try, until the session token is destroyed:

      amPolicy:03/16/2017 03:27:20:447 PM EDT: Thread[http-apr-8443-exec-42,5,main]: TransactionId[3abf16c5-0863-4485-8fd2-567161a5b948-786]
      IdentitySubject:isMember():entry for id=testgroup01,ou=group,dc=openam,dc=forgerock,dc=com not in subject evaluation cache, so compute using IDRepo api
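The reproduction steps 8, 9 and 11 above, wrapped as a POSIX shell script with an offline check of the amPolicy debug output. This is an added example for this ticket, not code from the ticket or from OpenAM. It assumes the deployment URI /openam at the port used in step 8, the path of the amPolicy debug file, the password cangetin from step 8, and that the REST authenticate response carries the session ID in the tokenId field; the sample log lines at the end are constructed in the format quoted in step 11.

```shell
#!/bin/sh
# Added example for OPENAM-10931; not part of the ticket or of OpenAM.
# Wraps reproduction steps 8, 9 and 11 as functions and checks the amPolicy
# debug log for the "not in subject evaluation cache" line.
# Assumed: the OpenAM base URL, the amPolicy debug file path and the
# password "cangetin" used in the ticket.
OPENAM_URL="${OPENAM_URL:-http://openam.example.com:18080/openam}"
RESOURCE="${RESOURCE:-http://openam.example.com:38080/helloworld/index.html}"
AMPOLICY_LOG="${AMPOLICY_LOG:-/tmp/openam/debug/amPolicy}"   # assumed path
GROUP_DN="id=testgroup01,ou=group,dc=openam,dc=forgerock,dc=com"

# Step 8: authenticate one user over REST and print the tokenId (session ID).
# The authenticate endpoint answers {"tokenId":"AQIC...","successUrl":"..."}.
authenticate() {
  curl -s --request POST \
    --header "X-OpenAM-Username: $1" \
    --header "X-OpenAM-Password: $2" \
    --header "Content-Type: application/json" \
    --data '{}' "$OPENAM_URL/json/authenticate" |
    sed -n 's/.*"tokenId":"\([^"]*\)".*/\1/p'
}

# Step 9: evaluate the policy for the subject's session, authenticated as amadmin.
evaluate() {
  admin_token="$1"; subject_token="$2"
  curl -s --request POST \
    --header "Content-Type: application/json" \
    --header "iPlanetDirectoryPro: $admin_token" \
    --data "{\"resources\":[\"$RESOURCE\"],\"application\":\"iPlanetAMWebAgentService\",\"subject\":{\"ssoToken\":\"$subject_token\"}}" \
    "$OPENAM_URL/json/policies?_action=evaluate"
}

# Step 11 check: how many times isMember() logged a cache miss for the group DN.
# One miss is normal; a miss on every later evaluation is the reported bug.
count_cache_misses() {
  grep -cF -- "IdentitySubject:isMember():entry for $2 not in subject evaluation cache" "$1" || true
}

# Verdict for N evaluations of the same session token: the cache is broken
# when every evaluation after the first still misses.
cache_verdict() {
  misses=$(count_cache_misses "$1" "$2")
  if [ "$3" -gt 1 ] && [ "$misses" -ge "$3" ]; then
    echo "BUG: $misses cache misses for $3 evaluations, cache never repopulated"
  else
    echo "OK: $misses cache miss(es) for $3 evaluations"
  fi
}

# Live run (needs a reachable OpenAM and the two accounts from the ticket):
# authenticate, evaluate three times, then read the verdict from the debug log.
repro() {
  admin=$(authenticate amadmin cangetin)
  user=$(authenticate testuser01 cangetin)
  for _ in 1 2 3; do evaluate "$admin" "$user" >/dev/null; done
  cache_verdict "$AMPOLICY_LOG" "$GROUP_DN" 3
}

# Constructed sample of the amPolicy debug output after three evaluations,
# in the format quoted in step 11, so the check can be exercised offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/amPolicy.sample.$$"
cat >"$SAMPLE_LOG" <<'EOF'
amPolicy:03/16/2017 03:27:20:447 PM EDT: Thread[http-apr-8443-exec-42,5,main]: TransactionId[constructed-1]
IdentitySubject:isMember():entry for id=testgroup01,ou=group,dc=openam,dc=forgerock,dc=com not in subject evaluation cache, so compute using IDRepo api
amPolicy:03/16/2017 03:27:31:102 PM EDT: Thread[http-apr-8443-exec-43,5,main]: TransactionId[constructed-2]
IdentitySubject:isMember():entry for id=testgroup01,ou=group,dc=openam,dc=forgerock,dc=com not in subject evaluation cache, so compute using IDRepo api
amPolicy:03/16/2017 03:27:40:518 PM EDT: Thread[http-apr-8443-exec-44,5,main]: TransactionId[constructed-3]
IdentitySubject:isMember():entry for id=testgroup01,ou=group,dc=openam,dc=forgerock,dc=com not in subject evaluation cache, so compute using IDRepo api
EOF

cache_verdict "$SAMPLE_LOG" "$GROUP_DN" 3
```

Against a live instance, call repro after step 10 (the group edit that clears the cache); on the sample log the script reports BUG, because all three evaluations missed the cache for the same token.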
      

        People

        • Assignee: Unassigned
        • Reporter: Sachiko Wallace
        • Votes: 0
        • Watchers: 9