OPENAM-10997: "Authentication by Module Instance" will fail in cluster

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0
    • Fix Version/s: 13.5.2
    • Component/s: policy
    • Sprint:
      AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39
    • Story Points:
      3

      Description

      1. Create a policy with an "Authentication by Module Instance" environment condition:
      Type: "Authentication by Module Instance"
      Authentication Scheme: LDAP
      Application Idle Timeout Scheme: 30
      Application Name: "iPlanetAMWebAgentService"
      2. User authenticates on one server (AM#1).
      3. User accesses a protected site.
      4. Policy Agent redirects the user to the login page.
      5. User goes through session upgrade on another server (AM#2).
      6. Policy Agent sends a <PolicyRequest> to that server (AM#2).
      7. Policy evaluation fails.

      Because the user session's home server is AM#1, the AuthSchemeCondition.setTokenProperty() call is routed from AM#2 to AM#1 as a remote <SessionRequest>, and because "am.protected.policy.AppIdleTimesoutAt" is a protected property, AM#1 refuses to set it ("No privilege to perform this operation"), so the condition evaluation fails:

      Entitlement:03/31/2017 11:50:57:914 AM EDT: Thread[http-nio-8080-exec-53,5,main]: TransactionId[0d505da0-9089-4ecd-8f6b-b0b70fb0e936-920]
      ERROR: OpenSSOPrivilege.evaluate
      com.sun.identity.entitlement.EntitlementException: Condition evaluation fails.
              at org.forgerock.openam.entitlement.conditions.environment.AuthSchemeCondition.setTokenProperty(AuthSchemeCondition.java:272)
              at org.forgerock.openam.entitlement.conditions.environment.AuthSchemeCondition.evaluate(AuthSchemeCondition.java:237)
              at org.forgerock.openam.entitlement.CachingEntitlementCondition.evaluate(CachingEntitlementCondition.java:119)
              at com.sun.identity.entitlement.Privilege.doesConditionMatch(Privilege.java:695)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.internalEvaluate(OpenSSOPrivilege.java:150)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.access$000(OpenSSOPrivilege.java:63)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:105)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:99)
              at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:81)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.evaluate(OpenSSOPrivilege.java:98)
      Caused by: com.iplanet.sso.SSOException: AQIC5...* No privilege to perform this operation.
              at com.iplanet.sso.providers.dpro.SSOTokenImpl.setProperty(SSOTokenImpl.java:363)
              at org.forgerock.openam.entitlement.conditions.environment.AuthSchemeCondition.setTokenProperty(AuthSchemeCondition.java:270)
              ... 51 more
      Caused by: com.iplanet.dpro.session.SessionException: AQIC5...* No privilege to perform this operation.
              at com.iplanet.dpro.session.Session.setProperty(Session.java:752)
              at com.iplanet.sso.providers.dpro.SSOTokenImpl.setProperty(SSOTokenImpl.java:359)
              ... 52 more
      Caused by: com.iplanet.dpro.session.SessionException: AQIC5...* No privilege to perform this operation.
              at com.iplanet.dpro.session.Requests.getSessionResponseWithRetry(Requests.java:132)
              at com.iplanet.dpro.session.Requests.sendRequestWithRetry(Requests.java:72)
              at com.iplanet.dpro.session.operations.strategies.RemoteOperations.setProperty(RemoteOperations.java:163)
              at com.iplanet.dpro.session.operations.strategies.CTSOperations.setProperty(CTSOperations.java:159)
              at com.iplanet.dpro.session.monitoring.MonitoredOperations.setProperty(MonitoredOperations.java:90)
              at com.iplanet.dpro.session.Session.setProperty(Session.java:749)
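
      To make the cluster-only nature of the failure concrete, the following is an illustrative Python model added to this page; it is not OpenAM code and does not reproduce OpenAM's session API. The routing rule (writes from a non-home server are forwarded to the home server carrying the user's own token), the "am.protected." prefix check and the admin exemption are modelled assumptions; only the property name and the error text are taken from the report and stack trace above. The session IDs are constructed sample values.

```python
"""Illustrative model of OPENAM-10997 (added example, not OpenAM code).

Modelled assumptions:
  * every session has one home server; a property write issued on any other
    cluster member is forwarded to the home server as a remote SetProperty
    request authenticated with the end user's own session token;
  * a write handled on the home server for an internal, server-side caller
    carries no client token and is not subject to the privilege check;
  * names beginning with "am.protected." may only be set by an internal
    caller or by an admin token.
"""
from dataclasses import dataclass, field

PROTECTED_PREFIX = "am.protected."
APP_IDLE_TIMESOUT_AT = "am.protected.policy.AppIdleTimesoutAt"  # spelled as in the report


class SessionException(Exception):
    """Stands in for com.iplanet.dpro.session.SessionException."""


@dataclass
class Session:
    sid: str                  # session token (constructed sample values below)
    home: str                 # name of the server that owns the session
    is_admin: bool = False
    properties: dict = field(default_factory=dict)


class Cluster:
    """Shared session store (the role CTS plays) plus the member servers."""

    def __init__(self):
        self.sessions = {}
        self.servers = {}

    def add_server(self, name):
        server = Server(name, self)
        self.servers[name] = server
        return server


class Server:
    def __init__(self, name, cluster):
        self.name = name
        self.cluster = cluster

    def login(self, sid, is_admin=False):
        """Authenticate a user here; this server becomes the session's home."""
        session = Session(sid=sid, home=self.name, is_admin=is_admin)
        self.cluster.sessions[sid] = session
        return session

    def set_property(self, sid, name, value):
        """Entry point used by policy evaluation running on this server."""
        session = self.cluster.sessions[sid]
        if session.home == self.name:
            # Local path: internal server-side caller, no client token attached.
            return self._handle_set(None, session, name, value)
        # Remote path: forward to the home server; the requester identity is
        # the user's own session token, which is not an admin.
        home = self.cluster.servers[session.home]
        return home._handle_set(session, session, name, value)

    def _handle_set(self, requester, session, name, value):
        """Privilege check applied by the server that owns the session."""
        if (name.startswith(PROTECTED_PREFIX)
                and requester is not None and not requester.is_admin):
            raise SessionException(
                f"{session.sid[:5]}...* No privilege to perform this operation.")
        session.properties[name] = value
        return True


def evaluate_auth_scheme_condition(server, sid, timesout_at):
    """Mimics the condition's evaluate(): it records when the application will
    idle out by writing a protected property on the user's session.
    Returns (satisfied, error_message)."""
    try:
        server.set_property(sid, APP_IDLE_TIMESOUT_AT, timesout_at)
        return True, None
    except SessionException as e:
        return False, f"Condition evaluation fails: {e}"


def reproduce():
    """Replays steps 2-7 of the report; returns the three outcomes."""
    cluster = Cluster()
    am1 = cluster.add_server("AM#1")
    am2 = cluster.add_server("AM#2")
    sid = "AQIC5wM2EXAMPLEtokenNotReal"          # constructed, not a real token
    am1.login(sid)                                  # step 2: authenticated on AM#1
    on_home = evaluate_auth_scheme_condition(am1, sid, "1490975457914")
    on_other = evaluate_auth_scheme_condition(am2, sid, "1490975457914")  # steps 5-7
    plain = am2.set_property(sid, "myapp.lastUrl", "/protected")  # unprotected name forwards fine
    return on_home, on_other, plain


if __name__ == "__main__":
    print(reproduce())
```

      The same evaluation succeeds on AM#1 and fails on AM#2 purely because of where the session lives, which is why a single-server deployment never shows the problem; an unprotected property written through the same remote path is accepted, so the forwarding itself is not at fault, only the privilege check applied to the user's token for an "am.protected." name.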
      

            People

            • Assignee: Sachiko Wallace (sachiko)
            • Reporter: Sachiko Wallace (sachiko)
            • Votes: 1
            • Watchers: 6
