OpenAM / OPENAM-11005

SAMLv2 SSO with persistent mapping and stateless sessions fails with NPE

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Cannot Reproduce
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: SAML
    • Labels:

      Description

      IdP-initiated SSO with persistent mapping fails with an internal server error after logging in to the SP when stateless sessions are used. The following exception can be observed in the Federation log on the SP:

      libSAML2:04/04/2017 11:12:32:828 AM BST: Thread[http-nio-8080-exec-8,5,main]: TransactionId[871fa826-26c5-4c48-974b-b95884c74d9b-6358]
      ERROR: spAssertionConsumer.jsp: SSO failed.
      com.sun.identity.saml2.common.SAML2Exception: java.lang.NullPointerException
              at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1238)
              at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:337)
              at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
              at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443)
              at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
              at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
              at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
              at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
              at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
              at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
              at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
              at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
              at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783)
              at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
              at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:789)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
              at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      Caused by: com.sun.identity.plugin.session.SessionException: java.lang.NullPointerException
              at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:217)
              at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1217)
              ... 41 more
      Caused by: com.sun.identity.authentication.spi.AuthLoginException: java.lang.NullPointerException
              at com.sun.identity.authentication.AuthContext.login(AuthContext.java:619)
              at com.sun.identity.authentication.AuthContext.login(AuthContext.java:586)
              at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:215)
              ... 42 more
      Caused by: com.iplanet.dpro.session.SessionException: java.lang.NullPointerException
              at org.forgerock.openam.session.cts.CtsSessionProvider.getSession(CtsSessionProvider.java:74)
              at com.sun.identity.authentication.AuthContext.login(AuthContext.java:617)
              ... 44 more
      Caused by: java.lang.NullPointerException
              at org.forgerock.guava.common.base.Preconditions.checkNotNull(Preconditions.java:210)
              at org.forgerock.guava.common.cache.LocalCache.get(LocalCache.java:3936)
              at org.forgerock.guava.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4739)
              at org.forgerock.openam.session.service.access.persistence.caching.InMemoryInternalSessionCacheStep.getFromCacheOrFind(InMemoryInternalSessionCacheStep.java:176)
              at org.forgerock.openam.session.service.access.persistence.caching.InMemoryInternalSessionCacheStep.getBySessionID(InMemoryInternalSessionCacheStep.java:85)
              at org.forgerock.openam.session.service.access.persistence.InternalSessionStoreChain$ChainIterator.getBySessionID(InternalSessionStoreChain.java:52)
              at org.forgerock.openam.session.service.access.persistence.TimeOutSessionFilterStep.getBySessionID(TimeOutSessionFilterStep.java:26)
              at org.forgerock.openam.session.service.access.persistence.InternalSessionStoreChain$ChainIterator.getBySessionID(InternalSessionStoreChain.java:52)
              at org.forgerock.openam.session.service.access.persistence.InternalSessionStoreChain.getBySessionID(InternalSessionStoreChain.java:32)
              at org.forgerock.openam.session.service.SessionAccessManager.getInternalSession(SessionAccessManager.java:84)
              at org.forgerock.openam.session.cts.InternalSessionWrapper.getSession(InternalSessionWrapper.java:319)
              at org.forgerock.openam.session.cts.InternalSessionWrapper.getRestriction(InternalSessionWrapper.java:99)
              at org.forgerock.openam.session.cts.CtsSessionProvider.getSession(CtsSessionProvider.java:67)
              ... 45 more
      

      To reproduce:

      1. deploy two OpenAM instances with default configuration in different domains
      2. configure one instance as IdP and the other one as SP
      3. enable stateless sessions on both instances
      4. initiate IdP SSO
      5. log in to IdP as demo/changeit
      6. log in to SP as demo/changeit
      7. observe the HTTP 500 error

      NOTE: If the users on both instances are mapped before enabling stateless sessions, then after enabling them the SSO would work.
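      As an added triage aid (not part of this ticket or of OpenAM's code): a small parser that walks the "Caused by" chain of the Federation log record quoted above and checks whether a record carries the signature this ticket describes (SSO failure in SPACSUtils.processResponse whose root NPE comes from the session-cache null check under CtsSessionProvider.getSession). The input is a constructed, abbreviated copy of the quoted trace.

```python
import re

# Constructed sample: an abbreviated copy of the Federation log record quoted in this ticket.
SAMPLE_LOG = """\
libSAML2:04/04/2017 11:12:32:828 AM BST: Thread[http-nio-8080-exec-8,5,main]: TransactionId[871fa826-26c5-4c48-974b-b95884c74d9b-6358]
ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: java.lang.NullPointerException
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1238)
Caused by: com.sun.identity.plugin.session.SessionException: java.lang.NullPointerException
        at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:217)
Caused by: com.iplanet.dpro.session.SessionException: java.lang.NullPointerException
        at org.forgerock.openam.session.cts.CtsSessionProvider.getSession(CtsSessionProvider.java:74)
Caused by: java.lang.NullPointerException
        at org.forgerock.guava.common.base.Preconditions.checkNotNull(Preconditions.java:210)
        at org.forgerock.openam.session.service.access.persistence.caching.InMemoryInternalSessionCacheStep.getFromCacheOrFind(InMemoryInternalSessionCacheStep.java:176)
        at org.forgerock.openam.session.cts.CtsSessionProvider.getSession(CtsSessionProvider.java:67)
        ... 45 more
"""

EXC_LINE = re.compile(r"^(?:Caused by: )?((?:[\w$]+\.)+[\w$]*(?:Exception|Error))(?::\s*(.*))?$")
FRAME_LINE = re.compile(r"^\s+at\s+([\w.$]+)\.([\w$<>]+)\(")

def parse_cause_chain(record):
    # One entry per exception in the 'Caused by' chain: class, message and the frames under it.
    chain = []
    for line in record.splitlines():
        frame = FRAME_LINE.match(line)
        if frame and chain:
            chain[-1]["frames"].append(f"{frame.group(1)}.{frame.group(2)}")
            continue
        exc = EXC_LINE.match(line)
        if exc:
            chain.append({"exception": exc.group(1), "message": exc.group(2) or "", "frames": []})
    return chain

def first_openam_frame(cause):
    # First frame owned by OpenAM itself, skipping the repackaged Guava frames.
    own = ("org.forgerock.openam.", "com.sun.identity.", "com.iplanet.")
    return next((f for f in cause["frames"] if f.startswith(own)), None)

def matches_openam_11005(record):
    # Signature from this ticket: SSO failure in SPACSUtils.processResponse, root NPE from the cache null check.
    chain = parse_cause_chain(record)
    if not chain or chain[-1]["exception"] != "java.lang.NullPointerException":
        return False
    root, every = chain[-1]["frames"], [f for c in chain for f in c["frames"]]
    return (any(f.endswith("SPACSUtils.processResponse") for f in every)
            and any(f.endswith("FMSessionProvider.createSession") for f in every)
            and root[:1] == ["org.forgerock.guava.common.base.Preconditions.checkNotNull"]
            and any(f.endswith("CtsSessionProvider.getSession") for f in root))
```

      Point it at a real Federation log by passing each multi-line record to matches_openam_11005; first_openam_frame(chain[-1]) names the OpenAM class nearest the null check, which is the frame worth quoting when raising or matching a ticket.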

      People

      • Assignee: Unassigned
      • Reporter: Nemanja Lukic (n4al)
      • QA Assignee: Nemanja Lukic