Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-11632

CDCServlet does not work with realm


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.1, 14.1.1, 14.5.0
    • Fix Version/s: 13.5.2, 14.5.0, 14.1.2
    • Component/s: cdsso
    • Labels:
    • Needs backport:
    • Support Ticket IDs:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description


      Bug description

      CDSSO does not work when the AM already logged in (have SSOToken). It is possible
      that the request to the resource lands on the AM profile page (everytime you try to
      access a resource URL). {for this case this is especially so if the /cdcservlet is passed in
      the "realm=/something" parameter.

      How to reproduce the issue

      Say the openam is a domain <COM> and the agent/web is an <NET>

      A: Baseline test
      1. Create a nested realm /a/b/c
      2. Install a webagent on this realm
      3. Configure CDSSO to this realm and set the /UI/Login?realm=/a/b/c
      and the CDSSO cookie to <NET> domain
      Make sure the CDCServlet uri has /cdcservlet?realm=/a/b/c
      4. Grant all access to the webagent to access some URL
      5. Try to test that this works for now to ensure the CDSSO web agent

      B Actual setup
      1. Now configure a PAP, you can use the sample-postauthentication plugin from FR github site and change onLoginSuccess with

      String NEWURL="http://i_do_no_exist.com:8122";       

      2. Now set the PAP to the ldapService chain in the /a/b/c realm
      3. Restart and test that when you login it goes to NEWURL
      4. Now we are ready. clear all <NET> , <COM> Cookies
      and access the webagent url for some request
      It is expected we should land to "NEWURL" after authetication

      5. Now Access the webagent URL again.
      It is expected we should not login and get do not need to reauthenticate
      and GET TO <PAGE>

      Expected behaviour
      PAGE; is the requested resource we set and the <NET> domain
      have the SSOToken cookie set
      Current behaviour
      PAGE=AM profile page. No <NET> CDSSO cookie set

      Work around

      The issue is that Classic seems to work.

      Code analysis

      checkForPolicyAdvice logic to determines sso tokenRealm and compared to the passed in
      realm /cdcservlet?realm=xxxx is wrong. Broken realm handling in CDCServlet. This mismatches causes redirect to authentication
      again. (and all this with say gotoURL issues may cause the page now to follow the CDSSO flow)

      The previous code that does tokenRealm is parsed to get the token's orgDN just a wrong logic.
      The fix is to use the DNMapper.orgNameToRealmName(orgDN) to make sure we get the correct
      realm (like what other routines do). So that if the tokenRealm is same as the cdcservlet realm
      there is no longer an addition reauthentication (and instead send the CDSSO lares)


          Issue Links



              • Assignee:
                chee-weng.chea C-Weng C
                chee-weng.chea C-Weng C
              • Votes:
                0 Vote for this issue
                1 Start watching this issue


                • Created: