  1. OpenAM
  2. OPENAM-11665

Improve debug logging when unable to login in XUI with users endpoint getting 404 due to KBA attribute issues

    Details

    • Sprint:
      AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52, AM Sustaining Sprint 53, AM Sustaining Sprint 54, AM Sustaining Sprint 55
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      For some accounts that are somehow erroneously created with IDM, the users cannot log in to XUI, but REST is fine and the SSO token is created.
      The issue is that the "users" endpoint fails:

      curl 'http://openam.example.com:8080/openam/json/realms/root/realms/test/users/user%40example.com' \
        -H 'Accept-API-Version: protocol=1.0,resource=2.0' \
        -H 'Cookie: iPlanetDirectoryPro="AQIC5wM2LY4SfcyCrrmY5AqVWt8mH5PBPJJ8Tc6fXzC5uUc.*AAJTSQACMDEAAlNLABQtMzU0NDI4MTU4NTE5NzE4NzM5OAACUzEAAA..*"' \
        -H 'Accept-Encoding: gzip, deflate' \
        -H 'X-Password: anonymous' \
        -H 'Accept-Language: en-US' \
        -H 'X-Requested-With: XMLHttpRequest' \
        -H 'Connection: keep-alive' \
        -H 'Pragma: no-cache' \
        -H 'X-Username: anonymous' \
        -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36' \
        -H 'Content-Type: application/json' \
        -H 'Accept: application/json, text/javascript, */*; q=0.01' \
        -H 'Cache-Control: no-cache' \
        -H 'Referer: http://openam.example.com:8080/openam/XUI/?realm=test' \
        -H 'X-NoSession: true' \
        --compressed
      
      {"code":404,"reason":"Not Found","message":"/"}
      

      The logs show

      frRest:09/02/2017 11:28:38:567 AM UTC: Thread[http-nio-8080-exec-8,5,main]: TransactionId[a60c03a7-b7d3-4e2b-b81c-f7971e64d6d1-3671]
      ERROR: IdentityResource.readInstance() :: Cannot READ resourceId=user@example.com
      org.forgerock.json.JsonValueException: /
              at org.forgerock.openam.core.rest.IdentityRestUtils.identityDetailsToJsonValue(IdentityRestUtils.java:132)
              at org.forgerock.openam.core.rest.IdentityResourceV1.buildResourceResponse(IdentityResourceV1.java:1287)
              at org.forgerock.openam.core.rest.IdentityResourceV1.readInstance(IdentityResourceV1.java:1258)
              at org.forgerock.openam.core.rest.IdentityResourceV2.readInstance(IdentityResourceV2.java:1193)
              at org.forgerock.json.resource.InterfaceCollectionInstance.handleRead(InterfaceCollectionInstance.java:60)
              at org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:105)
              at org.forgerock.json.resource.Resources$CollectionInstanceIdContextFilter.filterRead(Resources.java:522)
              at org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:103)
      

      and nothing much

      How to reproduce the issue

      1. Setup a normal OpenAM (standard one)
      2. Create a new user. Test it works
      3. Create a kbaInfo with some entry such as "test"
      4. You can use the same curl as above.
      5. On AM6, if you go to click on the Identity, the GUI fails to display

      Alternatively, it is mentioned that there is some code that uses AM to do user provisioning; if they have kbaInfo with an empty string (where kbaInfo is not validated to be correct), then it also fails:

      curl \
       -s -k \
       -X PUT \
       -H 'X-Requested-With: XMLHttpRequest' \
       --header "iplanetdirectorypro: <ADMINTOKEN>" \
       --header "Content-Type: application/json" \
       -H "Accept-API-Version: resource=2.0, protocol=1.0" \
       -d '{ "username": "<newuser>", "userpassword": "<somepassword>", "kbaInfo": "abc" }' \
         "$URL/openam/json/users/<newuser>"
      
      Expected behaviour

      There should be better error reporting in the CoreSystem logs to correct this, or at least a decision on how we deal with the kbaInfo.

      The code should be more robust, or at least provide more error reporting, so the user can know how to correct the issue.

      Current behaviour

      Cannot use XUI to log in, as the users endpoint returns 404, and the error makes it very difficult to understand what went wrong when the authentication worked but the UI cannot log in.
      

      Work around

      Ensure user attributes like kbaInfo are correct JSON.

      Code analysis

      org.forgerock.openam.core.rest.IdentityRestUtils.identityDetailsToJsonValue(IdentityRestUtils.java:132) should handle the kbaInfo: ignore it or provide more details on the error.
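One way to apply the workaround on the provisioning side is a pre-flight check on each request body that names the offending user and kbaInfo value, which is the diagnostic the server log above lacks. This is an added example, not OpenAM code; the function names, the sample bodies and the rule that each value must be a JSON object are assumptions.

```python
import json

KBA_ATTR = "kbaInfo"  # attribute named on the page


def check_kba_values(username, values):
    """Return one message per kbaInfo value that is not well-formed.

    Assumption (not from the page): every value must be a JSON object, given
    either as a JSON string or as an already-decoded dict.
    """
    if values is None:
        return []
    if not isinstance(values, list):
        values = [values]  # single value supplied as a bare string
    problems = []
    for index, raw in enumerate(values):
        # Report position and length only: KBA values hold security answers.
        where = f"user={username} {KBA_ATTR}[{index}]"
        if isinstance(raw, dict):
            continue
        if not isinstance(raw, str):
            problems.append(f"{where}: unsupported type {type(raw).__name__}")
        elif not raw.strip():
            problems.append(f"{where}: empty string")
        else:
            try:
                parsed = json.loads(raw)
            except json.JSONDecodeError as exc:
                problems.append(f"{where}: not valid JSON "
                                f"({exc.msg} at offset {exc.pos}, length {len(raw)})")
                continue
            if not isinstance(parsed, dict):
                problems.append(f"{where}: valid JSON but not a JSON object")
    return problems


def check_payload(payload):
    """Validate one provisioning request body before it is PUT to /users."""
    return check_kba_values(payload.get("username", "<unknown>"), payload.get(KBA_ATTR))


# Constructed sample bodies, shaped like the PUT request on the page.
SAMPLES = [
    {"username": "demo-bad", "userpassword": "x", "kbaInfo": "abc"},
    {"username": "demo-empty", "userpassword": "x", "kbaInfo": ""},
    {"username": "demo-ok", "userpassword": "x",
     "kbaInfo": ['{"questionId": "1", "answer": "constructed"}']},
]

if __name__ == "__main__":
    for body in SAMPLES:
        for line in check_payload(body) or [f"user={body['username']}: kbaInfo OK"]:
            print(line)
```
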
      

            People

            • Assignee:
              chee-weng.chea C-Weng C
              Reporter:
              chee-weng.chea C-Weng C