OpenAM / OPENAM-12173

NumberFormatException for AuthLevel in OAuth2 logs

    Details

    • Sprint:
      AM Sustaining Sprint 53
    • Story Points:
      2
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      The following is seen:

      OAuth2Provider:12/04/2017 02:37:41:598 PM UTC: Thread[http-nio-8080-exec-2,5,main]: TransactionId[5a571db5-0739-4f5f-9bba-35de894c6992-24491]
      WARNING: Can't parse session auth level '/:300'
      java.lang.NumberFormatException: For input string: "/:300"
              at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
              at java.lang.Integer.parseInt(Integer.java:569)
              at java.lang.Integer.valueOf(Integer.java:766)
              at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.validate(ResourceOwnerSessionValidator.java:220)
              at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:348)
              at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:180)
              at sun.reflect.GeneratedMethodAccessor131.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
              at org.restlet.resource.ServerResource.post(ServerResource.java:1377)
      

      The exception is caught and appears to have no visible impact. The auth level really is 300, a plain number; the problem is that somewhere the AuthLevel session property is assigned as "<realm>:<authlevel>" (here "/:300"), and that string cannot be parsed as an integer.

      How to reproduce the issue


      1. Deploy the OpenID sample and set it up as needed
      2. Configure the ACR values on the OpenID service: 300=Level300chain, 200=Level200chain
      3. Define Level200chain with an auth module whose auth level is 200
      4. Define Level300chain with an auth module whose auth level is 300
      5. Access the Basic client; you may want to copy the authorize URL used by the
         OpenID sample and add the query parameter acr_values=200 so that an ACR
         of 200 is used
      6. Repeat the above with acr_values=300 (both should prompt for authentication)
      7. Note that on the session upgrade the above exception is seen

      Alternative testcase

      1. Create a realm /test
      2. Create a session property whitelist for AuthLevel (so the auth level can be checked)
      3. Create an OAuth2 client (with stateless OAuth2) with the profile scope, using client_post (public client)
      4. Create a module that has authlevel=5
      5. Log in to the /test realm with the default service
      6. Log in again to the /test realm, but to the module, passing &sessionUpgradeSSOTokenId=<oldSSOtoken>:
        curl -s -k -X POST -H 'Content-Type: application/json' -H 'X-OpenAM-Username: demo' -H Accept-API-Version:protocol=2.0,resource=2.1 --data '{}' -H 'X-Requested-With: XMLHttpRequest' 'http://openam.example.com:8080/openam/json/authenticate?realm=/test&authIndexValue=l2&authIndexType=service&sessionUpgradeSSOTokenId=<previousSSOtoken>'

      7. Verify the session has AuthLevel set:
        curl -s -k --request POST -H 'X-Requested-With: XMLHttpRequest' --header 'iplanetdirectorypro: <token>' --header 'Content-Type: application/json' 'http://openam.example.com:8080/openam/json/sessions/?_action=getSessionProperties&realm=/test'

      8. Use this session-upgraded token to get an implicit grant:
        curl -s -D - -k -X POST -H 'X-Requested-With: XMLHttpRequest' --header 'Content-Type: application/x-www-form-urlencoded' --cookie iPlanetDirectoryPro=<token> --data redirect_uri=http://someurl --data response_type=token --data client_id=myClientID --data csrf=<token> --data decision=allow 'http://openam.example.com:8080/openam/oauth2/authorize?response_type=token&client_id=myClientID&scope=profile&realm=/test'

      9. Check the access token value.

      Expected behaviour
      No exception, since the AuthLevel is well defined

      Current behaviour
      Exception in the logs on session upgrade in a ROPC flow
      

      Work around

      No functional issue has been observed, but the exceptions in the OAuth2Provider
      log are distracting.

      Cause

      It seems that the session upgrade calls into AuthUtils.upgradeAuthLevel, and this
      method prefixes the AuthLevel with "<realm>:". One also wonders whether
      ResourceOwnerSessionValidator.java:220 should call token.getAuthLevel() instead of
      token.getProperty(AUTH_LEVEL), which should avoid the NumberFormatException.

      	  at com.sun.identity.authentication.service.AuthUtils.upgradeAuthLevel(AuthUtils.java:1559)
      	  at com.sun.identity.authentication.service.LoginState.sessionUpgrade(LoginState.java:4421)
      	  at com.sun.identity.authentication.service.LoginState.setSessionProperties(LoginState.java:1201)
      	  at com.sun.identity.authentication.service.LoginState.produceSessionFromState(LoginState.java:1116)
      	  at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:594)
      	  at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
      	  at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:108)
      	  at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:168)
      	  at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:356)
      	  at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:213)
      	  at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:141)
      	  at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:165)
      	  at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-1)
      	  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	  at java.lang.reflect.Method.invoke(Method.java:498)
      	  at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:76)
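As an added illustration (example code written for this page, not OpenAM's own), the Java class below shows why Integer.valueOf fails on the realm-prefixed value and one tolerant way to parse the property: split on the last ':' so that both "300" and "/:300" yield 300, and return an empty result instead of throwing. The class name, the parse/satisfies helpers and the sample values are this example's own assumptions; in particular the fail-closed comparison is a design choice for the example, not a description of what ResourceOwnerSessionValidator does.

```java
import java.util.Optional;

/**
 * Added example, not OpenAM code. The session AuthLevel property is seen on this
 * page either as a bare integer ("300") or, after a session upgrade, as
 * "<realm>:<level>" ("/:300"). Integer.valueOf on the second form throws the
 * NumberFormatException reported in the OAuth2Provider log.
 */
public final class AuthLevelParser {

    /** Parsed result: optional realm prefix plus the numeric level. */
    public static final class ParsedAuthLevel {
        public final String realm; // null when the value carried no realm prefix
        public final int level;

        ParsedAuthLevel(String realm, int level) {
            this.realm = realm;
            this.level = level;
        }
    }

    /** The naive parse, kept for contrast: throws on "/:300". */
    public static int naiveParse(String raw) {
        return Integer.valueOf(raw);
    }

    /**
     * Tolerant parse of "<level>" or "<realm>:<level>". Splits on the LAST ':'
     * (assumption: realm names such as "/" or "/test" contain no ':' themselves,
     * but splitting on the last one still works if they did). Returns empty
     * instead of throwing for null, blank, negative or non-numeric input.
     */
    public static Optional<ParsedAuthLevel> parse(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        String s = raw.trim();
        if (s.isEmpty()) {
            return Optional.empty();
        }
        int idx = s.lastIndexOf(':');
        String realm = idx < 0 ? null : s.substring(0, idx);
        String levelPart = idx < 0 ? s : s.substring(idx + 1);
        try {
            int level = Integer.parseInt(levelPart);
            return level < 0 ? Optional.empty() : Optional.of(new ParsedAuthLevel(realm, level));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    /**
     * Fail-closed comparison for an ACR-style check (this example's own choice):
     * an unparseable session auth level never satisfies a requirement. Swallowing
     * the exception and carrying on would be the wrong default for an
     * authorization decision.
     */
    public static boolean satisfies(String rawSessionLevel, int requiredLevel) {
        return parse(rawSessionLevel).map(p -> p.level >= requiredLevel).orElse(false);
    }

    public static void main(String[] args) {
        // Constructed sample values, including the one from the bug report.
        String[] samples = {"300", "/:300", "/test:5", "", "abc", "/test:abc"};
        for (String s : samples) {
            String naive;
            try {
                naive = Integer.toString(naiveParse(s));
            } catch (NumberFormatException e) {
                naive = "NumberFormatException";
            }
            String tolerant = parse(s)
                    .map(p -> "realm=" + p.realm + " level=" + p.level)
                    .orElse("unparseable");
            System.out.printf("%-12s naive=%-22s tolerant=%s  satisfies(200)=%b%n",
                    "'" + s + "'", naive, tolerant, satisfies(s, 200));
        }
    }
}
```

Compile and run with javac AuthLevelParser.java && java AuthLevelParser. The naive column reproduces the exception for "/:300", while the tolerant parse recovers realm "/" and level 300; inputs with no numeric level are reported as unparseable and never satisfy a required level.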
      

            People

            • Assignee: chee-weng.chea C-Weng C
            • Reporter: chee-weng.chea C-Weng C
            • QA Assignee: Filip Kubáň [X] (Inactive)
            • Votes: 0
            • Watchers: 5


                Time Tracking

                • Original Estimate: 16h
                • Remaining Estimate: 16h
                • Time Spent: Not Specified