  1. OpenAM
  2. OPENAM-12418

Unable to access ForgeRock OATH for users with Profile when caching is disabled

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.4, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 5.5.1
    • Fix Version/s: 12.0.5, 13.5.3, 6.0.0, 14.1.2, 5.5.2
    • Component/s: authentication
    • Labels:
    • Environment:
      User data caching disabled
    • Sprint:
      AM Sustaining Sprint 48
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When using a module with FR OATH while all the AM caching is disabled, accessing the FR OATH module throws:

       

      javax.security.auth.login.LoginException: java.lang.NullPointerException
              at org.forgerock.openam.core.rest.devices.UserDevicesDao.getDeviceProfiles(UserDevicesDao.java:82)
              at org.forgerock.openam.authentication.modules.fr.oath.OathMaker.getDeviceProfiles(OathMaker.java:124)
              at org.forgerock.openam.authentication.modules.fr.oath.AuthenticatorOATH.getOathDeviceSettings(AuthenticatorOATH.java:752)
              at org.forgerock.openam.authentication.modules.fr.oath.AuthenticatorOATH.process(AuthenticatorOATH.java:274)
              at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
              at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      

       

      How to reproduce the issue

      1. Disable AM caching for user

      com.iplanet.am.sdk.caching.enabled=false
      com.sun.identity.idm.cache.enabled=false

      2. Create a new realm /2fa

      3. Create the datastore with naming authentication as mail, search alias = uid. Create a user with mail. Similarly, do the same with an LDAP module with mail as the naming authentication (REQUIRED). Create a new chain for the FROATH

      4. Log in to the LDAP module for realm /2fa and then later access the FROATH with the above user (which does not have the oath2device profile). The exception is seen

      Expected behaviour
      No exception and proceed to 2FA
      
      Current behaviour
      Auth module fails with server error
      

      Work around

      Re-enable the IDM/user cache

      AMIdentity.java
      /**
       * Returns the values of the requested attribute. Returns an empty set, if
       * the attribute is not set in the object.
       *
       * This method is only valid for AMIdentity objects of type User, Agent,
       * Group, and Role.
       *
       * @param attrName
       *            Name of attribute
       * @return Set of attribute values.
       */
      public Set getAttribute(String attrName) throws IdRepoException,
              SSOException {

          Set attrNames = new HashSet();
          attrNames.add(attrName);
          IdServices idServices = IdServicesFactory.getDataStoreServices();
          Map valMap = idServices.getAttributes(token, type, name, attrNames,
                  orgName, univDN, true);
          // Map.get() returns null when attrName has no entry in valMap
          return ((Set) valMap.get(attrName));
      }
      

      As the attribute is not found, this causes an NPE in UserDevicesDao. The API contract suggests the call should not return null (but an empty collection), but it seems that the other existing code idioms also do a null check (so some old code assumes null is possible).
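
The contract mismatch described above, reduced to a stand-alone Java program. This is an added example, not OpenAM code or the project's fix: the class, the method names, the attribute name "oathDeviceProfiles" and the sample mail value are hypothetical, and the lookup is assumed to return only attributes that are set.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration: every name here is a hypothetical stand-in, not an OpenAM class.
public class NullAttributeDemo {

    // Assumption: the data store lookup returns only the attributes that are
    // actually set on the entry, so an unset attribute has no key in the map.
    static Map<String, Set<String>> lookup(Set<String> attrNames) {
        Map<String, Set<String>> entry = new HashMap<>();
        entry.put("mail", Collections.singleton("demo@example.com")); // constructed sample value
        Map<String, Set<String>> result = new HashMap<>();
        for (String n : attrNames) {
            if (entry.containsKey(n)) result.put(n, entry.get(n));
        }
        return result;
    }

    // Same shape as the excerpt above: Map.get() yields null for an unset attribute.
    static Set<String> getAttributeAsWritten(String attrName) {
        return lookup(Collections.singleton(attrName)).get(attrName);
    }

    // Honours the documented contract: an unset attribute becomes an empty set.
    static Set<String> getAttributeNormalised(String attrName) {
        Set<String> values = lookup(Collections.singleton(attrName)).get(attrName);
        return values == null ? Collections.<String>emptySet() : values;
    }

    // Caller that trusts the contract and iterates without a null check.
    static int countProfiles(Set<String> values) {
        int n = 0;
        for (String v : values) n++; // NullPointerException here if values is null
        return n;
    }

    public static void main(String[] args) {
        String attr = "oathDeviceProfiles"; // hypothetical attribute name
        System.out.println("normalised: " + countProfiles(getAttributeNormalised(attr)));
        try {
            countProfiles(getAttributeAsWritten(attr));
        } catch (NullPointerException e) {
            System.out.println("as written: NullPointerException in caller");
        }
    }
}
```

Normalising at the accessor keeps every caller safe at once; a null check in the caller only protects that one call site.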


              People

              • Assignee:
                chee-weng.chea C-Weng C
                Reporter:
                chee-weng.chea C-Weng C