  1. OpenAM
  2. OPENAM-12539

Device ID Match fails Error running server side scripts - "org.forgerock.json.JsonValue" is prohibited. (<Unknown source>#796)

    Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 5.5.1
    • None
    • authentication
    • Rank:
      1|hzvf3b:
    • Yes
    • No
    • No
    • Yes and I used the same an in the description

      Description

      Bug description

      Setting up Device ID Match using steps in Authentication and SSO Guide -
      https://backstage.forgerock.com/docs/am/5.5/authentication-guide/#authn-device-id-match
      fails when logging in again after logging out.

      This error is provided when the Device ID Match is reading the existing profile:

      Error running server side scripts
      
      javax.script.ScriptException: java.util.concurrent.ExecutionException: javax.script.ScriptException: Access to Java class "org.forgerock.json.JsonValue" is prohibited. (<Unknown source>#796) in <Unknown source> at line number 796 at col
      

      How to reproduce the issue

      Followed steps in documentation:
      https://backstage.forgerock.com/docs/am/5.5/authentication-guide/#device-id-match-hints

      1. step 1 - create auth chain
      2. step 2 - set DataStore - Requisite ---> Device ID Match - Sufficient ---> HOTP - Requisite ---> Device ID Save
      3. step 3 - Login to auth chain: http://ambate02.internal.forgerock.com:5510/openam/XUI/#login/&service=deviceid
      4. step 4 - type username that has email address
      5. step 5 - submit OTP
      6. step 6 - Select to Save Device Profile
      7. step 7 - Name Device - I named mine ChromeMac
      8. step 8 - Login
      9. step 9 - Logout
      10. step 10 - log back into Auth Chain: http://ambate02.internal.forgerock.com:5510/openam/XUI/#login/&service=deviceid
      11. step 11 - notice it asks for OTP instead of letting you into AM console

      This stack trace is thrown:

      DSAMECAllbackhandler...[Ljavax.security.auth.callback.Callback;@5f3c9700
      amScript:03/02/2018 04:54:42:090 PM PST: Thread[ScriptEvaluator-1,5,main]: TransactionId[5b9a3b32-33dc-4de2-afc3-7dc98f346c99-606]
      
      client devicePrint: {"screen":{"screenWidth":1680,"screenHeight":1050,"screenColourDepth":24},"timezone":{"timezone":480},"plugins":{"installedPlugins":"Flash Player.plugin;"},"fonts":{"installedFonts":"cursive;monospace;serif;sans-serif;fantasy;default;Arial;Arial Black;Arial Narrow;Arial Rounded MT Bold;Comic Sans MS;Courier;Courier New;Georgia;Impact;Papyrus;Tahoma;Times;Times New Roman;Trebuchet MS;Verdana;"},"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:58.0) Gecko/20100101 Firefox/58.0","appName":"Netscape","appCodeName":"Mozilla","appVersion":"5.0 (Macintosh)","buildID":"20180206200532","platform":"MacIntel","oscpu":"Intel Mac OS X 10.12","product":"Gecko","productSub":"20100101","language":"en-US","geolocation":{}}
      amScript:03/02/2018 04:54:42:102 PM PST: Thread[http-bio-5510-exec-8,5,main]: TransactionId[5b9a3b32-33dc-4de2-afc3-7dc98f346c99-606]
      Error running server side scripts
      
      javax.script.ScriptException: java.util.concurrent.ExecutionException: javax.script.ScriptException: Access to Java class "org.forgerock.json.JsonValue" is prohibited. (<Unknown source>#796) in <Unknown source> at line number 796 at column number 0
       at org.forgerock.openam.scripting.ThreadPoolScriptEvaluator.evaluateScript(ThreadPoolScriptEvaluator.java:90)
       at org.forgerock.openam.authentication.modules.scripted.Scripted.evaluateServerSideScript(Scripted.java:163)
       at org.forgerock.openam.authentication.modules.scripted.Scripted.process(Scripted.java:141)
       at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1082)
       at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1273)
       at sun.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:218)
       at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:126)
       at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:530)
       at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
       at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:108)
       at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:168)
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:356)
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:213)
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:141)
       at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:165)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:76)
       at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:64)
       at org.forgerock.http.routing.Router.handle(Router.java:100)
       at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:59)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.http.routing.Router.handle(Router.java:100)
       at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:80)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.http.routing.Router.handle(Router.java:100)
       at org.forgerock.http.routing.Router.handle(Router.java:100)
       at org.forgerock.openam.rest.RealmRoutingFactory$ChfRealmRouter.handle(RealmRoutingFactory.java:139)
       at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
       at org.forgerock.openam.rest.RealmRoutingFactory$HostnameFilter.filter(RealmRoutingFactory.java:116)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.http.routing.Router.handle(Router.java:100)
       at org.forgerock.http.routing.Router.handle(Router.java:100)
       at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:59)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:188)
       at org.forgerock.caf.authentication.framework.AuthenticationFramework.lambda$onValidateRequestSuccess$1(AuthenticationFramework.java:181)
       at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:252)
       at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:241)
       at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:144)
       at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:134)
       at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:84)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:51)
       at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)
       at org.forgerock.http.routing.Router.handle(Router.java:100)
       at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:88)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:62)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:139)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:74)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:75)
       at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
       at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:258)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.forgerock.openam.rest.ProtocolVersionFilter.doFilter(ProtocolVersionFilter.java:65)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
       at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
       at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
       at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
       at java.lang.Thread.run(Thread.java:748)
      Caused by: java.util.concurrent.ExecutionException: javax.script.ScriptException: Access to Java class "org.forgerock.json.JsonValue" is prohibited. (<Unknown source>#796) in <Unknown source> at line number 796 at column number 0
       at java.util.concurrent.FutureTask.report(FutureTask.java:122)
       at java.util.concurrent.FutureTask.get(FutureTask.java:192)
       at org.forgerock.openam.scripting.ThreadPoolScriptEvaluator.evaluateScript(ThreadPoolScriptEvaluator.java:84)
       ... 97 more
      Caused by: javax.script.ScriptException: Access to Java class "org.forgerock.json.JsonValue" is prohibited. (<Unknown source>#796) in <Unknown source> at line number 796 at column number 0
       at org.forgerock.openam.scripting.factories.RhinoScriptEngine.convertException(RhinoScriptEngine.java:206)
       at org.forgerock.openam.scripting.factories.RhinoScriptEngine.eval(RhinoScriptEngine.java:72)
       at org.forgerock.openam.scripting.factories.RhinoScriptEngine.eval(RhinoScriptEngine.java:54)
       at org.forgerock.openam.scripting.StandardScriptEvaluator.evaluateScript(StandardScriptEvaluator.java:86)
       at org.forgerock.openam.scripting.ThreadPoolScriptEvaluator$ScriptExecutorTask.call(ThreadPoolScriptEvaluator.java:215)
       at org.forgerock.openam.audit.context.AuditRequestContextPropagatingCallable.call(AuditRequestContextPropagatingCallable.java:32)
       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
       ... 1 more
      Caused by: org.mozilla.javascript.EvaluatorException: Access to Java class "org.forgerock.json.JsonValue" is prohibited. (<Unknown source>#796)
       at org.mozilla.javascript.DefaultErrorReporter.runtimeError(DefaultErrorReporter.java:77)
       at org.mozilla.javascript.Context.reportRuntimeError(Context.java:913)
       at org.mozilla.javascript.Context.reportRuntimeError(Context.java:969)
       at org.mozilla.javascript.Context.reportRuntimeError1(Context.java:932)
       at org.mozilla.javascript.JavaMembers.<init>(JavaMembers.java:35)
       at org.mozilla.javascript.JavaMembers.lookupClass(JavaMembers.java:807)
       at org.mozilla.javascript.NativeJavaObject.initMembers(NativeJavaObject.java:54)
       at org.mozilla.javascript.NativeJavaObject.<init>(NativeJavaObject.java:44)
       at org.mozilla.javascript.NativeJavaObject.<init>(NativeJavaObject.java:34)
       at org.mozilla.javascript.WrapFactory.wrapAsJavaObject(WrapFactory.java:115)
       at org.mozilla.javascript.WrapFactory.wrap(WrapFactory.java:72)
       at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:236)
       at org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1473)
       at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:815)
       at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:109)
       at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
       at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
       at org.mozilla.javascript.InterpretedFunction.exec(InterpretedFunction.java:120)
       at org.mozilla.javascript.Context.evaluateReader(Context.java:1110)
       at org.forgerock.openam.scripting.factories.RhinoScriptEngine.eval(RhinoScriptEngine.java:69)
       ... 8 more
      amLoginModule:03/02/2018 04:54:42:103 PM PST: Thread[http-bio-5510-exec-8,5,main]: TransactionId[5b9a3b32-33dc-4de2-afc3-7dc98f346c99-606]
      SETTING Failure Module name.... :deviceidmatch
      
      Expected behaviour

      Login without requiring OTP (One Time Password)

      Current behaviour

      It asks for OTP (One Time Password)

      Even if you type in a new OTP, it gives you Authentication Failure.

      Work around

      No workaround

      Code analysis

      None
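
Added example, not part of the original report or of OpenAM: a small triage script that pulls the class a script was denied, and the script line, out of a debug log in the layout shown above, then ties it to the failed login module through the shared TransactionId. The function name `sandbox_denials` is hypothetical, and the parser assumes only the header and message formats visible in this trace.

```python
import re

# Sample input, abridged from the log excerpt in the report (embedded to run offline).
SAMPLE_LOG = """\
amScript:03/02/2018 04:54:42:102 PM PST: Thread[http-bio-5510-exec-8,5,main]: TransactionId[5b9a3b32-33dc-4de2-afc3-7dc98f346c99-606]
Error running server side scripts
javax.script.ScriptException: java.util.concurrent.ExecutionException: javax.script.ScriptException: Access to Java class "org.forgerock.json.JsonValue" is prohibited. (<Unknown source>#796) in <Unknown source> at line number 796 at column number 0
 at org.forgerock.openam.scripting.ThreadPoolScriptEvaluator.evaluateScript(ThreadPoolScriptEvaluator.java:90)
Caused by: org.mozilla.javascript.EvaluatorException: Access to Java class "org.forgerock.json.JsonValue" is prohibited. (<Unknown source>#796)
amLoginModule:03/02/2018 04:54:42:103 PM PST: Thread[http-bio-5510-exec-8,5,main]: TransactionId[5b9a3b32-33dc-4de2-afc3-7dc98f346c99-606]
SETTING Failure Module name.... :deviceidmatch
"""

# Record header: "<logger>:<timestamp>: Thread[...]: TransactionId[...]"
HEADER = re.compile(r"^(?P<logger>\w+):(?P<ts>\d\d/\d\d/\d{4} [\d:]+ [AP]M \w+): "
                    r"Thread\[[^\]]*\]: TransactionId\[(?P<txid>[^\]]+)\]")
DENIED = re.compile(r'Access to Java class "(?P<cls>[\w.$]+)" is prohibited\. '
                    r"\(<Unknown source>#(?P<line>\d+)\)")
FAILED = re.compile(r"SETTING Failure Module name\.+ :(?P<module>\S+)")


def sandbox_denials(log_text):
    """Return one summary dict per transaction in which a script was denied a class."""
    by_tx, txid = {}, None
    for raw in log_text.splitlines():
        header = HEADER.match(raw)
        if header:
            txid = header["txid"]
            by_tx.setdefault(txid, {"txid": txid, "first_seen": header["ts"],
                                    "denied": set(), "failed_module": None})
            continue
        if txid is None:
            continue  # text before the first header belongs to no record
        rec = by_tx[txid]
        for m in DENIED.finditer(raw):
            # The message repeats in every "Caused by" line; the set de-duplicates it.
            rec["denied"].add((m["cls"], int(m["line"])))
        failed = FAILED.search(raw)
        if failed:
            rec["failed_module"] = failed["module"]
    return [r for r in by_tx.values() if r["denied"]]


if __name__ == "__main__":
    for r in sandbox_denials(SAMPLE_LOG):
        print(r["txid"], sorted(r["denied"]), "failed module:", r["failed_module"])
```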

              People

              Unassigned Unassigned
              david.bate David Bate