OpenAM / OPENAM-13031

Failed search for non-existent user in datastore when fetching session properties and user profile is set to ignore

    Details

    • Sprint:
      AM Sustaining Sprint 52, AM Sustaining Sprint 53
    • Story Points:
      5
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes

      Description

      Bug description

      A call to json/sessions results in a search on a datastore even though 'user profile' is set to ignore.
      Entitlement error level logging may put pressure on disk space.

      How to reproduce the issue

      1. Configure a module that allows authentication as 'demo'. An LDAP module pointing to an external store, for example.
      2. Set 'user profile' to ignored in the realm.
      3. Delete 'demo' from the embedded datastore.
      4. Add a group and assign one or more privileges.
      5. Add 'AuthLevel' in the session property whitelist.
      6. Authenticate as 'demo'.
      7. Call json/sessions getProperty to fetch AuthLevel:

      curl --request POST --header 'Content-Type: application/json' --header 'iplanetDirectoryPro: AQIC5wM2LY4SfcwrnC8zCGGyRHa5W54iaAcDVRdOGUAOJXI.AAJTSQACMDEAAlNLABMyOTIwMTQwMjQxODgxNjU1NjExAAJTMQAA' -d '{"properties": ["AuthLevel"]}' 'http://1351.fr.local:8080/openam/json/sessions/?_action=getProperty'

      Response:

      {"AuthLevel":"0"}


      Also reproducible on 5.5.1 after following steps 1-4 and calling one of:

      http://am551.fr.local:8080/openam/json/realms/root/sessions?_action=validate

      http://am551.fr.local:8080/openam/json/realms/root/sessions/?_action=getSessionProperties

      http://am551.fr.local:8080/openam/json/realms/root/sessions/?_action=getSessionInfo


      Expected behaviour

      No errors logged.
      Arguably no search on the datastore as 'user profile' is set to ignored. But how else are group membership and privileges calculated?

      Current behaviour
      Entitlement:04/30/2018 02:22:53:493 PM BST: Thread[http-bio-8080-exec-45,5,main]: TransactionId[83c5053a-4547-4ed4-9397-7c10f93b0aa3-2013]
      ERROR: OpenSSOPrivilege.evaluate
      com.sun.identity.entitlement.EntitlementException: Subject evaluation fails.
      	at com.sun.identity.entitlement.opensso.PolicySubject.evaluate(PolicySubject.java:225)
      	at com.sun.identity.entitlement.Privilege.doesSubjectMatch(Privilege.java:669)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.internalEvaluate(OpenSSOPrivilege.java:140)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.access$000(OpenSSOPrivilege.java:63)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:105)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:99)
      	at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:81)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.evaluate(OpenSSOPrivilege.java:98)
      	at com.sun.identity.entitlement.PrivilegeEvaluator$PrivilegeTask.run(PrivilegeEvaluator.java:423)
      	at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:337)
      	at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:250)
      	at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:219)
      	at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:771)
      	at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:719)
      	at com.sun.identity.delegation.plugins.DelegationPolicyImpl.isAllowed(DelegationPolicyImpl.java:542)
      	at com.sun.identity.delegation.DelegationEvaluatorImpl.isAllowed(DelegationEvaluatorImpl.java:219)
      	at org.forgerock.openam.rest.router.DelegationEvaluatorProxy.isAllowed(DelegationEvaluatorProxy.java:59)
      	at org.forgerock.openam.rest.authz.PrivilegeAuthzModule.evaluate(PrivilegeAuthzModule.java:201)
      	at org.forgerock.openam.rest.authz.PrivilegeAuthzModule.authorizeAction(PrivilegeAuthzModule.java:156)
      	at org.forgerock.openam.core.rest.session.AnyOfAuthzModule.authorizeAction(AnyOfAuthzModule.java:189)
      	at org.forgerock.openam.rest.authz.LoggingAuthzModule.authorizeAction(LoggingAuthzModule.java:117)
      	at org.forgerock.authz.filter.crest.AuthorizationFilters$AuthorizationFilter.filterAction(AuthorizationFilters.java:232)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.json.resource.FilterChain.handleAction(FilterChain.java:207)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:59)
      	at org.forgerock.openam.rest.fluent.AuditFilter.filterAction(AuditFilter.java:89)
      	at org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterAction(AuditFilterWrapper.java:60)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterAction(CrestLoggingFilter.java:74)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.openam.rest.ContextFilter.filterAction(ContextFilter.java:57)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.openam.rest.AuthenticationEnforcer.filterAction(AuthenticationEnforcer.java:137)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.json.resource.FilterChain.handleAction(FilterChain.java:207)
      	at org.forgerock.json.resource.Router.handleAction(Router.java:241)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:59)
      	at org.forgerock.openam.rest.ContextFilter.filterAction(ContextFilter.java:57)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.json.resource.FilterChain.handleAction(FilterChain.java:207)
      	at org.forgerock.json.resource.InternalConnection.actionAsync(InternalConnection.java:33)
      	at org.forgerock.json.resource.http.RequestRunner.visitActionRequest(RequestRunner.java:127)
      	at org.forgerock.json.resource.http.RequestRunner.visitActionRequest(RequestRunner.java:73)
      	at org.forgerock.json.resource.Requests$ActionRequestImpl.accept(Requests.java:185)
      	at org.forgerock.json.resource.http.RequestRunner.handleResult(RequestRunner.java:119)
      	at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:566)
      	at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:563)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
      	at org.forgerock.json.resource.http.HttpAdapter.doRequest(HttpAdapter.java:562)
      	at org.forgerock.json.resource.http.HttpAdapter.doAction(HttpAdapter.java:505)
      	at org.forgerock.json.resource.http.HttpAdapter.handle(HttpAdapter.java:171)
      	at org.forgerock.http.filter.OptionsFilter.filter(OptionsFilter.java:77)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.openam.rest.CrestProtocolEnforcementFilter.filter(CrestProtocolEnforcementFilter.java:61)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:86)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:68)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:168)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
      	at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
      	at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
      	at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:555)
      	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:477)
      	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:468)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:146)
      	at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.openam.http.HandlerProvider.handle(HandlerProvider.java:50)
      	at org.forgerock.openam.http.HttpRoute$3.handle(HttpRoute.java:142)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:60)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:227)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: com.sun.identity.policy.PolicyException: AMIdentitySubject - can not check membership for user uid=demo,ou=People,dc=example,dc=com and subject id=realmadmins,ou=group,o=openam
      Identity demo of type user not found.
      Identity demo of type user not found.
      	at com.sun.identity.policy.plugins.AMIdentitySubject.isMember(AMIdentitySubject.java:428)
      	at com.sun.identity.entitlement.opensso.PolicySubject.evaluate(PolicySubject.java:219)
      	... 117 more
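
      To spot this failure pattern in the Entitlement debug log and gauge how much log volume it generates, the following is an added Python example; it is not part of the ticket and not OpenAM code. It parses entries in the layout shown above (header line, level and location, exception, frames, innermost "Caused by:") and counts the "Identity ... of type user not found" subject-evaluation failures per identity, together with the bytes those entries occupy, which is the signal behind the disk-space concern. The sample log is constructed: the first entry mirrors the trace in the ticket with frames trimmed, and the other two transaction ids are placeholders.

```python
"""Added example (not from the ticket or from OpenAM): parse Entitlement
debug-log entries in the layout shown above and count the
'Identity ... of type user not found' subject-evaluation failures that
OPENAM-13031 produces, plus the log volume they account for."""
import re
from collections import Counter
from dataclasses import dataclass

# Header line of each debug entry: "Entitlement:<timestamp>: Thread[...]: TransactionId[...]"
HEADER_RE = re.compile(
    r"^Entitlement:(?P<ts>.+?): Thread\[(?P<thread>[^\]]+)\]: "
    r"TransactionId\[(?P<txid>[^\]]+)\]$"
)
# The line that reveals the datastore lookup for a user that no longer exists.
NOT_FOUND_RE = re.compile(r"^Identity (?P<name>\S+) of type (?P<type>\S+) not found\.$")


@dataclass
class LogEntry:
    timestamp: str
    thread: str
    txid: str
    level: str = ""             # ERROR / WARNING / ...
    location: str = ""          # e.g. "OpenSSOPrivilege.evaluate"
    root_cause: str = ""        # innermost "Caused by:" exception text
    missing_identity: str = ""  # "type:name" when a not-found line is present
    size_bytes: int = 0         # bytes the entry occupies on disk (incl. newlines)


def parse_entries(text):
    """Split a debug log into entries; each starts at a header line and runs
    until the next header. Lines before the first header are ignored."""
    entries = []
    cur = None
    for raw in text.splitlines():
        header = HEADER_RE.match(raw)
        if header:
            cur = LogEntry(header["ts"], header["thread"], header["txid"])
            entries.append(cur)
            cur.size_bytes += len(raw.encode()) + 1
            continue
        if cur is None:
            continue
        cur.size_bytes += len(raw.encode()) + 1
        line = raw.strip()
        if not cur.level and line.startswith(("ERROR:", "WARNING:", "INFO:")):
            cur.level, _, cur.location = line.partition(": ")
        elif line.startswith("Caused by: "):
            cur.root_cause = line[len("Caused by: "):]  # last one wins: innermost cause
        else:
            nf = NOT_FOUND_RE.match(line)
            if nf:
                cur.missing_identity = f"{nf['type']}:{nf['name']}"
    return entries


def summarize(entries):
    """Aggregate the not-found failures: how many, for which identities, under
    which transaction ids, and how many bytes of log they generated."""
    hits = [e for e in entries if e.missing_identity]
    return {
        "total_entries": len(entries),
        "not_found_entries": len(hits),
        "by_identity": dict(Counter(e.missing_identity for e in hits)),
        "transaction_ids": [e.txid for e in hits],
        "bytes_from_not_found": sum(e.size_bytes for e in hits),
    }


# Constructed sample: entry 1 mirrors the trace in the ticket (frames trimmed),
# entries 2 and 3 use placeholder transaction ids.
SAMPLE_LOG = "\n".join([
    "Entitlement:04/30/2018 02:22:53:493 PM BST: Thread[http-bio-8080-exec-45,5,main]: TransactionId[83c5053a-4547-4ed4-9397-7c10f93b0aa3-2013]",
    "ERROR: OpenSSOPrivilege.evaluate",
    "com.sun.identity.entitlement.EntitlementException: Subject evaluation fails.",
    "\tat com.sun.identity.entitlement.opensso.PolicySubject.evaluate(PolicySubject.java:225)",
    "\tat com.sun.identity.entitlement.Privilege.doesSubjectMatch(Privilege.java:669)",
    "Caused by: com.sun.identity.policy.PolicyException: AMIdentitySubject - can not check membership for user uid=demo,ou=People,dc=example,dc=com and subject id=realmadmins,ou=group,o=openam",
    "Identity demo of type user not found.",
    "Identity demo of type user not found.",
    "\tat com.sun.identity.policy.plugins.AMIdentitySubject.isMember(AMIdentitySubject.java:428)",
    "\t... 117 more",
    "Entitlement:04/30/2018 02:23:01:120 PM BST: Thread[http-bio-8080-exec-46,5,main]: TransactionId[placeholder-txid-0002]",
    "ERROR: OpenSSOPrivilege.evaluate",
    "com.sun.identity.entitlement.EntitlementException: Subject evaluation fails.",
    "Caused by: com.sun.identity.policy.PolicyException: AMIdentitySubject - can not check membership for user uid=demo,ou=People,dc=example,dc=com and subject id=realmadmins,ou=group,o=openam",
    "Identity demo of type user not found.",
    "\t... 117 more",
    "Entitlement:04/30/2018 02:23:05:004 PM BST: Thread[http-bio-8080-exec-47,5,main]: TransactionId[placeholder-txid-0003]",
    "WARNING: PrivilegeEvaluator.evaluate",
    "some unrelated message that should not count",
])

if __name__ == "__main__":
    for key, value in summarize(parse_entries(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

      Run it against a real Entitlement debug file by passing the file contents to parse_entries; a non-empty by_identity map for a user that has been removed from the datastore is the symptom this ticket describes, and bytes_from_not_found shows how fast it is consuming disk.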
      
      

      Workaround

      Delete all datastores from the realm.


              People

              • Assignee: Sachiko Wallace (sachiko)
              • Reporter: Andrew Dunn (andrew.dunn) [X] (Inactive)
              • QA Assignee: Filip Kubáň [X] (Inactive)
              • Votes: 3
              • Watchers: 9
