OpenAM / OPENAM-13031

Failed search for non-existent user in datastore when fetching session properties and user profile is set to ignore


    Details

    • Sprint: AM Sustaining Sprint 52, AM Sustaining Sprint 53
    • 5
    • Yes

      Description

      Bug description

      A call to json/sessions triggers a search of the realm's datastore for the authenticated user even though 'User Profile' is set to Ignored. When that user does not exist in the datastore, every such call logs a full stack trace at ERROR level in the Entitlement debug log.
      Entitlement error-level logging at this rate may put pressure on disk space.

      How to reproduce the issue

      1. Configure an authentication module that allows authentication as 'demo' without the user existing in the datastore. An LDAP module pointing to an external store, for example.
      2. Set 'User Profile' to Ignored in the realm's authentication settings.
      3. Delete 'demo' from the embedded datastore.
      4. Add a group in the realm and assign it one or more privileges (this is what makes the REST authorization layer check group membership).
      5. Add 'AuthLevel' to the session property whitelist.
      6. Authenticate as 'demo' and note the session token.
      7. Call json/sessions with _action=getProperty to read AuthLevel:

      curl --request POST \
        --header 'Content-Type: application/json' \
        --header 'iplanetDirectoryPro: AQIC5wM2LY4SfcwrnC8zCGGyRHa5W54iaAcDVRdOGUAOJXI.AAJTSQACMDEAAlNLABMyOTIwMTQwMjQxODgxNjU1NjExAAJTMQAA' \
        -d '{"properties": ["AuthLevel"]}' \
        'http://1351.fr.local:8080/openam/json/sessions/?_action=getProperty'

      The call succeeds and returns {"AuthLevel":"0"}, but the error below is written to the Entitlement debug log.


      Also reproducible on AM 5.5.1 after following steps 1-4 and calling one of:

      http://am551.fr.local:8080/openam/json/realms/root/sessions?_action=validate

      http://am551.fr.local:8080/openam/json/realms/root/sessions/?_action=getSessionProperties

      http://am551.fr.local:8080/openam/json/realms/root/sessions/?_action=getSessionInfo


      Expected behaviour

      No errors logged.
      Arguably no search on the datastore at all, as 'User Profile' is set to Ignored. But how else would group membership, and therefore privileges, be calculated?

      Current behaviour
      Entitlement:04/30/2018 02:22:53:493 PM BST: Thread[http-bio-8080-exec-45,5,main]: TransactionId[83c5053a-4547-4ed4-9397-7c10f93b0aa3-2013]
      ERROR: OpenSSOPrivilege.evaluate
      com.sun.identity.entitlement.EntitlementException: Subject evaluation fails.
      	at com.sun.identity.entitlement.opensso.PolicySubject.evaluate(PolicySubject.java:225)
      	at com.sun.identity.entitlement.Privilege.doesSubjectMatch(Privilege.java:669)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.internalEvaluate(OpenSSOPrivilege.java:140)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.access$000(OpenSSOPrivilege.java:63)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:105)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:99)
      	at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:81)
      	at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.evaluate(OpenSSOPrivilege.java:98)
      	at com.sun.identity.entitlement.PrivilegeEvaluator$PrivilegeTask.run(PrivilegeEvaluator.java:423)
      	at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:337)
      	at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:250)
      	at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:219)
      	at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:771)
      	at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:719)
      	at com.sun.identity.delegation.plugins.DelegationPolicyImpl.isAllowed(DelegationPolicyImpl.java:542)
      	at com.sun.identity.delegation.DelegationEvaluatorImpl.isAllowed(DelegationEvaluatorImpl.java:219)
      	at org.forgerock.openam.rest.router.DelegationEvaluatorProxy.isAllowed(DelegationEvaluatorProxy.java:59)
      	at org.forgerock.openam.rest.authz.PrivilegeAuthzModule.evaluate(PrivilegeAuthzModule.java:201)
      	at org.forgerock.openam.rest.authz.PrivilegeAuthzModule.authorizeAction(PrivilegeAuthzModule.java:156)
      	at org.forgerock.openam.core.rest.session.AnyOfAuthzModule.authorizeAction(AnyOfAuthzModule.java:189)
      	at org.forgerock.openam.rest.authz.LoggingAuthzModule.authorizeAction(LoggingAuthzModule.java:117)
      	at org.forgerock.authz.filter.crest.AuthorizationFilters$AuthorizationFilter.filterAction(AuthorizationFilters.java:232)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.json.resource.FilterChain.handleAction(FilterChain.java:207)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:59)
      	at org.forgerock.openam.rest.fluent.AuditFilter.filterAction(AuditFilter.java:89)
      	at org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterAction(AuditFilterWrapper.java:60)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterAction(CrestLoggingFilter.java:74)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.openam.rest.ContextFilter.filterAction(ContextFilter.java:57)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.openam.rest.AuthenticationEnforcer.filterAction(AuthenticationEnforcer.java:137)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.json.resource.FilterChain.handleAction(FilterChain.java:207)
      	at org.forgerock.json.resource.Router.handleAction(Router.java:241)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:59)
      	at org.forgerock.openam.rest.ContextFilter.filterAction(ContextFilter.java:57)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:57)
      	at org.forgerock.json.resource.FilterChain.handleAction(FilterChain.java:207)
      	at org.forgerock.json.resource.InternalConnection.actionAsync(InternalConnection.java:33)
      	at org.forgerock.json.resource.http.RequestRunner.visitActionRequest(RequestRunner.java:127)
      	at org.forgerock.json.resource.http.RequestRunner.visitActionRequest(RequestRunner.java:73)
      	at org.forgerock.json.resource.Requests$ActionRequestImpl.accept(Requests.java:185)
      	at org.forgerock.json.resource.http.RequestRunner.handleResult(RequestRunner.java:119)
      	at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:566)
      	at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:563)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
      	at org.forgerock.json.resource.http.HttpAdapter.doRequest(HttpAdapter.java:562)
      	at org.forgerock.json.resource.http.HttpAdapter.doAction(HttpAdapter.java:505)
      	at org.forgerock.json.resource.http.HttpAdapter.handle(HttpAdapter.java:171)
      	at org.forgerock.http.filter.OptionsFilter.filter(OptionsFilter.java:77)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.openam.rest.CrestProtocolEnforcementFilter.filter(CrestProtocolEnforcementFilter.java:61)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:86)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:68)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:168)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
      	at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
      	at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
      	at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:555)
      	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:477)
      	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:468)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:146)
      	at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.openam.http.HandlerProvider.handle(HandlerProvider.java:50)
      	at org.forgerock.openam.http.HttpRoute$3.handle(HttpRoute.java:142)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:60)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:227)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: com.sun.identity.policy.PolicyException: AMIdentitySubject - can not check membership for user uid=demo,ou=People,dc=example,dc=com and subject id=realmadmins,ou=group,o=openam
      Identity demo of type user not found.
      Identity demo of type user not found.
      	at com.sun.identity.policy.plugins.AMIdentitySubject.isMember(AMIdentitySubject.java:428)
      	at com.sun.identity.entitlement.opensso.PolicySubject.evaluate(PolicySubject.java:219)
      	... 117 more
      
      
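      The trace above repeats once per session-properties request, which is what makes the disk-space concern real. The following is an added example, not OpenAM code or anything from this ticket's fix: it parses Entitlement debug output into records, keeps only the OpenSSOPrivilege.evaluate errors whose root cause is an AMIdentitySubject membership check against an identity that is not in the datastore, counts them per missing identity, and estimates daily log growth at an assumed request rate. The sample log text is constructed from the trace in this ticket (the second and third records, their transaction ids and the request rate are assumptions).

```python
"""Triage helper for the OpenAM Entitlement debug log pattern in OPENAM-13031.

Added example, not OpenAM code. Groups 'Subject evaluation fails' errors whose
root cause is an AMIdentitySubject membership check for a user that is absent
from the datastore, and estimates how fast the log grows.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Record header, e.g.
# Entitlement:04/30/2018 02:22:53:493 PM BST: Thread[http-bio-8080-exec-45,5,main]: TransactionId[...]
HEADER_RE = re.compile(
    r"^Entitlement:(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]+)\]: TransactionId\[(?P<txid>[^\]]+)\]$"
)
# Root cause emitted by AMIdentitySubject.isMember when the user lookup fails.
CAUSE_RE = re.compile(
    r"AMIdentitySubject - can not check membership for user (?P<user>\S+) and subject (?P<subject>\S+)"
)
NOT_FOUND_RE = re.compile(r"^Identity (?P<name>\S+) of type (?P<type>\w+) not found\.$")


@dataclass
class MembershipFailure:
    txid: str
    user_dn: str
    subject_dn: str
    missing_identity: str
    record_bytes: int  # size of the whole record incl. stack trace, for growth estimates


def split_records(text: str) -> list:
    """Split debug output into records; each record begins at an 'Entitlement:' header line."""
    records: list = []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)  # continuation (stack frames, Caused by, ...)
    return ["\n".join(r) for r in records]


def parse_failure(record: str) -> Optional[MembershipFailure]:
    """Return a MembershipFailure for records matching this ticket's pattern, else None."""
    lines = record.splitlines()
    header = HEADER_RE.match(lines[0])
    if header is None or "ERROR: OpenSSOPrivilege.evaluate" not in record:
        return None
    cause = CAUSE_RE.search(record)
    if cause is None:
        return None  # some other evaluation error; not the missing-user case
    missing = None
    for line in lines:
        m = NOT_FOUND_RE.match(line.strip())
        if m and m.group("type") == "user":
            missing = m.group("name")
            break
    if missing is None:
        return None
    return MembershipFailure(
        txid=header.group("txid"),
        user_dn=cause.group("user"),
        subject_dn=cause.group("subject"),
        missing_identity=missing,
        record_bytes=len(record.encode("utf-8")) + 1,  # +1 for the trailing newline
    )


def parse_records(text: str) -> list:
    return [f for f in (parse_failure(r) for r in split_records(text)) if f is not None]


def summarize(failures: list) -> Counter:
    """Count failures per missing identity, so bursts from one deleted user stand out."""
    return Counter(f.missing_identity for f in failures)


def estimate_daily_growth_bytes(failures: list, requests_per_second: float) -> int:
    """Bytes/day the log grows if every session-properties call logs one such record
    at the given (assumed) request rate; 0 when there is nothing to extrapolate from."""
    if not failures:
        return 0
    mean = sum(f.record_bytes for f in failures) / len(failures)
    return round(mean * requests_per_second * 86400)


# Constructed sample: the first record is abridged from the trace in the ticket,
# the second is an assumed repeat, the third an unrelated cause that must be ignored.
SAMPLE_LOG = """\
Entitlement:04/30/2018 02:22:53:493 PM BST: Thread[http-bio-8080-exec-45,5,main]: TransactionId[83c5053a-4547-4ed4-9397-7c10f93b0aa3-2013]
ERROR: OpenSSOPrivilege.evaluate
com.sun.identity.entitlement.EntitlementException: Subject evaluation fails.
    at com.sun.identity.entitlement.opensso.PolicySubject.evaluate(PolicySubject.java:225)
    at com.sun.identity.entitlement.Privilege.doesSubjectMatch(Privilege.java:669)
Caused by: com.sun.identity.policy.PolicyException: AMIdentitySubject - can not check membership for user uid=demo,ou=People,dc=example,dc=com and subject id=realmadmins,ou=group,o=openam
Identity demo of type user not found.
Identity demo of type user not found.
    at com.sun.identity.policy.plugins.AMIdentitySubject.isMember(AMIdentitySubject.java:428)
    ... 117 more
Entitlement:04/30/2018 02:22:53:610 PM BST: Thread[http-bio-8080-exec-12,5,main]: TransactionId[83c5053a-4547-4ed4-9397-7c10f93b0aa3-2014]
ERROR: OpenSSOPrivilege.evaluate
com.sun.identity.entitlement.EntitlementException: Subject evaluation fails.
Caused by: com.sun.identity.policy.PolicyException: AMIdentitySubject - can not check membership for user uid=demo,ou=People,dc=example,dc=com and subject id=realmadmins,ou=group,o=openam
Identity demo of type user not found.
    at com.sun.identity.policy.plugins.AMIdentitySubject.isMember(AMIdentitySubject.java:428)
    ... 117 more
Entitlement:04/30/2018 02:22:54:002 PM BST: Thread[http-bio-8080-exec-07,5,main]: TransactionId[83c5053a-4547-4ed4-9397-7c10f93b0aa3-2015]
ERROR: OpenSSOPrivilege.evaluate
com.sun.identity.entitlement.EntitlementException: Subject evaluation fails.
Caused by: com.sun.identity.policy.PolicyException: constructed filler, unrelated cause
"""

if __name__ == "__main__":
    found = parse_records(SAMPLE_LOG)
    for identity, n in summarize(found).items():
        print(f"missing identity {identity!r}: {n} failed membership check(s)")
    print("estimated growth at 10 req/s:", estimate_daily_growth_bytes(found, 10.0), "bytes/day")
```

      Run it against the real Entitlement debug file by replacing SAMPLE_LOG with the file contents; a single deleted user showing up with a high count is the signature described in this ticket, and the growth estimate is what to quote when deciding whether the workaround is worth applying before a fix is available.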

      Workaround

      Delete all datastores from the realm, so that no datastore search is attempted for the authenticated user.

               People

               sachiko Sachiko Wallace
               andrew.dunn Andrew Dunn [X] (Inactive)
               Filip Kubáň [X] (Inactive)
               Votes: 3
               Watchers: 9
