OpenAM issue OPENAM-13162

Policy evaluation returns 403 with expired stateless app token

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 6.0.0.3, 6.5.0, 5.5.2
    • Component/s: policy
    • Sprint: AM Sustaining Sprint 52, AM Sustaining Sprint 53
    • Story Points: 3
    • Needs QA verification: No

      Description

      Bug description
      With an expired stateful application token, making a policy evaluation request returns 401. If the expired application token is stateless, a similar test returns 403.


      How to reproduce the issue
      1. Create a policyAdmin user in a policy group and add all privileges
      2. Give policyAdmin a session service with low "Maximum Session Time".
      3. Get tokens for policyAdmin and 'demo' user.
      4. Wait for the policyAdmin token to expire.
      5. Request a policy evaluation with the two tokens.
      6. Change to stateless sessions and repeat the test.


      EXPECTED BEHAVIOUR
      The same error response on both tests.

      curl --request POST --header 'iPlanetDirectoryPro: <policyAdmin token>' --header 'Content-Type: application/json' --data '{
      "resources": ["http://am551.fr.local/sec/sso.html"],
      "subject": { "ssoToken": "<demo user token>" },
      "application": "iPlanetAMWebAgentService"
      }' 'http://am551.fr.local:8080/openam/json/realms/root/policies?_action=evaluate'
      {"code":401,"reason":"Unauthorized","message":"Access Denied"}


      CURRENT BEHAVIOUR
      Stateful app token:
      {"code":401,"reason":"Unauthorized","message":"Access Denied"}

      Stateless:
      {"code":403,"reason":"Forbidden","message":"No valid session in request."}
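      The practical consequence of the two responses above is that a caller which re-authenticates its application token only on 401 never recovers once stateless sessions are in use. The following is an added example, not code from the ticket or from OpenAM: a small Python client that issues the same evaluate request and a helper that recognises both response shapes as "application session no longer valid". The base URL, tokens and the evaluate_policy helper are assumptions; the sample bodies are the ones quoted in this ticket.

```python
import json
import urllib.error
import urllib.request

# Evaluate endpoint path taken from the ticket's curl command.
EVALUATE_PATH = "/json/realms/root/policies?_action=evaluate"

# Constructed samples: the two error bodies quoted in CURRENT BEHAVIOUR,
# plus a 403 with a different message standing in for a real authz denial.
STATEFUL_EXPIRED = (401, '{"code":401,"reason":"Unauthorized","message":"Access Denied"}')
STATELESS_EXPIRED = (403, '{"code":403,"reason":"Forbidden","message":"No valid session in request."}')
OTHER_403 = (403, '{"code":403,"reason":"Forbidden","message":"Access Denied"}')

# Messages that mean "the caller's session is gone" even though the status is 403.
SESSION_INVALID_MESSAGES = {"No valid session in request."}


def app_token_expired(status, body):
    """True when the JSON error says the application (admin) session sent in
    the iPlanetDirectoryPro header is missing or expired, whichever status
    code the server chose; False for any other failure or a non-JSON body."""
    try:
        err = json.loads(body)
    except ValueError:
        return False
    if not isinstance(err, dict):
        return False
    code = err.get("code", status)
    if code == 401:
        return True
    return code == 403 and err.get("message") in SESSION_INVALID_MESSAGES


def evaluate_policy(base_url, app_token, subject_token, resources,
                    application="iPlanetAMWebAgentService", timeout=10):
    """Send the evaluate request from the ticket and return (status, body).
    Hypothetical helper: it needs a live OpenAM and is not run offline."""
    payload = json.dumps({"resources": resources,
                          "subject": {"ssoToken": subject_token},
                          "application": application}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + EVALUATE_PATH, data=payload, method="POST",
        headers={"iPlanetDirectoryPro": app_token,
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()
```

      A caller can feed the tuple returned by evaluate_policy straight into app_token_expired and refresh the application token on True, which behaves the same on 5.5.1 whether sessions are stateful or stateless.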

      People

      • Assignee: Sachiko Wallace
      • Reporter: Andrew Dunn (Inactive)
      • Votes: 1
      • Watchers: 4