OpenAM / OPENAM-13530

Datastore Decision node removes username from shared state when it is not found


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0.4
    • Fix Version/s: 6.0.1, 6.5.0, 5.5.3
    • Component/s: trees
    • Sprint: AM Sustaining Sprint 55, AM Sustaining Sprint 56
    • Story Points: 3
    • Needs backport: Yes
    • Needs QA verification: No
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      When a username is not found in the Datastore, the Datastore decision node removes it from the shared state.

      That makes the following popular use case complex to implement: a group of users belonging to different identity stores, but authenticating through the same tree, without having to provide their credentials more than once.

      With chains you would simply have a sufficient authN module followed by a required authN module and set the shared-state and tryFirstPass options on the modules. That way, when a user could not authN to the first module, the chain would reuse the same credentials against the subsequent module.

      That is no longer easily done with trees.

      The same behaviour is observed with the LDAP Decision node (see OPENAM-13531).

      How to reproduce the issue

      1. Install default AM instance
      2. Set debug level to message
      3. Access the Example tree: http://openam.example.com:18080/openam/XUI/?service=Example#login
      4. Insert a username that does not exist (and any password)
      5. Check the authentication debug log

      Expected behaviour

      The shared state before and after failing to authN contains the username.

      Current behaviour

      The shared state after the failure has removed the username:

      amAuthInternalSMModule:09/06/2018 01:15:21:344 PM BST: <SKIP>
      SMSAuthModule::login() From shared state: Username: user.10 Password: <present>
      amAuthInternalSMModule:09/06/2018 01:15:21:344 PM BST: <SKIP>
      SMSAuthModule::login() For authentication: Username: user.10 Password: <present>
      amAuth:09/06/2018 01:15:21:344 PM BST: <SKIP>
      WARNING: invalid username error
      amAuth:09/06/2018 01:15:21:344 PM BST: <SKIP>
      newSharedState {realm=/, authLevel=0}

      Code analysis

      DataStoreDecisionNode.java

      } catch (IdentityNotFoundException e) {
          logger.warn("invalid username error");
          newState.remove(USERNAME);
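      To make the impact of that `newState.remove(USERNAME)` concrete, here is an added stand-alone Python model of the two-store tree described in the bug description. It is not OpenAM code and does not use the node API; the identity stores, user names, passwords and the `datastore_node`/`run_tree` functions are constructed for illustration.

```python
from dataclasses import dataclass

USERNAME = "username"
PASSWORD = "password"

# Constructed identity stores (username -> password); not real AM data.
STORE_A = {"alice": "pw-a"}      # e.g. employees
STORE_B = {"user.10": "pw-10"}   # e.g. contractors


@dataclass
class Outcome:
    result: bool        # the node's true/false outcome
    shared_state: dict  # the state handed to the next node


def datastore_node(store, shared_state, keep_username_on_miss):
    """Model of one Datastore Decision node checking a single store.

    keep_username_on_miss=False reproduces the 6.0.0.4 behaviour
    (newState.remove(USERNAME) in the IdentityNotFoundException branch)."""
    new_state = dict(shared_state)  # nodes work on a copy, like newState
    username = new_state.get(USERNAME)
    if username is None:
        return Outcome(False, new_state)  # nothing left to check
    if username not in store:
        if not keep_username_on_miss:
            new_state.pop(USERNAME)  # the reported bug
        return Outcome(False, new_state)
    return Outcome(store[username] == new_state.get(PASSWORD), new_state)


def run_tree(credentials, stores, keep_username_on_miss):
    """Tree: node(store A) -false-> node(store B) ..., the tree equivalent of
    a 'sufficient' module followed by a 'required' one in a chain.
    Returns True when some store authenticates the user once."""
    state = dict(credentials)
    for store in stores:
        outcome = datastore_node(store, state, keep_username_on_miss)
        if outcome.result:
            return True
        state = outcome.shared_state
    return False


if __name__ == "__main__":
    creds = {USERNAME: "user.10", PASSWORD: "pw-10"}
    # Buggy node: store A misses, drops the username, store B sees nothing.
    print("6.0.0.4 behaviour:", run_tree(creds, [STORE_A, STORE_B], False))
    # Fixed node: the username survives the miss and store B authenticates.
    print("fixed behaviour:  ", run_tree(creds, [STORE_A, STORE_B], True))
```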

      People

      • Assignee: lawrence.yarham (Lawrence Yarham)
      • Reporter: nathalie.hoet (Nathalie Hoet)
      • Votes: 2
      • Watchers: 10