Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-13786

REST policy evaluation throws 500 Internal Error due to stateless ssotoken encryption alg conflict


    • Sprint:
      AM Sustaining Sprint 56
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description


      Bug description

      REST policy evaluation throws 500 Internal Error when stateless ssotoken encryption alg was changed and if the request was made with alg before the change

      How to reproduce the issue

      1. install AM
      2. login to admin console and create a new realm "testrealm001"
      3. select "testrealm001" from [REALMS] menu
      4. click [Authentication] -> [Settings] -> [General] -> enable "Use Client-based Sessions" and save the change.
      5. click [Applications] -> [Agents] -> [Java] -> [+ Add Java Agent]
        Agent ID : J2EEAgent
        Agent URL: http://openam.example.com:38080/agentapp
        Server URL: http://openam.example.com:18080/opensso
      6. click [Authorization] -> [Policy Sets] -> [+ New Policy Set]
        Id : PEP policy set
        Name : PEP policy set
        Resource Types : URL
      7. click [Authorization] -> [Policy Sets] -> "PEP policy set" -> [+ Add a Policy]
        Name : TestPolicy001
        ResourceType: URL
        Resources : http://openam.example.com:28080/helloworld/*
        Actions : allow POST/GET etc
        Subjects : Authenticated Users
      8. check stateless session's encryption algorithm by clicking [CONFIGURE] -> [GLOBAL SERVICES] -> [Session] -> [Client-based Sessions] -> "Encryption Algorithm : Direct AES encryption"
      9. get policy admin's token
        curl --request POST --header "X-OpenAM-Username: J2EEAgent" --header "X-OpenAM-Password: <password>" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/realms/testrealm001/authenticate?authIndexType=module&authIndexValue=Application"
      10. get user's token
        curl --request POST --header "X-OpenAM-Username: demo" --header "X-OpenAM-Password: <password>" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/realms/testrealm001/authenticate"
      11. change stateless session's encryption algorithm by clicking [CONFIGURE] -> [GLOBAL SERVICES] -> [Session] -> [Client-based Sessions] -> change to "Encryption Algorithm : NONE" and save
      12. request policy evaluation with old stateless session
        curl --request POST -v \
        --header "Content-Type: application/json" \
        --header "Accept-API-Version:protocol=1.0,resource=2.1" \
        --header "iPlanetDirectoryPro: <admin token>" \
        --data '{
            "resources": [
            "application": "PEP policy set",
            "subject": { "ssoToken": "<user token>"}
        }' \

      NOTE: type of Agents can be anything.

      Expected behaviour
      AM should check JWT header's encryption method against it's configuration and return UNAUTHORIZED rather than Internal Error.
      Current behaviour

      You will receive response code 500 with the following error message:

      {"code":500,"reason":"Internal Server Error","message":"An error occurred whilst trying to use restricted token.","detail":{"failureReasons":[{"exception":"An error occurred whilst trying to use restricted token."}]},"cause":{"message":"An error occurred whilst trying to use restricted token."}}

      Work around


      Code analysis

      It seems like LocalSSOTokenSessionModule#validateRequest doesn't have fine grained exception handling.

              try {
                  if (requester != null) {
                      SSOToken requesterToken = getFactory().getTokenFromId(requester);
                      if (getFactory().isTokenValid(requesterToken)) {
                          return RestrictedTokenContext.doUsing(requesterToken,
                                  new RestrictedTokenAction<Promise<AuthStatus, AuthenticationException>>() {
                                      public Promise<AuthStatus, AuthenticationException> run() throws Exception {
                                          return validate(request, messageInfo, clientSubject);
                  return validate(request, messageInfo, clientSubject);
              } catch (SSOUnavailableException ex) {
                  return newExceptionPromise(new AuthenticationException(new ServiceUnavailableException()));
              } catch (Exception ex) {
                  return newExceptionPromise(
                          new AuthenticationException("An error occurred whilst trying to use restricted token."));

      Attaching stacktrace for reference :

      "http-bio-18080-exec-4@13713" daemon prio=5 tid=0xb8 nid=NA runnable
        java.lang.Thread.State: RUNNABLE
          at com.iplanet.dpro.session.operations.ServerSessionOperationStrategy.getOperation(ServerSessionOperationStrategy.java:70)
          at com.iplanet.dpro.session.service.SessionService.getSession(SessionService.java:162)
          at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:115)
          at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:207)
          at com.iplanet.sso.SSOTokenManager.retrieveValidTokenWithoutResettingIdleTime(SSOTokenManager.java:429)
          at org.forgerock.openam.rest.SSOTokenFactory.getTokenFromId(SSOTokenFactory.java:65)
          at org.forgerock.openam.rest.LocalSSOTokenSessionModule.validate(LocalSSOTokenSessionModule.java:208)
          at org.forgerock.openam.rest.LocalSSOTokenSessionModule.validateRequest(LocalSSOTokenSessionModule.java:166)
          at org.forgerock.caf.authentication.framework.AuthModules$WrappedAuthModule.validateRequest(AuthModules.java:515)




            • Assignee:
              sachiko Sachiko Wallace
              sachiko Sachiko Wallace
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: