REST policy evaluation result is different when switching between stateful and stateless sessions
- install AM
- log in to the admin console and create a new realm "testrealm001"
- select "testrealm001" from [REALMS] menu
- click [Applications] -> [Agents] -> [Java] -> [+ Add Java Agent]
  Agent ID : J2EEAgent
  Agent URL: http://openam.example.com:38080/agentapp
  Server URL: http://openam.example.com:18080/opensso
- click [Authorization] -> [Policy Sets] -> [+ New Policy Set]
  Id : PEP policy set
  Name : PEP policy set
  Resource Types : URL
- click [Authorization] -> [Policy Sets] -> "PEP policy set" -> [+ Add a Policy]
  Name : TestPolicy001
  Resources : http://openam.example.com:28080/helloworld/*
  Actions : allow POST, GET, etc.
  Subjects : Authenticated Users
- get the policy admin's token
- get the user's token
- click [Authentication] -> [Settings] -> [General] -> enable "Use Client-based Sessions" and save the change.
- request policy evaluation with the old stateless session
- check that you will get "HTTP/1.1 200 OK"
- repeat the same steps, this time starting by retrieving a stateless token, then changing [Authentication] -> [Settings] -> [General] to disable "Use Client-based Sessions", then sending the policy evaluation request.
- check that you will get "HTTP/1.1 401 Unauthorized"
NOTE: the agent type can be anything.
StatelessOperations.isValid() checks whether the realm's session category/type matches that of the requested session, but CtsOperations does not perform the same check.
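The REST calls behind "get the policy admin's token", "get the user's token" and "request policy evaluation", as an added reproduction script that is not part of the original report. It assumes AM 5.5-style realm-qualified endpoints (/json/realms/root/realms/<realm>/...), the default iPlanetDirectoryPro session header, and placeholder credentials (amadmin, demo) supplied through environment variables.

```shell
#!/bin/sh
# Added reproduction helper; not the project's own code.
# Assumptions: AM at the Server URL from the steps above, realm testrealm001,
# realm-qualified REST paths, and placeholder accounts amadmin/demo.
set -eu

AM_URL="${AM_URL:-http://openam.example.com:18080/opensso}"
REALM="${REALM:-testrealm001}"
# A resource matched by TestPolicy001 (http://openam.example.com:28080/helloworld/*)
RESOURCE="http://openam.example.com:28080/helloworld/index.html"

# Authenticate with username/password headers and print the tokenId only.
# Whether the token is stateful or stateless depends on the realm's
# "Use Client-based Sessions" setting at the moment of login.
am_login() {
  curl -sS -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept-API-Version: resource=2.0, protocol=1.0' \
    -H "X-OpenAM-Username: $1" \
    -H "X-OpenAM-Password: $2" \
    "${AM_URL}/json/realms/root/realms/${REALM}/authenticate" \
    | sed -n 's/.*"tokenId":"\([^"]*\)".*/\1/p'
}

# Body of the evaluate request: the protected resource, the policy set
# ("application") and the user's SSO token as the subject.
eval_body() {
  printf '{"resources":["%s"],"application":"PEP policy set","subject":{"ssoToken":"%s"}}' \
    "$RESOURCE" "$1"
}

# Send the evaluation as the policy admin and print only the HTTP status:
# 200 is the expected result, 401 is the mismatch described in the report.
policy_eval_status() {
  curl -sS -o /dev/null -w '%{http_code}' -X POST \
    -H 'Content-Type: application/json' \
    -H 'Accept-API-Version: resource=2.0, protocol=1.0' \
    -H "iPlanetDirectoryPro: $1" \
    -d "$(eval_body "$2")" \
    "${AM_URL}/json/realms/root/realms/${REALM}/policies?_action=evaluate"
}

# Run against a live server only when invoked as: ADMIN_PASS=... USER_PASS=... sh repro.sh run
if [ "${1:-}" = "run" ]; then
  admin_token=$(am_login amadmin "$ADMIN_PASS")
  user_token=$(am_login demo "$USER_PASS")
  printf 'Tokens obtained. Toggle "Use Client-based Sessions" in the realm, then press Enter: '
  read -r _
  printf 'policy evaluation HTTP status: %s\n' "$(policy_eval_status "$admin_token" "$user_token")"
fi
```

Run the script once in each direction of the toggle (stateful token then enable client-based sessions; stateless token then disable them) to compare the two status codes.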