OPENAM-13806

REST policy evaluation result is different when switching between stateful and stateless session

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.0.0, 14.5.0, 6.0.0
    • Fix Version/s: 7.0.0
    • Component/s: rest, session
    • Labels:
    • Target Version/s:

      Description

      Bug description

      REST policy evaluation result is different when switching between stateful and stateless session

      How to reproduce the issue

      1. install AM
      2. login to admin console and create a new realm "testrealm001"
      3. select "testrealm001" from [REALMS] menu
      4. click [Applications] -> [Agents] -> [Java] -> [+ Add Java Agent]
        Agent ID : J2EEAgent
        Agent URL: http://openam.example.com:38080/agentapp
        Server URL: http://openam.example.com:18080/opensso
      5. click [Authorization] -> [Policy Sets] -> [+ New Policy Set]
        Id : PEP policy set
        Name : PEP policy set
        Resource Types : URL
      6. click [Authorization] -> [Policy Sets] -> "PEP policy set" -> [+ Add a Policy]
        Name : TestPolicy001
        ResourceType: URL
        Resources : http://openam.example.com:28080/helloworld/*
        Actions : allow POST/GET etc
        Subjects : Authenticated Users
      7. get policy admin's token
        curl --request POST --header "X-OpenAM-Username: J2EEAgent" --header "X-OpenAM-Password: <password>" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/realms/testrealm001/authenticate?authIndexType=module&authIndexValue=Application"
        
      8. get user's token
        curl --request POST --header "X-OpenAM-Username: demo" --header "X-OpenAM-Password: <password>" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/realms/testrealm001/authenticate"
        
      9. click [Authentication] -> [Settings] -> [General] -> enable "Use Client-based Sessions" and save the change.
      10. request policy evaluation with the old stateful tokens (obtained in steps 7 and 8, before "Use Client-based Sessions" was enabled)
        curl --request POST -v \
        --header "Content-Type: application/json" \
        --header "Accept-API-Version:protocol=1.0,resource=2.1" \
        --header "iPlanetDirectoryPro: <admin token>" \
        --data '{
            "resources": [
                "http://openam.example.com:28080/helloworld/index.html"
            ],
            "application": "PEP policy set",
            "subject": { "ssoToken": "<user token>"}
        }' \
        "http://openam.example.com:18080/openam/json/realms/root/realms/testrealm001/policies?_action=evaluate"
        
      11. check that you will get "HTTP/1.1 200 OK"
      12. repeat the same steps, this time starting by retrieving stateless tokens (with "Use Client-based Sessions" still enabled), then go to [Authentication] -> [Settings] -> [General], disable "Use Client-based Sessions", save, and send the same policy evaluation request with the stateless tokens.
      13. check that you will get "HTTP/1.1 401 Unauthorized"

      NOTE: the agent type can be anything.

      Expected behaviour
      Users shouldn't get a different response code when the realm is switched between stateful and stateless sessions; whichever way the setting is flipped, an existing session of the other type should be treated the same.
      
      Current behaviour
      When "Use Client-based Sessions" is disabled and a still-valid stateless session token is used, the request gets "HTTP/1.1 401 Unauthorized"; in the opposite direction (a stateful token used after "Use Client-based Sessions" is enabled) the request still gets "HTTP/1.1 200 OK".
      

      Work around

      None

      Code analysis

      StatelessOperations.isValid() checks that the realm's currently configured session category/type matches the type of the session being validated, and rejects the session if it does not; CtsOperations performs no equivalent check for stateful sessions, so only the stateless -> stateful direction fails.

      org.forgerock.openam.session.stateless.StatelessOperations.java
         private boolean isValid(StatelessSession session) throws SessionException {
              try {
                  Realm realm = Realms.of(session.getProperty(com.sun.identity.shared.Constants.ORGANIZATION));
                  if (!SESSION_CATEGORY.equals(sessionCategorySelector.getSessionCategory(
                          realm, session.getProperty(ISAuthConstants.PRINCIPAL)))) {
                      return false;
                  }
      
      "http-bio-18080-exec-9@14843" daemon prio=5 tid=0xc7 nid=NA runnable
        java.lang.Thread.State: RUNNABLE
      	  at org.forgerock.openam.session.stateless.StatelessOperations.isValid(StatelessOperations.java:182)
      	  at org.forgerock.openam.session.stateless.StatelessOperations.validate(StatelessOperations.java:174)
      	  at com.iplanet.dpro.session.monitoring.MonitoredOperations.lambda$validate$3(MonitoredOperations.java:108)
      	  at com.iplanet.dpro.session.monitoring.MonitoredOperations$$Lambda$628.1141204726.run(Unknown Source:-1)
      	  at com.iplanet.dpro.session.monitoring.MonitoredOperations.time(MonitoredOperations.java:239)
      	  at com.iplanet.dpro.session.monitoring.MonitoredOperations.validate(MonitoredOperations.java:108)
      	  at com.iplanet.dpro.session.service.SessionService.validate(SessionService.java:330)
      	  at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:117)
      	  at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:207)
      	  at com.iplanet.sso.SSOTokenManager.retrieveValidTokenWithoutResettingIdleTime(SSOTokenManager.java:429)
      	  at org.forgerock.openam.rest.SSOTokenFactory.getTokenFromId(SSOTokenFactory.java:65)
      	  at org.forgerock.openam.rest.LocalSSOTokenSessionModule.validate(LocalSSOTokenSessionModule.java:214)
      	  at org.forgerock.openam.rest.LocalSSOTokenSessionModule.validateRequest(LocalSSOTokenSessionModule.java:170)
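      The asymmetry described above, modelled as an added example (illustrative code written for this ticket, not OpenAM's own). `Realm`, `SessionStore`, `validate()` and the HMAC-signed stateless token are hypothetical stand-ins for the realm configuration, CtsOperations/StatelessOperations, SessionService.validate() and the real client-based session JWT. The `check_category_for` set selects which validators compare the token's category with the realm's current "Use Client-based Sessions" setting: `BUGGY` reproduces the reported behaviour, and `CONSISTENT` is one way to make both directions agree (the ticket does not say how the 7.0.0 fix resolved it, so that choice is an assumption).

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical model, not OpenAM code: the realm setting "Use Client-based
# Sessions" decides which session category new logins get.
STATEFUL = "STATEFUL"    # server-side session, looked up in the CTS
STATELESS = "STATELESS"  # client-based session, carried in a signed token


class Realm:
    def __init__(self, name, client_based=False):
        self.name = name
        self.client_based = client_based

    def session_category(self):
        # Stand-in for sessionCategorySelector.getSessionCategory(realm, principal).
        return STATELESS if self.client_based else STATEFUL


class SessionStore:
    """Models both back ends: a CTS table and the key that signs stateless tokens."""

    def __init__(self):
        self.cts = {}                        # token id -> session properties
        self.key = secrets.token_bytes(32)   # HMAC key standing in for the JWT signing key

    def create(self, realm, principal):
        props = {"Organization": realm.name, "Principal": principal}
        if realm.client_based:
            body = base64.urlsafe_b64encode(json.dumps(props).encode()).decode()
            sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
            return body + "." + sig          # stateless: the token is the session
        token_id = secrets.token_hex(16)
        self.cts[token_id] = props           # stateful: the token only names the session
        return token_id

    def _decode(self, token):
        """Return (category, properties) for a well-formed, untampered token, else None."""
        if "." in token:
            body, sig = token.split(".", 1)
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(sig, expected):
                return None
            return STATELESS, json.loads(base64.urlsafe_b64decode(body))
        props = self.cts.get(token)
        return (STATEFUL, props) if props is not None else None

    def validate(self, token, realms, check_category_for):
        """Validate a token; check_category_for lists the categories whose
        validator compares the token's category with the realm's current one."""
        decoded = self._decode(token)
        if decoded is None:
            return False
        category, props = decoded
        realm = realms[props["Organization"]]   # Realms.of(session ORGANIZATION property)
        if category in check_category_for and realm.session_category() != category:
            return False                         # the check StatelessOperations.isValid() makes
        return True


# Reported behaviour: only the stateless validator compares categories.
BUGGY = {STATELESS}
# Assumed consistent alternative: both validators compare, so flipping the
# realm setting rejects live sessions of either kind.
CONSISTENT = {STATEFUL, STATELESS}


def evaluate_after_switch(check_category_for):
    """Return {(client_based_before, client_based_after): token still valid?}
    for both directions of flipping the realm setting under a live token."""
    results = {}
    for before, after in ((False, True), (True, False)):
        store = SessionStore()
        realm = Realm("testrealm001", client_based=before)
        realms = {realm.name: realm}
        token = store.create(realm, "demo")
        assert store.validate(token, realms, check_category_for)  # valid before the switch
        realm.client_based = after                                # admin flips the setting
        results[(before, after)] = store.validate(token, realms, check_category_for)
    return results


if __name__ == "__main__":
    print("as reported :", evaluate_after_switch(BUGGY))
    print("consistent  :", evaluate_after_switch(CONSISTENT))
```

      With `BUGGY`, a stateful token survives enabling client-based sessions (the 200 OK in step 11) while a stateless token is rejected after disabling them (the 401 in step 13); with `CONSISTENT` both directions give the same answer, which is the expected behaviour regardless of whether the agreed-on answer is accept or reject.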
      

        People

            • Assignee: david.luna@forgerock.com David Luna
            • Reporter: sachiko Sachiko Wallace