  1. OpenAM
  2. OPENAM-14290

Caching issue for 'users' REST endpoint

    Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 7.0.0
    • None
    • rest
    • Oracle JDK 1.8.0_151-b12
      Apache Tomcat/9.0.8

      AM 7.0.0.0-SNAPSHOT (commit hash 8ad772ba492198c8abd934409510e7447f24d7d3)

      Description

      Bug description

      The payload for an identity resource is incorrectly returned.

      How to reproduce the issue

      1. Configure AM with the embedded identity store.
      2. Leave the default data store authentication.
      3. Create identity 'jdoe' (see below).
      4. Set 'sun-idrepo-ldapv3-config-users-search-attribute=cn' for the embedded identity store (see below).
      5. Perform REST-based auth for user 'amadmin' to retrieve the 'administrative token':
        curl --request POST --header "Content-Type: application/json" --header "X-OpenAM-Username: amadmin" --header "X-OpenAM-Password: AMADMIN_PASSWORD" --header "Accept-API-Version: resource=2.0, protocol=1.0" --data "{}" "http://ammaster.test.xyz:8080/am/json/realms/root/authenticate?authIndexType=service&authIndexValue=adminconsoleservice"

      6. Perform a REST-based identity read using the administrative token and the wrong ID (it is not the value of the attribute set for 'sun-idrepo-ldapv3-config-users-search-attribute'):
        curl --header "iPlanetDirectoryPro: $TOKENID" --header "Content-Type: application/json" http://ammaster.test.xyz:8080/am/json/realms/root/users/jdoe

      7. Perform REST-based auth for user 'jdoe':
        curl --request POST --header "Content-Type: application/json" --header "X-OpenAM-Username: jdoe" --header "X-OpenAM-Password: password" --header "Accept-API-Version: resource=2.0, protocol=1.0" --data "{}" http://ammaster.test.xyz:8080/am/json/realms/root/authenticate

      8. Perform the REST-based identity read using the administrative token and the wrong ID AGAIN:
        curl --header "iPlanetDirectoryPro: $TOKENID" --header "Content-Type: application/json" http://ammaster.test.xyz:8080/am/json/realms/root/users/jdoe
        
      Expected behaviour
      HTTP response '404' should always be returned
      
      Current behaviour
      HTTP response '200' with the payload
      {
        "_id": "jdoe",
        "_rev": "436554600",
        "username": "jdoe",
        "realm": "/",
        "mail": [
          "jdoe@localhost"
        ],
        "givenName": [
          "John"
        ],
        "objectClass": [
          "iplanet-am-managed-person",
          "inetuser",
          "sunFMSAML2NameIdentifier",
          "inetorgperson",
          "devicePrintProfilesContainer",
          "iplanet-am-user-service",
          "iPlanetPreferences",
          "pushDeviceProfilesContainer",
          "forgerock-am-dashboard-service",
          "organizationalperson",
          "top",
          "kbaInfoContainer",
          "person",
          "sunAMAuthAccountLockout",
          "oathDeviceProfilesContainer",
          "webauthnDeviceProfilesContainer",
          "iplanet-am-auth-configuration-service"
        ],
        "dn": [
          "uid=jdoe,ou=people,dc=openam,dc=forgerock,dc=org"
        ],
        "cn": [
          "John Doe"
        ],
        "employeeNumber": [
          "0"
        ],
        "modifyTimestamp": [
          "20190122110106Z"
        ],
        "createTimestamp": [
          "20190122110047Z"
        ],
        "uid": [
          "jdoe"
        ],
        "universalid": [
          "id=jdoe,ou=user,dc=openam,dc=forgerock,dc=org"
        ],
        "inetUserStatus": [
          "Active"
        ],
        "sn": [
          "Doe"
        ],
        "iplanet-am-user-auth-config": [
          "[Empty]"
        ]
      }
      
      is returned for the second call.
      
      Important identity store settings
      ssoadm show-datastore -u amadmin -f PATH_TO_PWDFILE -e / -m embedded
      
      sun-idrepo-ldapv3-config-users-search-attribute=cn
      sun-idrepo-ldapv3-config-auth-naming-attr=uid
      
      Identity entry
      dn: uid=jdoe,ou=people,dc=openam,dc=forgerock,dc=org
      cn: John Doe
      mail: jdoe@localhost
      sn: Doe
      uid: jdoej
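
The reproduction steps above can be turned into a repeatable regression check. The following is an added example, not code from the report or from the OpenAM project; the function names, the `call` hook and the base URL and credentials passed in are assumptions, and `tokenId` is the field of the authenticate response that carries the session token.

```python
import json
import urllib.error
import urllib.request

API_VERSION = "resource=2.0, protocol=1.0"
# Query string used for the admin login in step 5 of the report.
ADMIN_QUERY = "?authIndexType=service&authIndexValue=adminconsoleservice"


def http(method, url, headers, body=None):
    """Default transport: returns (HTTP status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def login(base, user, password, query="", call=http):
    """Authenticate with the headers from the report; return the tokenId."""
    headers = {"Content-Type": "application/json",
               "Accept-API-Version": API_VERSION,
               "X-OpenAM-Username": user, "X-OpenAM-Password": password}
    url = f"{base}/json/realms/root/authenticate{query}"
    status, doc = call("POST", url, headers, b"{}")
    if status != 200 or not doc or "tokenId" not in doc:
        raise RuntimeError(f"login for {user!r} failed with HTTP {status}")
    return doc["tokenId"]


def read_status(base, token, user_id, call=http):
    """Return only the HTTP status of GET /users/{user_id}."""
    headers = {"iPlanetDirectoryPro": token, "Content-Type": "application/json"}
    status, _ = call("GET", f"{base}/json/realms/root/users/{user_id}", headers)
    return status


def check_lookup_consistency(base, admin, user, wrong_id, call=http):
    """Read wrong_id before and after the user's login; both must be 404."""
    token = login(base, *admin, query=ADMIN_QUERY, call=call)
    before = read_status(base, token, wrong_id, call)
    login(base, *user, call=call)  # step 7: the login that precedes the 200
    after = read_status(base, token, wrong_id, call)
    return {"before": before, "after": after,
            "consistent": before == after == 404}
```

`admin` and `user` are `(name, password)` tuples; a result with `consistent` set to `False` means the read outcome changed after the user's login, which is the behaviour reported here.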
      

            People

            Unassigned Unassigned
            bthalmayr Bernhard Thalmayr