OpenAM / OPENAM-14707

ConsentRequiredResource class does not reuse value in Base url source service


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: None
    • Labels:
    • Environment:
      Patch OPENAM-11157 has been applied
    • Sprint:
      AM Sustaining Sprint 62, AM Sustaining Sprint 63
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes, and I used the same ones as in the description


      Bug description

      The customer wants to rewrite the /openam context root to /cwa.

      The Base URL Source service has been configured accordingly.

      However, OpenAM still fails after the OAuth2 consent page.

      How to reproduce the issue

      1. Set up OpenAM 5.5.1 on Tomcat 8.5 (this 8.5 version is required to reproduce the case, see OPENAM-14695)

      2. Set the following flag in the setenv.sh file

      export CATALINA_OPTS="$CATALINA_OPTS -XX:+UseConcMarkSweepGC -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true"

      3. Set up a subrealm /online

      4. Set up a Base URL Source service with the fixed value /cwa

      5. Deploy openid.war

      6. Modify common.js with the following entries

      var openam = "/cwa";
      var authorize = "/oauth2/realms/root/realms/online/authorize";
      var access = "/oauth2/realms/root/realms/online/access_token";
      var info = "/oauth2/realms/root/realms/online/userinfo";
      // This application's URI, client_id, client_secret.
      var openid = "/openid";
      var client_id = "myClientID";
      var client_secret = "password";
      var client_realm = "/";

      7. Set up an Apache 2.4 proxy server with the following settings (the <LocationMatch> section only carries the Host header override; ProxyPass directives with a path argument are not allowed inside it, so they sit at <VirtualHost> level)

      <VirtualHost _default_:7443>
          ProxyPreserveHost On
          ServerName http://lb.internal.example.com
          Header always set X-Frame-Options "sameorigin"
          RequestHeader set host: lb.internal.example.com:7443

          <LocationMatch /cwa/oauth2>
              RequestHeader set host: lb.internal.example.com:7443
          </LocationMatch>

          ProxyPass /openid http://openam.internal.example.com:8080/openid
          ProxyPass /cwa/oauth2/realms/root/realms/online/authorize http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/authorize
          ProxyPass /cwa/json/ http://openam.internal.example.com:8080/openam/json/
          ProxyPass /cwa/oauth2/realms/root/realms/online/access_token http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/access_token
          ProxyPass /cwa/oauth2/realms/root/realms/online/userinfo http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/userinfo
          ProxyPass /cwa/oauth2/realms/root/realms/online/tokeninfo http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/tokeninfo
          ProxyPass /cwa/oauth2/realms/root/realms/online/token/revoke http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/token/revoke
          ProxyPass /cwa/XUI/ http://openam.internal.example.com:8080/openam/XUI/
          ProxyPass /cwa/UI/ http://openam.internal.example.com:8080/openam/UI/
          ProxyPassReverse /cwa/XUI/ http://openam.internal.example.com:8080/openam/XUI/
          ProxyPassReverse /cwa/XUI/ http://lb.internal.example.com:7443/openam/XUI/
          ProxyPassReverse /cwa/UI/ http://openam.internal.example.com:8080/openam/UI/
          ProxyPassReverse /cwa/UI/ http://lb.internal.example.com:7443/openam/UI/
          ProxyPassReverse /cwa/json/ http://lb.internal.example.com:7443/openam/json/

          <Files "*">
              Header add Access-Control-Allow-Origin "*"
              Header add Access-Control-Allow-Methods "GET, OPTIONS"
              Header add Access-Control-Allow-Headers "Authorization, X-Requested-With, Content-Type, Origin, Accept"
              Header add Access-Control-Allow-Credentials "true"
          </Files>
      </VirtualHost>

      8. Access lb.internal.example.com:7443/openid and open "Basic Client Profile"

      9. Start authorization

      10. Proceed from the consent page (patch OPENAM-11157 was applied in this test case)

      11. Notice that the request fails with /openam/oauth2 (instead of /cwa/oauth2)


      Expected behaviour

      The context root "/openam" should have been replaced with "/cwa".

      Current behaviour

      The URL still uses "/openam" instead of "/cwa".

      Work around

      Use Apache's mod_substitute to rewrite the contents of the consent form:

      <LocationMatch /cwa/oauth2>
          RequestHeader set host: lb.internal.example.com:7443
          AddOutputFilterByType SUBSTITUTE text/html
          Substitute "s|/openam/oauth2/realms/root/realms/online/authorize|/cwa/oauth2/realms/root/realms/online/authorize|ni"
      </LocationMatch>



      Code analysis

      ConsentRequiredResource.java at line 77:

      String target = resRef.getPath();  <=== it does not reuse the Base URL Source service's fixed value
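      As an added illustration (not code from OpenAM or from this ticket), the following Java class contrasts a redirect target taken straight from the request path, as at line 77, with one resolved through a configured Base URL Source value. The BaseUrlSource enum, the BaseUrlConfig holder, the method names and the sample request are assumptions made for this example; OpenAM's own classes and configuration model differ.

```java
import java.net.URI;

/*
 * Added example, not OpenAM project code. Shows why a redirect target built
 * from the raw request path keeps the deployment context root (/openam), and
 * how resolving it through the configured Base URL Source value yields the
 * externally visible /cwa URL instead. All names here are hypothetical.
 */
public final class ConsentTargetExample {

    /** Assumed subset of Base URL Source modes. */
    enum BaseUrlSource { REQUEST_VALUES, FIXED_VALUE }

    /** Assumed configuration holder: mode, fixed base URL and the servlet context path. */
    static final class BaseUrlConfig {
        final BaseUrlSource source;
        final String fixedValue;   // e.g. "http://lb.internal.example.com:7443/cwa"
        final String contextPath;  // the deployment context root, e.g. "/openam"

        BaseUrlConfig(BaseUrlSource source, String fixedValue, String contextPath) {
            this.source = source;
            this.fixedValue = fixedValue;
            this.contextPath = contextPath;
        }
    }

    /** Reported behaviour: the target is the request path, so /openam leaks into the redirect. */
    static String targetFromRequestPath(URI requestUri) {
        return requestUri.getPath();
    }

    /** Corrected behaviour: swap the context path for the configured base URL and keep the query. */
    static String targetFromBaseUrl(URI requestUri, BaseUrlConfig cfg) {
        String path = requestUri.getPath();
        String ctx = cfg.contextPath;
        // Refuse to rewrite anything outside the deployment rather than guessing.
        if (!path.equals(ctx) && !path.startsWith(ctx + "/")) {
            throw new IllegalArgumentException("request path is outside the deployment context: " + path);
        }
        String relative = path.substring(ctx.length());   // "/oauth2/realms/root/realms/online/authorize"

        String base;
        if (cfg.source == BaseUrlSource.FIXED_VALUE) {
            base = cfg.fixedValue;                          // operator-controlled, not taken from the request
        } else {
            base = requestUri.getScheme() + "://" + requestUri.getRawAuthority() + ctx;
        }
        if (base.endsWith("/")) {
            base = base.substring(0, base.length() - 1);    // avoid "//" when the fixed value has a trailing slash
        }

        // The authorize request's parameters (client_id, scope, ...) must survive the redirect.
        String query = requestUri.getRawQuery();
        return base + relative + (query == null ? "" : "?" + query);
    }

    public static void main(String[] args) {
        // Constructed request: what Tomcat sees behind the proxy in the reproduction steps.
        URI request = URI.create(
                "http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/authorize"
                + "?client_id=myClientID&response_type=code&scope=openid");
        BaseUrlConfig fixed = new BaseUrlConfig(
                BaseUrlSource.FIXED_VALUE, "http://lb.internal.example.com:7443/cwa", "/openam");

        System.out.println("reported : " + targetFromRequestPath(request));
        System.out.println("corrected: " + targetFromBaseUrl(request, fixed));
    }
}
```

      Run with `javac ConsentTargetExample.java && java ConsentTargetExample`. The first line printed still carries /openam, which is the failure seen in step 11; the second is rooted at the fixed value, so the browser never learns the internal context root, and the fixed value is trusted over anything in the incoming request.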




            • Assignee: Lawrence Yarham (lawrence.yarham), Sam Phua (sam.phua)