OpenAM > OPENAM-14707

ConsentRequiredResource class does not reuse value in Base url source service

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.5.0.1
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: None
    • Labels:
    • Environment:
      Patch OPENAM-11157 has been applied
    • Sprint:
      AM Sustaining Sprint 62, AM Sustaining Sprint 63
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, the same as in the description

      Description

      Bug description

      The customer wants to rewrite the context root from /openam to /cwa.

      The Base URL Source service has been configured accordingly.

      However, OpenAM still fails after the OAuth 2.0 consent page.

      How to reproduce the issue

      1. Set up OpenAM 5.5.1 on Tomcat 8.5 (this 8.5 version must be used to reproduce the case, see OPENAM-14695)

      2. Set the following flag in setenv.sh

      export CATALINA_OPTS="$CATALINA_OPTS -XX:+UseConcMarkSweepGC -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true"

      3. Set up a subrealm /online

      4. Set up a Base URL Source service with a fixed value of /cwa

      5. Deploy openid.war

      6. Modify common.js with the following entries

      var openam = "/cwa";
      var authorize = "/oauth2/realms/root/realms/online/authorize";
      var access = "/oauth2/realms/root/realms/online/access_token";
      var info = "/oauth2/realms/root/realms/online/userinfo";
      
      // This application's URI, client_id, client_secret.
      var openid = "/openid";
      var client_id = "myClientID";
      var client_secret = "password";
      var client_realm = "/";
      

      7. Set up an Apache 2.4 reverse proxy with the following settings

      <VirtualHost _default_:7443>
          ProxyPreserveHost On
          ServerName http://lb.internal.example.com
          Header always set X-Frame-Options "sameorigin"

          # Forward the proxy's public name and port as the Host header
          RequestHeader set Host "lb.internal.example.com:7443"

          <LocationMatch /cwa/oauth2>
              RequestHeader set Host "lb.internal.example.com:7443"
          </LocationMatch>

          ProxyPass /openid http://openam.internal.example.com:8080/openid
          ProxyPass /cwa/oauth2/realms/root/realms/online/authorize http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/authorize
          ProxyPass /cwa/json/ http://openam.internal.example.com:8080/openam/json/
          ProxyPass /cwa/oauth2/realms/root/realms/online/access_token http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/access_token
          ProxyPass /cwa/oauth2/realms/root/realms/online/userinfo http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/userinfo
          ProxyPass /cwa/oauth2/realms/root/realms/online/tokeninfo http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/tokeninfo
          ProxyPass /cwa/oauth2/realms/root/realms/online/token/revoke http://openam.internal.example.com:8080/openam/oauth2/realms/root/realms/online/token/revoke
          ProxyPass /cwa/XUI/ http://openam.internal.example.com:8080/openam/XUI/
          ProxyPass /cwa/UI/ http://openam.internal.example.com:8080/openam/UI/

          ProxyPassReverse /cwa/XUI/ http://openam.internal.example.com:8080/openam/XUI/
          ProxyPassReverse /cwa/XUI/ http://lb.internal.example.com:7443/openam/XUI/
          ProxyPassReverse /cwa/UI/ http://openam.internal.example.com:8080/openam/UI/
          ProxyPassReverse /cwa/UI/ http://lb.internal.example.com:7443/openam/UI/
          ProxyPassReverse /cwa/json/ http://lb.internal.example.com:7443/openam/json/
      </VirtualHost>

      # Test-only CORS settings: browsers reject a wildcard Allow-Origin combined with
      # Allow-Credentials "true" on credentialed requests, so list explicit origins in production
      <Files "*">
          Header add Access-Control-Allow-Origin "*"
          Header add Access-Control-Allow-Methods "GET, OPTIONS"
          Header add Access-Control-Allow-Headers "Authorization, X-Requested-With, Content-Type, Origin, Accept"
          Header add Access-Control-Allow-Credentials "true"
      </Files>


      8. Access lb.internal.example.com:7443/openid and open "Basic Client Profile"

      9. Start the authorization flow:

      http://lb.internal.example.com:7443/cwa/XUI/?realm=%2Fonline&goto=http%3A%2F%2Flb.internal.example.com%3A7443%2Fcwa%2Foauth2%2Frealms%2Froot%2Frealms%2Fonline%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3DmyClientID%26realm%3D%252F%26scope%3Dopenid%2520profile%26redirect_uri%3Dhttp%253A%252F%252Flb.internal.example.com%253A7443%252Fopenid%252Fcb-basic.html%26state%3Daf0ifjsldkj#login/

      10. Proceed from the consent page (patch OPENAM-11157 was applied in this test case)

      11. Notice that the request fails with /openam/oauth2 (instead of /cwa/oauth2)


      Expected behaviour
      The context root "/openam" should have been replaced with "/cwa".

      Current behaviour
      The URL still uses "/openam" instead of "/cwa".


      Workaround

      Use Apache's mod_substitute to rewrite the contents of the consent form:

      <LocationMatch /cwa/oauth2>
          RequestHeader set Host "lb.internal.example.com:7443"

          AddOutputFilterByType SUBSTITUTE text/html
          Substitute "s|/openam/oauth2/realms/root/realms/online/authorize|/cwa/oauth2/realms/root/realms/online/authorize|ni"
      </LocationMatch>


      Code analysis

      ConsentRequiredResource.java, line 77:
          String target = resRef.getPath();   // <=== does not reuse the Base URL Source service's fixed value
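      As an added check (example code written for this issue, not part of OpenAM or of the reporter's configuration), the script below scans a consent page fetched through the proxy for URLs whose path is still under the old context root, which is how the symptom in step 11 and the effect of the mod_substitute workaround can be verified; the HTML is a constructed sample, and rewrite_context_root generalises the workaround to every path under /openam rather than only the authorize path.

```python
"""Check a consent page served through the reverse proxy for URLs that still carry
the original OpenAM context root instead of the Base URL Source fixed value."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose URLs the browser will follow or submit to.
URL_ATTRS = {("form", "action"), ("a", "href"), ("script", "src"), ("link", "href")}

# Constructed sample of a consent page as it might come back through the proxy;
# the form action shows the symptom from the issue. Not output from a real server.
SAMPLE_CONSENT_HTML = """
<html><head>
<link rel="stylesheet" href="/cwa/XUI/css/style.css">
<script src="/cwa/XUI/main.js"></script>
</head><body>
<form method="post" action="/openam/oauth2/realms/root/realms/online/authorize">
<input type="hidden" name="client_id" value="myClientID">
<input type="submit" name="consent_decision" value="allow">
</form>
<a href="http://lb.internal.example.com:7443/openam/XUI/#logout/">Log out</a>
</body></html>
"""

class _UrlCollector(HTMLParser):
    """Collect (tag, attribute, url) triples for the attributes in URL_ATTRS."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in URL_ATTRS and value:
                self.urls.append((tag, name, value))

def _path_under(url, root):
    # Compare the path component only, so absolute URLs are treated like relative
    # ones and "/openamx/..." is not mistaken for "/openam/...".
    path = urlsplit(url).path
    return path == root or path.startswith(root + "/")

def find_stale_context_root(html, stale_root="/openam"):
    """Return every URL-bearing attribute whose path is still under stale_root."""
    collector = _UrlCollector()
    collector.feed(html)
    return [u for u in collector.urls if _path_under(u[2], stale_root)]

def rewrite_context_root(html, stale_root="/openam", new_root="/cwa"):
    """The mod_substitute workaround generalised to every path under stale_root."""
    return html.replace(stale_root + "/", new_root + "/")
```

Run find_stale_context_root on the page body returned for the consent POST target; an empty list means the proxy-facing context root is consistent.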
      

      People

      Assignee: Lawrence Yarham (lawrence.yarham)
      Reporter: Sam Phua (sam.phua)