  1. OpenAM
  2. OPENAM-14867

AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.5.0, 6.5.1
    • Fix Version/s: 6.0.1, 5.5.2, 7.0.0, 6.5.3
    • Component/s: session
    • Sprint:
      AM Sustaining Sprint 64, AM Sustaining Sprint 65
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description


      Bug description

      When using an Authentication Tree, the session does not have the AuthType property, and getAuthType() returns an SSOException and logs the error:

      ERROR: Can't get token authentication type

      How to reproduce the issue

      There are a few places in the code that assume that session.getAuthType() returns a value. In fact, it cannot return null or throw an Exception for some of these. These include the CDCServlet, any code that calls getAuthType() when now using Nodes, and AnyKnownUserAuthzModule, which is used for the "any authenticated users" policy.

      1. You can try to use a session created with both auth module and auth tree to compare the result on a normal user
        curl -H "iPlanetDirectoryPro: $ssoToken" \
        -H "X-Requested-With: IE" \
      2. You will notice the exception, and that the former works but the auth tree does not.

      Expected behaviour
      AuthType (when on a Tree) should not have different behaviour. In fact, one wonders if the AuthType should have a value for a tree. Anyway, because AuthType is nonexistent, it may cause an Exception for components that assume this from AuthModule and now do not work.

      Should a Tree have some value for AuthType (it cannot be null from the unit test, but it would seem it should), or should getting this cause an SSOException for AuthTree()? It would be good to ensure we avoid issues and correct this for Trees.

      Current behaviour
      Some REST calls fail because they assume AuthType exists. In fact, the unit test suggests that AuthType, if not present, throws "SSOException". The API contract is not so clear on that; it says:
      ```
      if the SSOToken is not <code>VALID</code> or if there are errors in getting the authentication method.
      ```
      Does "not existent" mean an error?

      Work around


      Code analysis

      have code that does either assume AuthType will always return a value (and not throw Exception or is not null)



              • Assignee:
                lawrence.yarham Lawrence Yarham
                chee-weng.chea C-Weng C