OPENAM-15858

Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2, 6.5.2, 6.5.2.1, 6.5.2.2
    • Fix Version/s: 6.5.2.3, 7.0.0, 6.5.3
    • Component/s: trees
    • Labels:
    • Sprint: AM Sustaining Sprint 71, AM Sustaining Sprint 72
    • Story Points: 2
    • Needs backport: No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification: No
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

      How to reproduce the issue

      1. Configure 'CTS' as authentication session state management scheme
      2. Use Postman (or curl) to perform REST authentication for 'Example' Auth Tree (AM_URL/json/authenticate?authIndexType=service&authIndexValue=Example)
      3. Wait for 4 minutes before submitting the first callback (NameCallback)

      Expected behaviour

      The next callback (PasswordCallback) should be returned.

      Current behaviour

      The error

      {
       "code": 401,
       "reason": "Unauthorized",
       "message": "Login failure"
      }

      is returned.

      Excerpt from the AM 6.5.2.2 debug logs:
      ERROR: Unable to construct an appropriate auth session
      org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Failed to create session
              at org.forgerock.openam.core.rest.authn.trees.AuthTrees.constructAuthSession(AuthTrees.java:452)
              at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:227)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:229)
      

      Code analysis

      org.forgerock.openam.core.rest.authn.trees.AuthTrees.java
      ...
          private Session constructAuthSession(String sessionId, Realm realm) throws RestAuthException {
              try {
                  if (sessionId != null && !sessionId.isEmpty()) {
                      return sessionServiceProvider.get().getSession(new SessionID(sessionId));
                  } else {
                      SessionBuilder builder = sessionServiceProvider.get().
                              getSessionBuilder(DelegatedAuthenticationOperations.SESSION_CATEGORY, realm.asDN());
                      builder.setMaxSessionTime(getAuthenticationMaxDuration(realm.asPath()));
      
                      return builder.withSessionCategory(getAuthenticationSessionCategory(realm.asPath())).build();
                  }
              } catch (SessionException e) {
                  throw new RestAuthException(INTERNAL_SERVER_ERROR.getCode(), "Failed to create session", e);
              }
          }
      ...
      

      Only 'MaxSessionTime' is set on the builder; 'MaxIdleTime' is left to the default supplied by SessionService.

      The coreTokenExpirationDate LDAP attribute is computed as

          public long getExpirationTime(final TimeUnit timeUnit) {
              return Math.min(
                      getMaxIdleExpirationTime(timeUnit),
                      getMaxSessionExpirationTime(timeUnit));
          }
      

      --> The authentication session token is reaped by CTS as soon as the (shorter) idle timer expires, i.e. before 'Max duration (minutes)' is reached.
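      To make the interaction of the two timers concrete, here is a small model of the expiry rule quoted above (an added example in Python, not OpenAM code; the timeout values are constructed for illustration and are not AM defaults). It shows that the CTS token's expiration is the earlier of the idle and maximum-session expirations, and that only the session timer is derived from 'Max Authentication Time'.

```python
"""Model of the CTS auth-session expiry rule described in OPENAM-15858.

Added example, not OpenAM code. Timeout values are constructed for
illustration and are not AM defaults.
"""
from dataclasses import dataclass


@dataclass
class AuthSession:
    """Mirrors the two timers an auth session carries in CTS."""
    created: int           # seconds since epoch when the tree was started
    max_session_secs: int  # from 'Max Authentication Time' (setMaxSessionTime)
    max_idle_secs: int     # not set by constructAuthSession; SessionService default
    last_access: int = 0

    def __post_init__(self) -> None:
        self.last_access = self.created

    def max_session_expiration(self) -> int:
        return self.created + self.max_session_secs

    def max_idle_expiration(self) -> int:
        return self.last_access + self.max_idle_secs

    def expiration_time(self) -> int:
        # Same rule as getExpirationTime(): the earlier timer wins, and that
        # value is what lands in coreTokenExpirationDate.
        return min(self.max_idle_expiration(), self.max_session_expiration())

    def submit_callback(self, now: int) -> bool:
        """Return True if a callback at time `now` finds a live session.

        A reaped token corresponds to the 'Login failure' in the report; a
        live one is touched so the idle window restarts.
        """
        if now >= self.expiration_time():
            return False
        self.last_access = now
        return True


def reproduce(max_idle_secs: int, wait_secs: int = 4 * 60) -> bool:
    """Start a tree at t=0, wait `wait_secs`, then submit the first callback."""
    # Constructed: a 'Max Authentication Time' of 10 minutes, longer than the wait.
    session = AuthSession(created=0, max_session_secs=10 * 60,
                          max_idle_secs=max_idle_secs)
    return session.submit_callback(wait_secs)
```

      With a constructed idle default of 2 minutes, `reproduce(120)` returns False (the callback submitted after 4 minutes is rejected), while an idle timer no shorter than the maximum authentication time, `reproduce(600)`, lets the callback through and the token then lives until the session timer alone expires.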

      People

      Assignee: Joe Starling (joe.starling)
      Reporter: Bernhard Thalmayr (bthalmayr)