
Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2
    • Fix Version/s: 6.0.1, 7.0.0, 6.5.3
    • Component/s: authentication, session
    • Labels:
    • Environment:
      The realm has a Post Authentication Plugin (PAP) configured.
    • Sprint:
      AM Sustaining Sprint 72
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes, and I used the same ones as in the description


      Bug description

      When a Post Authentication Plugin (PAP) is configured and a login fails after the user has waited a long time during authentication (near the page session timeout), the code evaluates the authentication session, which has expired by then, and the following NPE occurs:


      Caused by: java.lang.NullPointerException
      at com.iplanet.dpro.session.service.SessionService.setProperty(SessionService.java:242)
      at com.sun.identity.authentication.service.LoginState.setPostLoginInstancesProperty(LoginState.java:4755)
      at com.sun.identity.authentication.service.LoginState.postProcess(LoginState.java:4588)
      at com.sun.identity.authentication.service.AMLoginContext.postProcessOnFail(AMLoginContext.java:1904)
      at com.sun.identity.authentication.service.AMLoginContext.getStatus(AMLoginContext.java:1027)
      at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:591)
      at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:108)
      at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:168)
      at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:491)

       This in turn may cause a 500 Internal Server Error response.

      How to reproduce the issue


      1. Set a short timeout for the overall page (authentication) session, as described in https://backstage.forgerock.com/knowledge/kb/article/a23597700: set com.iplanet.am.session.invalidsessionmaxtime=[minutes], or in Servers > Sessions Limit change Invalidate Session Max Time from 3 to 1, so the wait is 1 minute.
      2. Add a Post Authentication Plugin (PAP) to the realm's authentication configuration. Note that the PAP class must be present in AM; a restart of AM is needed.
      3. Start AM in debug mode and set a breakpoint at org.forgerock.openam.session.authentication.AuthenticationSessionStore.cullSessionIfNecessary(org.forgerock.openam.session.Session).
      4. Run an authentication request with an invalid password.
      5. When the breakpoint is hit, wait for the timeout set above before resuming from the breakpoint.
      6. Check the CoreSystem logs for the error.
      Expected behaviour
      The PAP should not cause an exception or a 500 error.
      Current behaviour
      With a PAP configured, an exception is thrown when the authentication session has timed out, and a 500 error is returned.
      IMPACT: REST calls return a 500 error.

      Work around

      Remove the PAP, or just ignore this (although for the failure case it may still produce a REST 500 error), since the user did not complete the authentication session in a timely manner anyway.

      Code analysis


      4740    private void setPostLoginInstancesProperty(Set<String> postLoginClassSet) {
      4741        postLoginClassSet.remove("");
      4742        String value = StringUtils.join(postLoginClassSet, '|');
      4744        if (!Utils.isNullOrEmpty(value) && !isNoSession()) {
      4745            try {
      4746                SessionService sessionService = AuthD.getSessionService();
      4747                Session session;
      4749                if (isTransactionalAuth() || forceAuth) {
      4750                    session = sessionService.getSession(oldSessionReference);
      4751                } else {
      4752                    session = sessionService.getSession(finalSessionId);
      4753                }
      4755                AuthD.getSessionService().setProperty(session, ISAuthConstants.POST_AUTH_PROCESS_INSTANCE, value);

      The session can be null because the underlying AuthenticationSession is null after expiry, so setProperty (line 4755) is called with a null session.

      Fix: if the session is null, simply return and do nothing, as if the PAP did not exist.
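The null guard described above, as an added illustration that is not OpenAM's own code or its actual fix commit: the SessionStore and Session classes, the POST_AUTH_PROCESS_INSTANCE string and the plugin class name are constructed stand-ins for the real AuthenticationSessionStore, Session and ISAuthConstants.POST_AUTH_PROCESS_INSTANCE. The stand-in store culls a session once it has outlived a max invalid-session time, modelled on com.iplanet.am.session.invalidsessionmaxtime, so the same lookup that succeeds within the window returns null after it.

```java
import java.util.*;

// Added illustration of the null guard from the code analysis; not OpenAM code.
public class PostAuthPluginPropertyGuard {

    // Stand-in for ISAuthConstants.POST_AUTH_PROCESS_INSTANCE (value assumed here).
    static final String POST_AUTH_PROCESS_INSTANCE = "PostAuthProcessInstance";

    /** Constructed stand-in for a session: only a property map. */
    static final class Session {
        final Map<String, String> properties = new HashMap<>();
    }

    /**
     * Constructed stand-in for the authentication session store. Like the real
     * AuthenticationSessionStore.cullSessionIfNecessary, a session that has outlived
     * the max invalid-session time is culled and the lookup yields null.
     */
    static final class SessionStore {
        private final Map<String, Session> sessions = new HashMap<>();
        private final Map<String, Long> createdAt = new HashMap<>();
        private final long maxInvalidSessionMillis; // analogue of invalidsessionmaxtime
        private int nextId = 1;

        SessionStore(long maxInvalidSessionMillis) {
            this.maxInvalidSessionMillis = maxInvalidSessionMillis;
        }

        String create(long nowMillis) {
            String id = "sid-" + nextId++;
            sessions.put(id, new Session());
            createdAt.put(id, nowMillis);
            return id;
        }

        /** Returns null when the id is unknown or the session has timed out. */
        Session getSession(String id, long nowMillis) {
            Long created = createdAt.get(id);
            if (created == null) {
                return null;
            }
            if (nowMillis - created > maxInvalidSessionMillis) {
                sessions.remove(id);   // cull on expiry, as the real store does
                createdAt.remove(id);
                return null;
            }
            return sessions.get(id);
        }
    }

    /** Builds the "a|b|c" property value the same way the excerpt above does. */
    static String joinPostLoginClasses(Set<String> postLoginClassSet) {
        postLoginClassSet.remove("");
        return String.join("|", postLoginClassSet);
    }

    /** Pre-fix shape: dereferences the session without checking for null. */
    static void setPostLoginInstancesPropertyUnguarded(SessionStore store, String sessionId,
                                                       long nowMillis, Set<String> postLoginClassSet) {
        String value = joinPostLoginClasses(postLoginClassSet);
        if (value.isEmpty()) {
            return;
        }
        Session session = store.getSession(sessionId, nowMillis);
        session.properties.put(POST_AUTH_PROCESS_INSTANCE, value); // NPE once the session is culled
    }

    /**
     * Fixed shape: a culled session means there is nothing to record, so behave as
     * if no PAP were configured. Returns whether the property was written.
     */
    static boolean setPostLoginInstancesProperty(SessionStore store, String sessionId,
                                                 long nowMillis, Set<String> postLoginClassSet) {
        String value = joinPostLoginClasses(postLoginClassSet);
        if (value.isEmpty()) {
            return false;
        }
        Session session = store.getSession(sessionId, nowMillis);
        if (session == null) {
            return false; // authentication session already expired and culled
        }
        session.properties.put(POST_AUTH_PROCESS_INSTANCE, value);
        return true;
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(60_000L); // 1 minute, as in the reproduction steps
        String sid = store.create(0L);
        // Constructed PAP list; the empty entry mirrors the remove("") in the excerpt.
        Set<String> paps = new HashSet<>(Arrays.asList("com.example.MyPostAuthPlugin", ""));

        // Within the window the property is written normally.
        boolean applied = setPostLoginInstancesProperty(store, sid, 10_000L, new HashSet<>(paps));
        System.out.println("within timeout: applied=" + applied + " value="
                + store.getSession(sid, 10_000L).properties.get(POST_AUTH_PROCESS_INSTANCE));

        // After the window the unguarded code throws; the REST layer reports that as a 500.
        try {
            setPostLoginInstancesPropertyUnguarded(store, sid, 61_000L, new HashSet<>(paps));
        } catch (NullPointerException e) {
            System.out.println("after timeout, unguarded: NullPointerException");
        }
        // The guarded code simply reports that nothing was recorded.
        applied = setPostLoginInstancesProperty(store, sid, 61_000L, new HashSet<>(paps));
        System.out.println("after timeout, guarded: applied=" + applied);
    }
}
```

The guarded method returns a boolean so a caller (or a log line) can tell the "no PAP configured" case from the "session already culled" case without either one surfacing as an exception to the REST client.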




            • Assignee:
              chee-weng.chea C-Weng C
            • Votes:
              0
            • Watchers:
              5


              • Created: