OpenAM / OPENAM-15905

Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2, 6.5.2.1, 6.5.2.2
    • Fix Version/s: 6.0.1, 7.0.0, 6.5.3
    • Component/s: authentication, session
    • Labels:
    • Environment:
      The realm has a Post Authentication Plugin (PAP) configured.
    • Sprint:
      AM Sustaining Sprint 72
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When a Post Authentication Plugin (PAP) is configured and a login fails after the user has waited a long time during authentication (close to the page session timeout), the code evaluates the authentication session, finds that it has already expired, and the following NullPointerException is thrown:

      Caused by: java.lang.NullPointerException
      at com.iplanet.dpro.session.service.SessionService.setProperty(SessionService.java:242)
      at com.sun.identity.authentication.service.LoginState.setPostLoginInstancesProperty(LoginState.java:4755)
      at com.sun.identity.authentication.service.LoginState.postProcess(LoginState.java:4588)
      at com.sun.identity.authentication.service.AMLoginContext.postProcessOnFail(AMLoginContext.java:1904)
      at com.sun.identity.authentication.service.AMLoginContext.getStatus(AMLoginContext.java:1027)
      at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:591)
      at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:108)
      at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:168)
      at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:491)

      This may result in a 500 Internal Server Error response.

      How to reproduce the issue


      1. Set a short lifetime for the overall page session (see https://backstage.forgerock.com/knowledge/kb/article/a23597700):
         com.iplanet.am.session.invalidsessionmaxtime=[minutes], or in Servers > Sessions Limit change Invalidate Session Max Time from 3 to 1 so that the wait is 1 minute.
      2. Add a PAP (Post Authentication Plugin) to the realm's authentication configuration. Note that the PAP class must be present in AM, and AM must be restarted.
      3. Start AM in debug mode and set a breakpoint at org.forgerock.openam.session.authentication.AuthenticationSessionStore.cullSessionIfNecessary(org.forgerock.openam.session.Session).
      4. Run an authentication request with an invalid password.
      5. When the breakpoint is hit, wait for the timeout configured above before resuming from the breakpoint.
      6. Check the CoreSystem logs for the error.
      Expected behaviour
      The PAP should not cause an exception or a 500 error.

      Current behaviour
      With a PAP configured, an exception and a 500 error occur when the authentication session has timed out.

      IMPACT: REST calls return a 500 error.

      Work around

      Do not configure a PAP, or simply ignore the issue (although in the failure case it may still produce a REST 500 error), since the user did not complete the authentication session in a timely manner anyway.

      Code analysis

      LoginState.java
      4740    private void setPostLoginInstancesProperty(Set<String> postLoginClassSet) {
      4741        postLoginClassSet.remove("");
      4742        String value = StringUtils.join(postLoginClassSet, '|');
      4743
      4744        if (!Utils.isNullOrEmpty(value) && !isNoSession()) {
      4745            try {
      4746                SessionService sessionService = AuthD.getSessionService();
      4747                Session session;
      4748
      4749                if (isTransactionalAuth() || forceAuth) {
      4750                    session = sessionService.getSession(oldSessionReference);
      4751                } else {
      4752                    session = sessionService.getSession(finalSessionId);
      4753                }
      4754
      4755                AuthD.getSessionService().setProperty(session, ISAuthConstants.POST_AUTH_PROCESS_INSTANCE, value);

      The session can be null because the AuthenticationSession was culled after it expired, so the setProperty call at line 4755 dereferences null.

      Fix: if the session is null, simply return and do nothing, as if no PAP were configured.
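      To show the failure mode from the code analysis and the fix side by side, the following is an added, self-contained Java model and not OpenAM code: a store that culls sessions past a maximum age stands in for the authentication session store, the unguarded setter reproduces the NullPointerException once the caller has waited past the limit, and the guarded setter returns without doing anything, as the fix describes. The class names, the 1-minute limit, the property key string and the PAP class name are assumptions chosen for the example.

```java
import java.util.HashMap;
import java.util.Map;

public class PapNullSessionDemo {
    static final String POST_AUTH_PROCESS_INSTANCE = "PostAuthProcessInstance"; // placeholder key name
    static final class Session {
        final Map<String, String> props = new HashMap<>();
        final long createdAtMillis;
        Session(long now) { createdAtMillis = now; }
    }
    /** Hypothetical store that culls sessions older than maxAgeMillis (models invalidsessionmaxtime). */
    static final class ExpiringSessionStore {
        private final Map<String, Session> sessions = new HashMap<>();
        private final long maxAgeMillis;
        ExpiringSessionStore(long maxAgeMillis) { this.maxAgeMillis = maxAgeMillis; }
        void create(String id, long now) { sessions.put(id, new Session(now)); }
        /** Returns null once the session has timed out: the culled case behind the reported trace. */
        Session getSession(String id, long now) {
            Session s = sessions.get(id);
            if (s != null && now - s.createdAtMillis > maxAgeMillis) { sessions.remove(id); return null; }
            return s;
        }
    }
    /** Original shape: dereferences the session unconditionally, so a timed-out session means an NPE. */
    static void setPostLoginInstancesPropertyUnguarded(ExpiringSessionStore store, String id, long now, String value) {
        Session session = store.getSession(id, now);
        session.props.put(POST_AUTH_PROCESS_INSTANCE, value); // NullPointerException when session == null
    }

    /** Fixed shape: a missing session is treated as "no PAP to record"; returns whether the property was set. */
    static boolean setPostLoginInstancesPropertyGuarded(ExpiringSessionStore store, String id, long now, String value) {
        Session session = store.getSession(id, now);
        if (session == null) {
            return false; // authentication session already expired: return and do nothing
        }
        session.props.put(POST_AUTH_PROCESS_INSTANCE, value);
        return true;
    }
    public static void main(String[] args) {
        ExpiringSessionStore store = new ExpiringSessionStore(60_000); // 1 minute, as in the reproduction steps
        store.create("auth-1", 0);
        long afterTimeout = 61_000; // the caller waited past the limit, like the paused breakpoint
        String pap = "com.example.MyPap"; // constructed PAP class name
        System.out.println("guarded set property: " + setPostLoginInstancesPropertyGuarded(store, "auth-1", afterTimeout, pap));
        try { setPostLoginInstancesPropertyUnguarded(store, "auth-1", afterTimeout, pap); }
        catch (NullPointerException e) { System.out.println("unguarded: NullPointerException, as in the reported trace"); }
    }
}
```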

            People

            • Assignee: chee-weng.chea (C-Weng C)
            • Reporter: chee-weng.chea (C-Weng C)