OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive



    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 5.5.3, 6.0.1, 6.5.3, 7.1.0, 7.0.1
    • UI
    • AM Sustaining Sprint 74, AM Sustaining Sprint 75, AM Sustaining Sprint 76, AM Sustaining Sprint 77, AM Sustaining Sprint 78


      The Session Property Whitelist Service does not validate the list of Property Names on entry or on Save Changes, so case variants such as "mail, MAIL, maiL, ..." are all accepted, but only the latest one is stored on the DS server (which is not case sensitive).

      How to reproduce the issue

      1. Add the Session Property Whitelist Service to any realm (FR DS was used, but any DS should behave similarly).
      2. Update the Session Property Whitelist Service with Property Names in variant representations, e.g. mail MAIL mAiL, and Save Changes.
      3. Check what was saved via the Service on the LDAP server (DS).
      Expected behaviour
      The field used for Whitelisted Session Property Names evaluates the entries in the list to ensure there are no malformed duplicates.
      Current behaviour
      All attribute variants are saved via the AM Console, and AM only sends the last version of the attribute to DS.

      Work around

      Be sure that the Property Name is entered exactly as it will appear in, or be called from, DS (which is case sensitive).

      See the case for more details, but this was causing grief across the whole deployment model because the user would never know just by making the change in the console, unless they double-checked in DS to confirm the same and reported the discrepancy. This is misleading in the subsequent deploy, because only the last or latest iteration of the attribute is stored.

      [ahale@ashmanMMXX bin]$ ldapsearch -h ashmanMMXX -p 51389 -D "cn=Directory Manager" -w cangetinam -b "ou=default,ou=OrganizationConfig,ou=1.0,ou=SessionPropertyWhitelistService,ou=services,dc=openam,dc=forgerock,dc=org"
      # extended LDIF
      # LDAPv3
      # base <ou=default,ou=OrganizationConfig,ou=1.0,ou=SessionPropertyWhitelistService,ou=services,dc=openam,dc=forgerock,dc=org> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      ## default, OrganizationConfig, 1.0, SessionPropertyWhitelistService, services, 
      dn: ou=default,ou=OrganizationConfig,ou=1.0,ou=SessionPropertyWhitelistService
      objectClass: top
      objectClass: sunServiceComponent
      objectClass: organizationalUnit
      ou: default
      sunKeyValue: forgerock-session-property-whitelist=MAil
      sunKeyValue: forgerock-session-property-whitelist=am.protected.mail
      sunKeyValue: forgerock-session-property-whitelist=AMCtxId
      sunKeyValue: forgerock-session-property-whitelist=am.protected.user.mail
      # search result
      search: 2
      result: 0 Success
      # numResponses: 2
      # numEntries: 1
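The following is an added example, not OpenAM code: a pre-save check that flags Property Names DS would fold into one value (the validation the "Expected behaviour" above asks for), a simulation of the last-write-wins collapse seen in the ldapsearch output, and a comparison of the configured list against an LDIF fragment. The whitespace handling in ldap_fold approximates DS's caseIgnoreMatch and the sample data is constructed.

```python
"""Case-variant checks for the Session Property Whitelist (OPENAM-16157).
Example code added for illustration; not part of OpenAM. Sample data is constructed."""
import re

KEY = "forgerock-session-property-whitelist"


def ldap_fold(value: str) -> str:
    """Approximation of DS caseIgnoreMatch (assumption): case-insensitive,
    leading/trailing whitespace ignored, internal whitespace runs collapsed."""
    return re.sub(r"\s+", " ", value.strip()).casefold()


def find_case_variant_duplicates(names):
    """Group configured names that DS would treat as the same value.
    Returns {folded_key: [variants...]} only for keys with more than one variant."""
    groups = {}
    for n in names:
        groups.setdefault(ldap_fold(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


def simulate_ds_store(names):
    """What DS ends up holding: one value per folded key, last write wins
    (the ticket's 'mail, MAIL, MAil' ends up as just 'MAil')."""
    kept = {}
    for n in names:
        kept[ldap_fold(n)] = n
    return list(kept.values())


def whitelist_from_ldif(ldif_text):
    """Extract the whitelist values from ldapsearch output."""
    pattern = rf"^sunKeyValue: {re.escape(KEY)}=(.*)$"
    return [m.group(1) for m in re.finditer(pattern, ldif_text, re.M)]


def missing_from_ds(configured, ldif_text):
    """Names the console shows but DS does not return (exact string compare)."""
    stored = set(whitelist_from_ldif(ldif_text))
    return [n for n in configured if n not in stored]


# Constructed sample: what an admin typed into the console...
CONFIGURED = ["mail", "MAIL", "MAil", "am.protected.mail", "AMCtxId", "am.protected.user.mail"]
# ...and a constructed LDIF fragment modelled on the ldapsearch output above.
SAMPLE_LDIF = """\
dn: ou=default,ou=OrganizationConfig,ou=1.0,ou=SessionPropertyWhitelistService,ou=services,dc=example,dc=com
sunKeyValue: forgerock-session-property-whitelist=MAil
sunKeyValue: forgerock-session-property-whitelist=am.protected.mail
sunKeyValue: forgerock-session-property-whitelist=AMCtxId
sunKeyValue: forgerock-session-property-whitelist=am.protected.user.mail
"""
```

Running find_case_variant_duplicates(CONFIGURED) before Save Changes would reject the entry, and missing_from_ds(CONFIGURED, SAMPLE_LDIF) shows which console entries silently never reached DS.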



              lawrence.yarham Lawrence Yarham
              ashley.hale Ashley Hale