Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-16233

Policy evaluation fails when subject not found (even in ignore profile)


    • Sprint:
      AM Sustaining Sprint 75, AM Sustaining Sprint 76
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
    • Functional tests:


      Bug description

      Say you enter

      curl -v -s --request POST -H 'X-Requested-With: curl' -H 'Cookie: iPlanetDirectoryPro=<somessotoken>' --header 'Content-Type: application/json' --data '{}' 'http://am.example.com:8080/openam/json/authenticate?resource=true&ForceAuth=true&resourceURL=http://website.example.com:80/index.html&authIndexType=resource&authIndexValue=true'

      or claims Eg: http://yaunap.blogspot.com/2016/07/fun-with-openam13-authz-policies-over.html

      curl --request POST --header "iPlanetDirectoryPro: AQIC5…*” --header "Content-Type: application/json" --data '{"resources":["customers"],"application":"api","subject":{"claims":{"sub":"","iss":"http://as.uma.com:8080/openam/oauth2/ScopeAz"}}}' http://as.uma.com:8080/openam/json/ScopeAz/policies?_action=evaluate 

      issues like this happens

      Caused by: java.lang.NullPointerException
              at com.sun.identity.entitlement.PrivilegeEvaluator.isSubjectActive(PrivilegeEvaluator.java:418)
              at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:279)
              at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:263)
              at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:198)
              at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:153)
              at org.forgerock.openam.entitlement.rest.EntitlementEvaluatorFactory$EntitlementEvaluatorWrapper.evaluateBatch(EntitlementEvaluatorFactory.java:58)
              at org.forgerock.openam.entitlement.rest.model.json.BatchPolicyRequest.dispatch(BatchPolicyRequest.java:46)

      Also there is a search for the user on the subject using "" on the realm (performance issue too).

      So cases like

      • Realm ignore profile is not consider
      • If one do not use profile for policy evaluation but passes the claims and other, the usecase is totally broken. Eg: login thru external ldap but datastore does not have such user (still want to realm to use profile if available.)
      • Resource based login fails too (which needs subject is null)

      How to reproduce the issue

      1. Create a test realm
      2. Create a Policy say to grant all, Authenticatedusers, ACTION=POST/GET
      3. Enter the above URL (using resouce login) for example. See it fails 500 (TEST #1 where subject is NULL path)
      4. Repeat with policy evaluation (example 2) with authenticate session where user is not existent (say thru a LDAP) or use a claims or JWT type policy evaluation. (TEST#2 where subject comes from claims)
      5. Repeat the test with ignore profile realm but the ssotoken. exists.
      Expected behaviour
      Somehow old stuff should work.
      - Resource based login works
      - Ignore profile in realm works
      Current behaviour
      Get 500 failure for resource based login and also if using policy evaluation on other subject that does not exists may fail

      Work around


      Code analysis

      • Happens on 5.5.2 (not in 5.5.1)


          Issue Links



              • Assignee:
                pete.rogers Pete Rogers
                chee-weng.chea C-Weng C
              • Votes:
                0 Vote for this issue
                5 Start watching this issue


                • Created: