OpenAM: OPENAM-16258

Resource login fails to work to Authenticate to Module instance


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3, 5.5.2, 7.0.0
    • Fix Version/s: None
    • Component/s: authentication

      Description

      Bug description

      Resource-based login does not work when combined with the "Authenticate to Module instance" policy condition (steps as in OPENAM-13879). This worked before 5.5.2 and 6.5.2.

      How to reproduce the issue

      1. Create a Policy on the Root realm

      {
        "name": "PushResource",
        "active": true,
        "description": "",
        "applicationName": "iPlanetAMWebAgentService",
        "actionValues": {"HEAD": true, "POST": true, "GET": true},
        "resources": ["http://www.example.com:8080/index.html"],
        "subject": {
          "type": "OR",
          "subjects": [
            {"type": "NOT", "subject": {"type": "NONE"}},
            {"type": "AuthenticatedUsers"}
          ]
        },
        "condition": {"type": "AuthScheme", "authScheme": ["Push"], "applicationIdleTimeout": 0},
        "resourceTypeUuid": "76656a38-5f8e-401b-83aa-4ccb74ce88d2",
        "lastModifiedBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
        "lastModifiedDate": "2020-05-20T05:21:08.955Z",
        "createdBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
        "creationDate": "2020-05-20T05:20:21.576Z"
      }


      2. Create an Authentication Module for ForgeRock Push named "Push"

      3. Restart AM due to OPENAM-11780

      4. Use a browser to access
      http://openam.example.com:8080/openam/XUI/?resource=true&resourceURL=http://www.example.com:8080/index.html&realm=/#login

      5. Alternatively

        curl \
          -s -k \
          -D - \
          -X 'POST' \
          -H 'Content-Length: 0' \
          -H 'Cache-Control: no-cache' \
          -H 'Accept-API-Version: protocol=1.0,resource=2.1' \
          -H 'Content-Type: application/json' \
          -H 'Accept: application/json, text/javascript, */*; q=0.01' \
          -H 'X-Requested-With: XMLHttpRequest' \
          'http://openam.example.com:8080/openam/json/realms/root/authenticate?resource=true&resourceURL=http://www.example.com:8080/index.html&authIndexType=resource&authIndexValue=true'
      
      Expected behaviour
      - See the Push UI
      - Or Push authId REST response payload
      
      Current behaviour
      - Module not found. "dc=openam,dc=forgerock,dc=org:Push"
      - Authentication REST error
      
      HTTP/1.1 404 Not Found
      Server: Apache-Coyote/1.1
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Cache-Control: no-cache, no-store, must-revalidate
      Content-API-Version: resource=2.1
      Expires: 0
      Pragma: no-cache
      Content-Type: application/json
      Content-Length: 78
      Date: Wed, 20 May 2020 07:31:10 GMT
      
      {"code":404,"reason":"Not Found","message":"Authentication Module Not Found."}
      

      Workaround

      None.

      Code analysis

      The code requested an Advice for the module "dc=openam,dc=forgerock,dc=org:Push".

      AuthSchemeCondition.java
      // getRealmAwareScheme assumes the realm is in path form ("/...."), but in the
      // case above the caller passes a DN value (the organization name) instead.
      

      It seems that com.sun.identity.policy.PolicyEvaluator.getPolicyDecision()
      passes orgName instead of the realm (line 654):

                      List<Entitlement> entitlements = eval.evaluate(
                              orgName, sbj, resourceName, envParameters, false);
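      As an added illustration (not OpenAM's code) of the mismatch described above: a realm-aware scheme key built from the organization DN never matches a module registered under the realm path, which is what produces the 404. The DN layout (root suffix dc=openam,dc=forgerock,dc=org taken from the error message, sub-realms nested as o=<name>,ou=services,<parent DN>) and the "<realm>:<module>" key format are assumptions made for the example.

```python
# Added example (not OpenAM code): model of the realm-aware scheme lookup.
# Assumptions: the root realm's organization DN is the suffix seen in the
# error message, sub-realm DNs nest as "o=<name>,ou=services,<parent DN>",
# and module instances are keyed as "<realm path>:<module name>".
ROOT_SUFFIX = "dc=openam,dc=forgerock,dc=org"


def org_dn_to_realm_path(org_name: str, root_suffix: str = ROOT_SUFFIX) -> str:
    """Return the realm path ("/", "/a", "/a/b") for a realm path or an org DN."""
    value = org_name.strip()
    if value.startswith("/"):
        return value                      # already in realm-path form
    if value.lower() == root_suffix.lower():
        return "/"                        # root realm
    suffix = "," + root_suffix.lower()
    if not value.lower().endswith(suffix):
        raise ValueError(f"not under {root_suffix}: {org_name}")
    rdns = [r.strip() for r in value[: -len(suffix)].split(",")]
    names = []
    # Expect leaf-to-root pairs of "o=<name>", "ou=services".
    for i in range(0, len(rdns), 2):
        attr, _, name = rdns[i].partition("=")
        if attr.lower() != "o" or i + 1 >= len(rdns) or rdns[i + 1].lower() != "ou=services":
            raise ValueError(f"unexpected realm DN layout: {org_name}")
        names.append(name)
    return "/" + "/".join(reversed(names))


def realm_aware_scheme(realm_or_org: str, module: str, normalize: bool = True) -> str:
    """Build the lookup key. normalize=False reproduces the reported behaviour:
    the caller's DN is used verbatim, giving "dc=openam,...:Push"."""
    realm = org_dn_to_realm_path(realm_or_org) if normalize else realm_or_org
    return f"{realm}:{module}"


def find_module(registry: dict, realm_or_org: str, module: str, normalize: bool = True):
    """Look up a module instance; None models 'Authentication Module Not Found'."""
    return registry.get(realm_aware_scheme(realm_or_org, module, normalize))


if __name__ == "__main__":
    # Constructed sample registry: the Push module exists in the root realm.
    registry = {"/:Push": "FR Push module instance (constructed sample)"}
    print(find_module(registry, ROOT_SUFFIX, "Push", normalize=False))  # None (the bug)
    print(find_module(registry, ROOT_SUFFIX, "Push"))                   # the instance
```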
      

      People

      Assignee: Unassigned
      Reporter: chee-weng.chea (C-Weng C)