Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-16357

enabling Restricted Token (com.sun.identity.enableUniqueSSOTokenCookie=true) causes error when AM checks property value

    XMLWordPrintable

    Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Won't Fix
    • 6.0.0.7
    • None
    • session
    • Rank:
      1|i017if:
    • No
    • No
    • No
    • Yes and I used the same an in the description

      Description

      Bug description

      when uniqueSSOToken is enabled and a property value is checked (for example agent is using profile attribute processing), an error occurs in the Policy:

       

       

      _amPolicy:02/14/2020 11:13:24:920 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-9,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378]
 PolicyRequestHandler.processPolicyRequest(): respAttrs=[departmentNumber]
 amPolicy:02/14/2020 11:13:24:921 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-9,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378]
 ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token
 com.iplanet.sso.SSOException: Illegal attempt to use a restricted token.
         at com.iplanet.sso.providers.dpro.SessionSsoToken.getPropertyInternal(SessionSsoToken.java:274)
         at com.iplanet.sso.providers.dpro.SessionSsoToken.getProperty(SessionSsoToken.java:288)
         at com.sun.identity.policy.remote.PolicyRequestHandler.getResponseAttributeValues(PolicyRequestHandler.java:478)
         at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyRequest(PolicyRequestHandler.java:400)
         at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyServiceRequest(PolicyRequestHandler.java:250)
         at com.sun.identity.policy.remote.PolicyRequestHandler.processRequest(PolicyRequestHandler.java:204)
         at com.sun.identity.policy.remote.PolicyRequestHandler.process(PolicyRequestHandler.java:141)
         at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:202)
         at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:140)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)_

       

       

      How to reproduce the issue

      Details steps outlining how to recreate the issue (remove this text)

      1.  Setup Agent w/ Cookie Hijacking which includes enableUniqueSSOTokenCookie
      2. Setup Policy for said Agent protected resource
      3. Add profile attribute processing to Agent (such as uid and mail)
      4. Go to Agent resource
      5. It will send you to AM to authenticate, and back to the Agent
      6. Check Policy logs for this error_ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token com.iplanet.sso.SSOException: Illegal attempt to use a restricted token._
      Expected behaviour
      No error , it will allow restricted tokens
      Current behaviour
      Agent gives 403 error

       

      Workaround

       Upgrade the agents to 5.x to make use of REST calls to sessions, instead of the legacy PLL calls.

        Attachments

          Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. AMAGENTS-2116 Illegal attempt to use a restricted token when configured profile attribute fetching

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              kamal.sivanandam@forgerock.com Kamal Sivanandam
              david.bate David Bate
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: