Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-16357

enabling Restricted Token (com.sun.identity.enableUniqueSSOTokenCookie=true) causes error when AM checks property value


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s:
    • Fix Version/s: None
    • Component/s: session
    • Labels:
    • Needs backport:
    • Support Ticket IDs:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description


      Bug description

      when uniqueSSOToken is enabled and a property value is checked (for example agent is using profile attribute processing), an error occurs in the Policy:



      _amPolicy:02/14/2020 11:13:24:920 AM CST: Thread[ajp-nio-,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378]
       PolicyRequestHandler.processPolicyRequest(): respAttrs=[departmentNumber]
       amPolicy:02/14/2020 11:13:24:921 AM CST: Thread[ajp-nio-,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378]
       ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token
       com.iplanet.sso.SSOException: Illegal attempt to use a restricted token.
               at com.iplanet.sso.providers.dpro.SessionSsoToken.getPropertyInternal(SessionSsoToken.java:274)
               at com.iplanet.sso.providers.dpro.SessionSsoToken.getProperty(SessionSsoToken.java:288)
               at com.sun.identity.policy.remote.PolicyRequestHandler.getResponseAttributeValues(PolicyRequestHandler.java:478)
               at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyRequest(PolicyRequestHandler.java:400)
               at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyServiceRequest(PolicyRequestHandler.java:250)
               at com.sun.identity.policy.remote.PolicyRequestHandler.processRequest(PolicyRequestHandler.java:204)
               at com.sun.identity.policy.remote.PolicyRequestHandler.process(PolicyRequestHandler.java:141)
               at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:202)
               at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:140)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)_



      How to reproduce the issue

      Details steps outlining how to recreate the issue (remove this text)

      1.  Setup Agent w/ Cookie Hijacking which includes enableUniqueSSOTokenCookie
      2. Setup Policy for said Agent protected resource
      3. Add profile attribute processing to Agent (such as uid and mail)
      4. Go to Agent resource
      5. It will send you to AM to authenticate, and back to the Agent
      6. Check Policy logs for this error_ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token com.iplanet.sso.SSOException: Illegal attempt to use a restricted token._
      Expected behaviour
      No error , it will allow restricted tokens
      Current behaviour
      Agent gives 403 error



       Upgrade the agents to 5.x to make use of REST calls to sessions, instead of the legacy PLL calls.


          Issue Links



              • Assignee:
                kamal.sivanandam@forgerock.com Kamal Sivanandam
                david.bate David Bate
              • Votes:
                1 Vote for this issue
                6 Start watching this issue


                • Created: