[OPENAM-16357] enabling Restricted Token (com.sun.identity.enableUniqueSSOTokenCookie=true) causes error when AM checks property value - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Won't Fix
Affects Version/s: 6.0.0.7
Fix Version/s: None
Component/s: session
Labels:
- EDISON

Rank:
1|i017if:

Needs backport:

No

Support Ticket IDs:

Needs QA verification:

No
Functional tests:

No
Are the reproduction steps defined?:

Yes and I used the same an in the description

Description

Bug description

when uniqueSSOToken is enabled and a property value is checked (for example agent is using profile attribute processing), an error occurs in the Policy:

_amPolicy:02/14/2020 11:13:24:920 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-9,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378]
 PolicyRequestHandler.processPolicyRequest(): respAttrs=[departmentNumber]
 amPolicy:02/14/2020 11:13:24:921 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-9,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378]
 ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token
 com.iplanet.sso.SSOException: Illegal attempt to use a restricted token.
         at com.iplanet.sso.providers.dpro.SessionSsoToken.getPropertyInternal(SessionSsoToken.java:274)
         at com.iplanet.sso.providers.dpro.SessionSsoToken.getProperty(SessionSsoToken.java:288)
         at com.sun.identity.policy.remote.PolicyRequestHandler.getResponseAttributeValues(PolicyRequestHandler.java:478)
         at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyRequest(PolicyRequestHandler.java:400)
         at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyServiceRequest(PolicyRequestHandler.java:250)
         at com.sun.identity.policy.remote.PolicyRequestHandler.processRequest(PolicyRequestHandler.java:204)
         at com.sun.identity.policy.remote.PolicyRequestHandler.process(PolicyRequestHandler.java:141)
         at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:202)
         at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:140)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)_

How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

Setup Agent w/ Cookie Hijacking which includes enableUniqueSSOTokenCookie
Setup Policy for said Agent protected resource
Add profile attribute processing to Agent (such as uid and mail)
Go to Agent resource
It will send you to AM to authenticate, and back to the Agent
Check Policy logs for this error_ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token com.iplanet.sso.SSOException: Illegal attempt to use a restricted token._

Expected behaviour

No error , it will allow restricted tokens

Current behaviour

Agent gives 403 error

Workaround

Upgrade the agents to 5.x to make use of REST calls to sessions, instead of the legacy PLL calls.

Attachments

Issue Links

duplicates

AMAGENTS-2116 Illegal attempt to use a restricted token when configured profile attribute fetching

Resolved

Activity

People

Assignee:

Kamal Sivanandam

Reporter:

David Bate

Votes:

1 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

10/Jun/20 8:27 PM

Updated:

21/Nov/20 11:03 PM

Resolved:

21/Aug/20 4:26 PM