OpenAM / OPENAM-16484

sessions endpoint triggers checkPermission to check agent type

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.0.0, 6.5.0, 6.5.2
    • Fix Version/s: None
    • Component/s: rest, session
    • Labels: None

      Description

      Bug description

      Checking the agent type with the caller's user token triggers a delegation permission check.

      How to reproduce the issue

      1. Set up OpenAM 6.5.2.2 or 6.5.2.3.
      2. Use Gatling or another load-testing tool to hit the /sessions endpoint.
      3. Take a couple of thread dumps.

      You will see a stack trace that is trying to get the agent type:

      "default task-110" #501 prio=5 os_prio=0 tid=0x00000000055cd000 nid=0x6e72 runnable [0x00007fcb6a628000]
         java.lang.Thread.State: TIMED_WAITING (parking)
              at sun.misc.Unsafe.park(Native Method)
              - parking to wait for  <0x000000060af35518> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
              at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:215)
              at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2078)
              at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
              at org.forgerock.opendj.ldif.ConnectionEntryReader.getNextResponse(ConnectionEntryReader.java:379)
              at org.forgerock.opendj.ldif.ConnectionEntryReader.hasNext(ConnectionEntryReader.java:212)
              at com.sun.identity.sm.ldap.SearchResultIterator.hasNext(SearchResultIterator.java:70)
              at com.sun.identity.entitlement.opensso.SmsPolicyDataService.search(SmsPolicyDataService.java:350)
              at com.sun.identity.entitlement.opensso.OpenSSOIndexStore$SearchTask.run(OpenSSOIndexStore.java:348)
              at com.sun.identity.entitlement.SequentialThreadPool.submit(SequentialThreadPool.java:38)
              at com.sun.identity.entitlement.opensso.OpenSSOIndexStore.search(OpenSSOIndexStore.java:246)
              at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:279)
              at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:259)
              at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:196)
              at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:654)
              at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:604)
              at com.sun.identity.delegation.plugins.DelegationPolicyImpl.isAllowed(DelegationPolicyImpl.java:550)
              at com.sun.identity.delegation.DelegationEvaluatorImpl.isAllowed(DelegationEvaluatorImpl.java:219)
              at com.sun.identity.idm.server.IdServicesImpl.checkPermission(IdServicesImpl.java:2575)
              at com.sun.identity.idm.server.IdServicesImpl.getAttributes(IdServicesImpl.java:620)
              at com.sun.identity.idm.server.IdCachedServicesImpl.getAttributes(IdCachedServicesImpl.java:400)
              at com.sun.identity.idm.AMIdentity.getAttribute(AMIdentity.java:463)
              at org.forgerock.openam.core.rest.session.action.AbstractSessionPropertiesActionHandler.isAgent(AbstractSessionPropertiesActionHandler.java:87)
              at org.forgerock.openam.core.rest.session.action.AbstractSessionPropertiesActionHandler.getSessionProperties(AbstractSessionPropertiesActionHandler.java:59)
              at org.forgerock.openam.core.rest.session.action.GetSessionInfoActionHandler$1.run(GetSessionInfoActionHandler.java:71)
              at org.forgerock.openam.core.rest.session.action.GetSessionInfoActionHandler$1.run(GetSessionInfoActionHandler.java:65)
              at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:81)
              at org.forgerock.openam.core.rest.session.action.GetSessionInfoActionHandler.handle(GetSessionInfoActionHandler.java:64)
              at org.forgerock.openam.core.rest.session.SessionResourceV2.internalHandleAction(SessionResourceV2.java:318)
              at org.forgerock.openam.core.rest.session.SessionResourceV2.actionCollection(SessionResourceV2.java:304) 
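
As an added diagnostic for step 3 (not part of the ticket or the OpenAM code base), the following Python script parses a HotSpot thread dump and counts request threads that are inside the delegation check triggered by AbstractSessionPropertiesActionHandler.isAgent(); the embedded dump is a constructed sample modelled on the trace above, not a real capture.

```python
import re
from collections import Counter

# Constructed sample thread dump modelled on the trace in the ticket; not a real capture.
SAMPLE_DUMP = '''\
"default task-110" #501 prio=5 os_prio=0 tid=0x1 nid=0x6e72 runnable [0x1]
   java.lang.Thread.State: TIMED_WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:279)
        at com.sun.identity.idm.server.IdServicesImpl.checkPermission(IdServicesImpl.java:2575)
        at com.sun.identity.idm.AMIdentity.getAttribute(AMIdentity.java:463)
        at org.forgerock.openam.core.rest.session.action.AbstractSessionPropertiesActionHandler.isAgent(AbstractSessionPropertiesActionHandler.java:87)
        at org.forgerock.openam.core.rest.session.SessionResourceV2.actionCollection(SessionResourceV2.java:304)

"default task-111" #502 prio=5 os_prio=0 tid=0x2 nid=0x6e73 runnable [0x2]
   java.lang.Thread.State: RUNNABLE
        at com.sun.identity.idm.AMIdentity.getAttribute(AMIdentity.java:463)
        at org.forgerock.openam.core.rest.session.action.AbstractSessionPropertiesActionHandler.isAgent(AbstractSessionPropertiesActionHandler.java:87)
'''

HEADER = re.compile(r'^"(?P<name>[^"]+)"')                 # thread header line
STATE = re.compile(r'java\.lang\.Thread\.State: (\S+)')   # e.g. TIMED_WAITING
FRAME = re.compile(r'^\s+at (\S+)\(', re.M)               # fully qualified method per frame
ISAGENT = 'AbstractSessionPropertiesActionHandler.isAgent'
CHECKPERM = 'IdServicesImpl.checkPermission'

def parse_threads(dump):
    """Split a HotSpot thread dump into (name, state, frames); frames are innermost-first."""
    threads = []
    for block in re.split(r'\n(?=")', dump):   # every thread starts with a quoted name
        header, state = HEADER.match(block), STATE.search(block)
        if header:
            threads.append((header['name'], state.group(1) if state else '?', FRAME.findall(block)))
    return threads

def classify(frames):
    """'isAgent->checkPermission' if inside the check isAgent() triggered, 'isAgent' if in isAgent() only."""
    idx = {k: next((i for i, f in enumerate(frames) if f.endswith(k)), None)
           for k in (ISAGENT, CHECKPERM)}
    if idx[ISAGENT] is None:
        return None
    # frames are innermost-first, so a smaller index means deeper in the call chain
    if idx[CHECKPERM] is not None and idx[CHECKPERM] < idx[ISAGENT]:
        return 'isAgent->checkPermission'
    return 'isAgent'

def summarize(dump):
    """Count request threads by position relative to the isAgent() check and by thread state."""
    pairs = ((classify(frames), state) for _, state, frames in parse_threads(dump))
    return dict(Counter(f'{lbl} [{state}]' for lbl, state in pairs if lbl))
```

Running summarize() over several dumps taken under load shows whether most /sessions threads are parked in the policy evaluation rather than in session retrieval itself.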

      Expected behaviour

      AbstractSessionPropertiesActionHandler.isAgent can avoid invoking the permission check, as the main purpose of the /sessions endpoint is to retrieve session properties, not to check whether the caller's token has permission to read its own profile in order to determine the agent type.

      Current behaviour

      isAgent() invokes a permission check.

      Work around

      N/A

      Code analysis

      This is similar to OPENAM-16334. The IdentityUtils.isCASPAorJASPA() method existed in AbstractSessionPropertiesActionHandler and has now moved to AgentConfiguration.isIntegrationAgent() via AME-16239. It still uses the caller's SSOToken to retrieve the AMIdentity, and the agent-type check could be optimized slightly as well. Also, we should merge IdentityUtils.isCASPAorJASPA() and call the same method, from a future-maintenance point of view.

      com.sun.identity.common.configuration.AgentConfiguration.java
          /**
           * @param agentType The agentType to check
           * @return true if the agentType is a Web/J2EE or IG agent
           */
          public static boolean isIntegrationAgent(final String agentType) {
              return (AGENT_TYPE_J2EE.equalsIgnoreCase(agentType) || AGENT_TYPE_WEB.equalsIgnoreCase(agentType)
                      || AGENT_TYPE_IDENTITY_GATEWAY.equalsIgnoreCase(agentType));
          }
      

      People

      • Assignee: Unassigned
      • Reporter: Sachiko Wallace (sachiko)