OpenAM Agents / AMAGENTS-2244

J2EE profile attribute mapper cannot handle identities with special chars in universal ID


    Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Expired
    • None
    • None
    • J2EE Agents
    • OpenAM 10, J2EE Policy Agent 3.0.3 for Tomcat
    • XAR-993-43977

      Description

      Create an identity in the data store which has a 'plus sign' in the attribute configured as the naming attribute in the data store config, e.g. use the following LDIF:

      dn: uid=foo+bar,ou=people,dc=opensso,dc=java,dc=net
      objectClass: iplanet-am-auth-configuration-service
      objectClass: sunIdentityServerLibertyPPService
      objectClass: sunAMAuthAccountLockout
      objectClass: sunFederationManagerDataStore
      objectClass: iplanet-am-managed-person
      objectClass: iPlanetPreferences
      objectClass: sunFMSAML2NameIdentifier
      objectClass: person
      objectClass: inetorgperson
      objectClass: organizationalperson
      objectClass: inetuser
      objectClass: iplanet-am-user-service
      objectClass: top
      givenName:: RnLDqWTDqXJpYw==
      inetUserStatus: Active
      cn:: RnLDqWTDqXJpYyBNYXV6aW4=
      sn: Mauzin
      userPassword: password
      mail: foo+bar@forgerock.org
      uid: foo+bar

      Configure agent profile to fetch profile attributes ...

      Excerpt from agent profile:
      com.sun.identity.agents.config.profile.attribute.fetch.mode=HTTP_HEADER
      com.sun.identity.agents.config.profile.attribute.mapping[mail]=CUSTOM-EMAIL

      I intentionally tried to fetch an attribute which does not have the plus sign.

      The agent will deny access because of the following exception.

      ERROR: AmFilter: Error while delegating to inbound handler: Profile Attribute Task Handler, access will be denied
      [AgentException Stack]
      com.sun.identity.agents.arch.AgentException: Unable to obtain attributes: {mail=CUSTOM-EMAIL}, for user: id=foo+bar,ou=user,dc=opensso,dc=java,dc=net
      at com.sun.identity.agents.common.ProfileAttributeHelper.getAttributeMap(ProfileAttributeHelper.java:141)
      at com.sun.identity.agents.common.ProfileAttributeHelper.getAttributeMap(ProfileAttributeHelper.java:157)
      at com.sun.identity.agents.filter.ProfileAttributeTaskHandler.getUserAttributes(ProfileAttributeTaskHandler.java:68)
      at com.sun.identity.agents.filter.AttributeTaskHandler.process(AttributeTaskHandler.java:82)
      at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:191)
      at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:154)
      at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:71)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      at java.lang.Thread.run(Thread.java:619)
      --------
      Message:Illegal universal identifier id=foo+bar,ou=user,dc=opensso,dc=java,dc=net.

      at com.sun.identity.idm.IdUtils.getIdentity(IdUtils.java:292)
      at com.sun.identity.idm.IdUtils.getIdentity(IdUtils.java:271)
      at com.sun.identity.idm.IdUtils.getIdentity(IdUtils.java:241)
      at com.sun.identity.agents.common.ProfileAttributeHelper.getAttributeMap(ProfileAttributeHelper.java:125)
      at com.sun.identity.agents.common.ProfileAttributeHelper.getAttributeMap(ProfileAttributeHelper.java:157)
      at com.sun.identity.agents.filter.ProfileAttributeTaskHandler.getUserAttributes(ProfileAttributeTaskHandler.java:68)
      at com.sun.identity.agents.filter.AttributeTaskHandler.process(AttributeTaskHandler.java:82)
      at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:191)
      at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:154)
      at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:71)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      at java.lang.Thread.run(Thread.java:619)

      amFilter:11/13/2012 01:14:28:248 PM CET: Thread[http-8080-1,5,main]
      AmFilter: result =>

      -----------------------------------------------------------
      FilterResult:
      Status : FORBIDDEN
      ProcessResponse : false
      RedirectURL : null
      RequestURL : null
      RequestHelper:
      null

      Data:
      null

      -----------------------------------------------------------
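
Added example, not part of the original report and not OpenAM code: in LDAP DN string syntax an unescaped '+' joins the attribute-value pairs of a multi-valued RDN, so the text after the '+' in "id=foo+bar,..." is read as a second attribute type rather than as part of the user name; the code checks the raw and the escaped form with the JDK's own DN parser. It assumes the universal ID is validated as a DN, which the report does not state; the class and method names are hypothetical.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical demo class; uses only the JDK's JNDI LDAP name classes.
public class UniversalIdEscaping {

    // Suffix copied from the universal ID shown in the stack trace.
    static final String SUFFIX = ",ou=user,dc=opensso,dc=java,dc=net";

    /** Returns true if the JDK's DN parser accepts the string. */
    static boolean isValidDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    /** Builds a DN-shaped ID with DN metacharacters in the user name escaped. */
    static String buildEscapedId(String userName) {
        return "id=" + Rdn.escapeValue(userName) + SUFFIX;
    }

    public static void main(String[] args) throws InvalidNameException {
        String userName = "foo+bar"; // naming attribute value from the LDIF

        // Naive concatenation: the '+' is left as DN syntax.
        String raw = "id=" + userName + SUFFIX;
        // Escaped concatenation: the '+' becomes part of the value.
        String escaped = buildEscapedId(userName);

        System.out.println(raw + " -> valid DN: " + isValidDn(raw));
        System.out.println(escaped + " -> valid DN: " + isValidDn(escaped));

        // The leftmost RDN is the highest index in an LdapName.
        LdapName parsed = new LdapName(escaped);
        Object value = parsed.getRdn(parsed.size() - 1).getValue();
        System.out.println("user name recovered from escaped ID: " + value);
    }
}
```

The same escaping question applies to any user-controlled value concatenated into a DN, including ',' '=' and '\' in a naming attribute.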

              People

              peter.major Peter Major [X] (Inactive)
              bthalmayr Bernhard Thalmayr