OpenAM / OPENAM-4192

Minor unexpected behaviours surrounding referral policies during certain edge-cases

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Expired
    • Affects Version/s: 11.0.1
    • Fix Version/s: None
    • Component/s: policy
    • Needs backport: No
    • Needs QA verification: No
    • Functional tests: No
    • Are the reproduction steps defined?: No (add reasons in the comment)

      Description

      Test setup used:

      Install OpenAM 11.0.1, embedded datastore, default configuration, Apache agent for testing

      • OpenAM host: openam.example.com:8080/openam
      • Apache host: rock.example.com:80

      Steps to reproduce:

      1. Add subrealm 'SubRealm'
      2. Add referral policy in root realm with no rules, refer to SubRealm

      3. Attempt to access test URL: http://rock.example.com/jira/secure/foo?bar=lion?tiger

      Forbidden page will be given (expected).

      4. Restart OpenAM

      5. Attempt to access test URL. This is the first unexpected behaviour. Agent will throw an internal server error, caused by this in OpenAM logs:

      PolicyRequesthandler.process caught PolicyEvaluationException:
      com.sun.identity.policy.remote.PolicyEvaluationException(1):Evaluation error.
      com.sun.identity.policy.PolicyException(2):null
      com.sun.identity.policy.PolicyException
      	at com.sun.identity.policy.PolicyEvaluator.getResourceResultsE(PolicyEvaluator.java:1484)
      	at com.sun.identity.policy.PolicyEvaluator.getResourceResults(PolicyEvaluator.java:1390)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyRequest(PolicyRequestHandler.java:420)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyServiceRequest(PolicyRequestHandler.java:229)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.processRequest(PolicyRequestHandler.java:184)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.process(PolicyRequestHandler.java:126)
      	at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:183)
      	at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:136)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
      

      This is basically a misconfiguration in OpenAM, but I think it is reasonable to expect slightly more graceful behaviour (i.e. forbidden instead of error).

      6. Now go into the root referral policy and add a rule to it for

      'http://*.example.com/*?*?*'

      - Save.

      7. Add policy in SubRealm to allow all authenticated users access to

      'http://*.example.com/jira/*?*?*'

      8. Re-attempt to access test URL, should go through successfully (expected).

      9. Now go add another rule to the root referral policy to allow:

      'http://*.example.com/*?*'

      - Save.

      10. Re-attempt to access test URL, should now give forbidden (unexpected).

      11. Restart OpenAM.

      12. Re-attempt to access test URL, should now go through (expected).

            People

            • Assignee: Unassigned
            • Reporter: Ian Packer (ian.packer) (Inactive)