OPENAM-4621

Access is denied while the policy allows access

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Expired
    • Affects Version/s: Agents-3.3.0, 11.0.0
    • Fix Version/s: None
    • Component/s: policy, web agents
    • Environment:
      OpenAM 11, Apache 2.2 Web agents 3.3.0, Tomcat 7.0.52, Oracle JDK 7.0.51, CentOS 6.5 64-bit boxes
    • Needs backport:
      No
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      No (add reasons in the comment)

      Description

      I have a simple policy that allows POST and GET accesses to this URL for users belonging to some LDAP groups:

      http://www.myapp.com/SSOProtected/*

      But when I try to access http://www.myapp.com/SSOProtected/index.html, the agent denies access:

      2014-10-02 18:08:48.776 MaxDebug 1277:7f5335335b10 AM_POLICY_SERVICE: am_policy_compare_urls: Comparison of "http://www.myapp.com:80/SSOProtected/index.html" and "http://www.myapp.com:80/SSOProtected/index.html" returned AM_EXACT_MATCH (usePatterns=true)
      2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 AM_POLICY_SERVICE: am_policy_compare_urls: Comparison of "http://www.myapp.com:80/SSOProtected/index.html" and "http://www.myapp.com:80/SSOProtected/index.html" returned AM_EXACT_MATCH (usePatterns=true)
      2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 AM_POLICY_SERVICE: am_policy_compare_urls: Comparison of "http://www.myapp.com:80/SSOProtected/index.html" and "http://www.myapp.com:80/SSOProtected/index.html" returned AM_EXACT_MATCH (usePatterns=true)
      2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 ServiceEngine: Attribute value for myappSsoAppUid0 found in ldap = 49178191
      2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 ServiceEngine: Attribute value for myappSsoProfile found in ldap = 2
      2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 ServiceEngine: Attribute value for myappSsoSiren found in ldap = 413045071
      2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 ServiceEngine: Attribute value for cn found in ldap = 49178191
      2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 ServiceEngine: Attribute value for userPassword found in ldap = {SSHA}MQsl/AbZMZODKTwBrevE20GyZWJlBHuOpr7g4w==
      2014-10-02 18:08:48.777 Debug 1277:7f5335335b10 ServiceEngine: Service::getPolicyResult(): No advice string created.
      2014-10-02 18:08:48.777 Warning 1277:7f5335335b10 all: am_web_is_access_allowed()(http://www.myapp.com:80/SSOProtected/index.html, POST) denying access: status = access denied
      2014-10-02 18:08:48.778 Info 1277:7f5335335b10 all: am_web_is_access_allowed()(http://www.myapp.com:80/SSOProtected/index.html, POST) returning status: access denied.
      2014-10-02 18:08:48.778 Info 1277:7f5335335b10 all: process_request(): Access check for URL http://www.myapp.com/SSOProtected/index.html returned access denied.

      The URL http://www.myapp.com/SSOProtected/index.html triggers CDSSO as expected, I authenticate successfully but then I get a 403 from the agent in the browser.

      The browser traces show the following request and error:

      http://www.myapp.com/SSOProtected/index.html

      POST /SSOProtected/index.html HTTP/1.1
      Host: www.myapp.com
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en,en-us;q=0.8,fr-fr;q=0.5,fr;q=0.3
      Accept-Encoding: gzip, deflate
      Referer: http://sso.mydomain.com/opensso/cdcservlet?TARGET=http%3A%2F%2Fwww.myapp.com%2FSSOProtected%2Findex.html&gotoOnFail=http%3A%2F%2Fwww.myapp.com%3A80%2Findex.aspx%3Fret%3D1&RequestID=1673284245&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fp-ssorp01.mydomain.com%3A8080%2Famagent%3FRealm%3Dmydomain1&IssueInstant=2014-10-08T15%3A38%3A51Z
      Cookie: iPlanetDirectoryPro=
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 3560

      HTTP/1.1 403 Forbidden
      Date: Wed, 08 Oct 2014 13:38:55 GMT
      Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy3_GOo0Pz5ZPmHwGte7cghCUyNr_4PIgk.AAJTSQACMDIAAlNLABMxOTM5MDQ1Mzg3NzAzNzU5OTgxAAJTMQACMDE.;Domain=www.myapp.com;Path=/
      Set-Cookie: iPlanetDirectoryPro=;Domain=www.myapp.com;Path=/
      Content-Length: 306
      Connection: close
      Content-Type: text/html; charset=iso-8859-1
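The agent trace in the description can be triaged mechanically. The following is an added example, not code from the report or from OpenAM or its web agents: it parses web-agent debug lines of the shape shown above (stripping the CRLF that appears as ^M in the pasted log), extracts each am_web_is_access_allowed() decision and each am_policy_compare_urls result, flags URLs that matched a policy resource rule (AM_EXACT_MATCH) yet were denied, which means the resource pattern is not what needs debugging and the subject or condition evaluation is, and flags LDAP attribute names that the MaxDebug level echoed into the log, as the userPassword line in this report shows. The sample log is constructed on the model of the trace above (the GET "access allowed" line is added for contrast and the hash is a dummy value), and SENSITIVE_ATTRS is an assumed list of attribute names to flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample modelled on the agent trace in the report. The GET
# "access allowed" line and the {SSHA} value are made up for illustration.
SAMPLE_LOG = (
    '2014-10-02 18:08:48.776 MaxDebug 1277:7f5335335b10 AM_POLICY_SERVICE: '
    'am_policy_compare_urls: Comparison of "http://www.myapp.com:80/SSOProtected/index.html" '
    'and "http://www.myapp.com:80/SSOProtected/index.html" returned AM_EXACT_MATCH (usePatterns=true)\r\n'
    '2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 ServiceEngine: '
    'Attribute value for cn found in ldap = 49178191\r\n'
    '2014-10-02 18:08:48.777 MaxDebug 1277:7f5335335b10 ServiceEngine: '
    'Attribute value for userPassword found in ldap = {SSHA}c2FtcGxlLWhhc2gtbm90LXJlYWw=\r\n'
    '2014-10-02 18:08:48.777 Debug 1277:7f5335335b10 ServiceEngine: '
    'Service::getPolicyResult(): No advice string created.\r\n'
    '2014-10-02 18:08:48.777 Warning 1277:7f5335335b10 all: '
    'am_web_is_access_allowed()(http://www.myapp.com:80/SSOProtected/index.html, POST) '
    'denying access: status = access denied\r\n'
    '2014-10-02 18:08:48.778 Info 1277:7f5335335b10 all: '
    'am_web_is_access_allowed()(http://www.myapp.com:80/SSOProtected/index.html, GET) '
    'returning status: access allowed.\r\n'
)

# "<date> <time> <level> <pid>:<tid> <module>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<pid>\d+):(?P<tid>[0-9a-f]+) "
    r"(?P<module>[^:]+): (?P<msg>.*)$"
)
COMPARE_RE = re.compile(
    r'am_policy_compare_urls: Comparison of "(?P<req>[^"]+)" and "(?P<rule>[^"]+)" '
    r"returned (?P<result>AM_\w+)"
)
DECISION_RE = re.compile(
    r"am_web_is_access_allowed\(\)\((?P<url>[^,]+), (?P<method>[A-Z]+)\)"
    r".*?(?P<status>access (?:allowed|denied))"
)
ATTR_RE = re.compile(r"Attribute value for (?P<name>\S+) found in ldap =\s*(?P<value>.*)$")

# Assumed list of attribute names that must never appear in a debug log.
SENSITIVE_ATTRS = {"userpassword", "unicodepwd", "authpassword"}


@dataclass
class Decision:
    ts: str
    url: str
    method: str
    allowed: bool


def _records(log: str) -> Iterator[Dict[str, str]]:
    """Yield the fields of every line that looks like an agent log record."""
    for line in log.splitlines():
        m = LINE_RE.match(line.rstrip("\r"))  # the agent writes CRLF (the ^M in the report)
        if m:
            yield m.groupdict()


def parse_decisions(log: str) -> List[Decision]:
    """One Decision per (url, method); the agent logs each decision twice, last wins."""
    seen: Dict[Tuple[str, str], Decision] = {}
    for rec in _records(log):
        m = DECISION_RE.search(rec["msg"])
        if m:
            seen[(m["url"], m["method"])] = Decision(
                rec["ts"], m["url"], m["method"], m["status"] == "access allowed"
            )
    return list(seen.values())


def url_matches(log: str) -> List[Tuple[str, str, str]]:
    """Distinct (requested URL, policy rule, result) triples from am_policy_compare_urls."""
    out: List[Tuple[str, str, str]] = []
    for rec in _records(log):
        m = COMPARE_RE.search(rec["msg"])
        if m and (m["req"], m["rule"], m["result"]) not in out:
            out.append((m["req"], m["rule"], m["result"]))
    return out


def sensitive_attribute_leaks(log: str) -> List[str]:
    """Attribute names the agent echoed into the log that should never be there."""
    leaked: List[str] = []
    for rec in _records(log):
        m = ATTR_RE.search(rec["msg"])
        if m and m["name"].lower() in SENSITIVE_ATTRS and m["name"] not in leaked:
            leaked.append(m["name"])
    return leaked


def matched_but_denied(log: str) -> List[Tuple[str, str]]:
    """(url, method) pairs that hit a resource rule exactly yet were denied: the
    resource pattern is fine, so the subject/condition evaluation is where to look."""
    matched = {req for req, _rule, result in url_matches(log) if result == "AM_EXACT_MATCH"}
    return [(d.url, d.method) for d in parse_decisions(log) if not d.allowed and d.url in matched]


if __name__ == "__main__":
    for d in parse_decisions(SAMPLE_LOG):
        print(f"{d.ts} {d.method:4} {d.url} -> {'allowed' if d.allowed else 'DENIED'}")
    print("matched but denied:", matched_but_denied(SAMPLE_LOG))
    print("sensitive attributes in log:", sensitive_attribute_leaks(SAMPLE_LOG))
```

Run it against a real agent debug file by reading the file into a string and passing it to the same functions; the decision and comparison parsers ignore lines they do not recognise, so other MaxDebug chatter does no harm.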

    People

    • Assignee: Unassigned
    • Reporter: cgrosjean (Cyril Grosjean)