- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 12.0.0
- Component/s: entitlements, policy
- Labels:
- Environment: OpenAM: Centos6 64-bit / Oracle JDK 1.8.0_25 / Tomcat 6.0.37 / OpenAM 12.0.0-RC2 Build 11626 (2014-December-03 17:12)
The AuthLevel policy condition does not work with policy agents when a 403 is expected. I tested this case with the JBoss 7 J2EE (3.3.0) agent, and I also reproduced it with the IIS8 (3.3.3) and Tomcat7 (trunk) agents.
PRECONDITIONS:
- default installation of AM
- PA installed (J2EE or WPA)
- agent profile with default configuration created
STEPS TO REPRODUCE:
1.) Create a policy with Env. condition AuthLevel 1 (pol. rule = "star://star:star/star", subject Authenticated Users)
2.) Hit the resource enforced by agent
http://perf-openam2.internal.forgerock.com:8080/frqa/index.jsp
3.) Login as user
Observed result: Redirecting loop
Expected result: 403 - Forbidden
I observed in the OpenAM Policy log:
WARNING: UserSelfCheckCondition.getConditionDecision Invalid attribute set in env params
Here is the log:
amPolicy:12/05/2014 04:09:14:757 PM GMT: Thread[http-8080-4,5,main] Evaluating policies at org o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] Policy Manager constructed with SSO token for organization: o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition:setProperties: NotAttributes are empty
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.setProperties():attributes, notAttributes = [*],null
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.getConditionDecision: called with Token: id=bjensen,ou=user,dc=openam,dc=forgerock,dc=org, requestedResourcename: [sms://dc=openam,dc=forgerock,dc=org/sunIdentityRepositoryService/1.0/application/user/bjensen]
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.getConditionDecision: attributeCheckOk:true
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.getConditionDecision: attributes check:true
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.getConditionDecision: name: sms://dc=openam,dc=forgerock,dc=org/sunIdentityRepositoryService/1.0/application/user/bjensen resource: [sms://dc=openam,dc=forgerock,dc=org/sunIdentityRepositoryService/1.0/application/user/bjensen]
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.getConditionDecision: returning true
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] Policy Manager constructed with SSO token for organization: o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main] Policy Manager constructed with SSO token for organization: o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition:setProperties: NotAttributes are empty
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.setProperties():attributes, notAttributes = [mail, telephonenumber, preferredlocale, iplanet-am-user-password-reset-question-answer, postaladdress, description, sunIdentityServerDeviceKeyValue, cn, iplanet-am-user-password-reset-options, userpassword, givenname, sunIdentityServerDeviceStatus, sn],null
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.getConditionDecision: called with Token: id=bjensen,ou=user,dc=openam,dc=forgerock,dc=org, requestedResourcename: [sms://dc=openam,dc=forgerock,dc=org/sunIdentityRepositoryService/1.0/application/user/bjensen]
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.getConditionDecision: attributeCheckOk:false
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main] WARNING: UserSelfCheckCondition.getConditionDecision Invalid attribute set in env params
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main] UserSelfCheckCondition.getConditionDecision: attributes check:false
amPolicy:12/05/2014 04:09:15:094 PM GMT: Thread[http-8080-8,5,main]
I attached the response from Live HTTP Header.
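Added example (not part of the original report and not OpenAM code): a Python script that splits run-together amPolicy debug output like the log above into entries and pairs each UserSelfCheckCondition attribute set with its attributeCheckOk result, so the evaluation that logged the WARNING can be told apart from the `[*]` one that passed. The function names are hypothetical, and the sample is constructed from the entries above with the attribute list shortened.

```python
import re
from datetime import datetime

# An entry starts with "amPolicy:<date> <time> AM|PM GMT: Thread[...]" and runs
# until the next such prefix, so output pasted onto one line still splits.
ENTRY = re.compile(
    r"amPolicy:(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M) GMT: "
    r"Thread\[([^\]]*)\]\s*(.*?)(?=\s*amPolicy:\d{2}/\d{2}/\d{4} |\Z)", re.S)
ATTRS = re.compile(r"setProperties\(\):attributes, notAttributes = \[(.*?)\],")
CHECK = re.compile(r"getConditionDecision: attributeCheckOk:(true|false)")

# Constructed sample: entries from the log above, attribute list shortened.
PREFIX = "amPolicy:12/05/2014 04:09:14:{} PM GMT: Thread[http-8080-4,5,main] "
SAMPLE = " ".join(PREFIX.format(ms) + msg for ms, msg in [
    ("758", "UserSelfCheckCondition.setProperties():attributes, notAttributes = [*],null"),
    ("758", "UserSelfCheckCondition.getConditionDecision: attributeCheckOk:true"),
    ("759", "UserSelfCheckCondition.setProperties():attributes, notAttributes = [mail, cn, sn],null"),
    ("759", "UserSelfCheckCondition.getConditionDecision: attributeCheckOk:false"),
    ("759", "WARNING: UserSelfCheckCondition.getConditionDecision Invalid attribute set in env params"),
    ("759", "UserSelfCheckCondition.getConditionDecision: attributes check:false"),
])


def parse_entries(text):
    """Split amPolicy debug output into (time, thread, message) tuples."""
    out = []
    for stamp, thread, msg in ENTRY.findall(text):
        when = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S:%f %p")
        out.append((when, thread, " ".join(msg.split())))  # collapse wrapped lines
    return out


def self_check_results(entries):
    """Pair each UserSelfCheckCondition attribute set with its result, per thread."""
    pending, last, results = {}, {}, []
    for when, thread, msg in entries:
        if m := ATTRS.search(msg):
            pending[thread] = [a.strip() for a in m.group(1).split(",")]
        elif (m := CHECK.search(msg)) and thread in pending:
            last[thread] = {"time": when, "thread": thread, "warned": False,
                            "attributes": pending.pop(thread), "ok": m.group(1) == "true"}
            results.append(last[thread])
        elif "WARNING: UserSelfCheckCondition" in msg and thread in last:
            last[thread]["warned"] = True  # same thread warned after this check
    return results


if __name__ == "__main__":
    for r in self_check_results(parse_entries(SAMPLE)):
        print(r["time"].time(), r["thread"], r["attributes"], r["ok"], r["warned"])
```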
- is duplicated by: OPENAM-7415 XUI redirects infinitely when attempting to follow condition advice to a chain (Resolved)
- is related to: OPENAM-4296 XUI does not support Session Upgrade (Resolved)