OpenAM / OPENAM-5234

AuthLevel policy condition does not work with pol. agents when result code 403 is expected

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0
    • Fix Version/s: 11.0.4, 12.0.3
    • Component/s: entitlements, policy
    • Environment:
      OpenAM: Centos6 64-bit / Oracle JDK 1.8.0_25 / Tomcat 6.0.37 / OpenAM 12.0.0-RC2 Build 11626 (2014-December-03 17:12)
    • Sprint:
      Sprint 82 - Sustaining, Sprint 83 - Sustaining, Sprint 84 - Sustaining, Sustaining Sprint 10
    • Support Ticket IDs:

      Description

      AuthLevel policy condition does not work with pol. agents when 403 is expected. I tested this case with the JBoss 7 J2EE (3.3.0) agent, but I also reproduced it with the IIS8 (3.3.3) and Tomcat7 (trunk) agents.

      PRECONDITIONS:

      • default installation of AM
      • PA installed (J2EE or WPA)
      • agent profile with default configuration created

      STEPS TO REPRODUCE:
      1.) Create a policy with Env. condition AuthLevel 1 (pol. rule = "star://star:star/star" , subject Authenticated Users)
      2.) Hit the resource enforced by agent
      http://perf-openam2.internal.forgerock.com:8080/frqa/index.jsp
      3.) Login as user
      Observed result: Redirecting loop
      Expected result: 403 - Forbidden

      I observed in the OpenAM Policy log:
      WARNING: UserSelfCheckCondition.getConditionDecision Invalid attribute set in env params
      Here is the log:

      amPolicy:12/05/2014 04:09:14:757 PM GMT: Thread[http-8080-4,5,main]
      Evaluating policies at org o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      Policy Manager constructed with SSO token  for organization: o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition:setProperties: NotAttributes are empty
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.setProperties():attributes, notAttributes = [*],null
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.getConditionDecision: called with Token: id=bjensen,ou=user,dc=openam,dc=forgerock,dc=org, requestedResourcename: [sms://dc=openam,dc=forgerock,dc=org/sunIdentityRepositoryService/1.0/application/user/bjensen]
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.getConditionDecision: attributeCheckOk:true
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.getConditionDecision: attributes check:true
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.getConditionDecision: name: sms://dc=openam,dc=forgerock,dc=org/sunIdentityRepositoryService/1.0/application/user/bjensen resource: [sms://dc=openam,dc=forgerock,dc=org/sunIdentityRepositoryService/1.0/application/user/bjensen]
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.getConditionDecision: returning true
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      Policy Manager constructed with SSO token  for organization: o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
      amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
      Policy Manager constructed with SSO token  for organization: o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
      amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition:setProperties: NotAttributes are empty
      amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.setProperties():attributes, notAttributes = [mail, telephonenumber, preferredlocale, iplanet-am-user-password-reset-question-answer, postaladdress, description, sunIdentityServerDeviceKeyValue, cn, iplanet-am-user-password-reset-options, userpassword, givenname, sunIdentityServerDeviceStatus, sn],null
      amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.getConditionDecision: called with Token: id=bjensen,ou=user,dc=openam,dc=forgerock,dc=org, requestedResourcename: [sms://dc=openam,dc=forgerock,dc=org/sunIdentityRepositoryService/1.0/application/user/bjensen]
      amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.getConditionDecision: attributeCheckOk:false
      amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
      WARNING: UserSelfCheckCondition.getConditionDecision Invalid attribute set in env params
      amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
      UserSelfCheckCondition.getConditionDecision: attributes check:false
      amPolicy:12/05/2014 04:09:15:094 PM GMT: Thread[http-8080-8,5,main]
      

      I attached the response from Live HTTP Header.
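The amPolicy debug output quoted above is a sequence of two-line records: a header carrying the logger name, timestamp and servlet thread, followed by the message on the next line (the last header in the report has no message at all). When triaging a redirect loop like this one, the question is whether the policy evaluation itself returned a deny or whether the agent never got a usable decision, so it helps to turn the raw log into per-thread counts of condition outcomes and WARNING lines. The parser below is an added example and is not OpenAM code; the sample input is a subset of the log lines from this report, and the header regex is an assumption derived from those lines.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Header of one OpenAM debug record, as seen in the report above, e.g.
#   amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
# The record's message text follows on the next line. (Pattern is an
# assumption based on those lines, not an OpenAM specification.)
HEADER_RE = re.compile(
    r"^(?P<logger>\w+):(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M) "
    r"(?P<tz>\w+): Thread\[(?P<thread>[^\]]+)\]$"
)
# Outcome of the attribute check inside UserSelfCheckCondition.
ATTR_CHECK_RE = re.compile(r"attributeCheckOk:(true|false)")

# Subset of the amPolicy log lines quoted in OPENAM-5234, including the
# trailing header that has no message line.
SAMPLE_LOG = """\
amPolicy:12/05/2014 04:09:14:757 PM GMT: Thread[http-8080-4,5,main]
Evaluating policies at org o=sunamhiddenrealmdelegationservicepermissions,ou=services,dc=openam,dc=forgerock,dc=org
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
UserSelfCheckCondition.getConditionDecision: attributeCheckOk:true
amPolicy:12/05/2014 04:09:14:758 PM GMT: Thread[http-8080-4,5,main]
UserSelfCheckCondition.getConditionDecision: returning true
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
UserSelfCheckCondition.getConditionDecision: attributeCheckOk:false
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
WARNING: UserSelfCheckCondition.getConditionDecision Invalid attribute set in env params
amPolicy:12/05/2014 04:09:14:759 PM GMT: Thread[http-8080-4,5,main]
UserSelfCheckCondition.getConditionDecision: attributes check:false
amPolicy:12/05/2014 04:09:15:094 PM GMT: Thread[http-8080-8,5,main]
"""


@dataclass
class Record:
    logger: str
    timestamp: datetime
    thread: str      # thread name only, e.g. "http-8080-4"
    message: str     # empty when the header had no following message line

    @property
    def is_warning(self) -> bool:
        return self.message.startswith("WARNING:")


def parse_am_debug(text: str) -> list[Record]:
    """Pair each header line with the message line that follows it."""
    records: list[Record] = []
    lines = text.strip().splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        if m is None:
            i += 1          # stray line: skip it rather than abort the parse
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if HEADER_RE.match(nxt):
            message, step = "", 1   # header immediately followed by a header
        else:
            message, step = nxt, 2
        records.append(Record(
            logger=m.group("logger"),
            # %f accepts the 3-digit millisecond field
            timestamp=datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S:%f %p"),
            thread=m.group("thread").split(",")[0],
            message=message,
        ))
        i += step
    return records


def summarize(records: list[Record]) -> dict[str, dict]:
    """Per thread: counts of attributeCheckOk outcomes and the WARNING messages."""
    summary: dict[str, dict] = {}
    for r in records:
        s = summary.setdefault(r.thread, {"attr_check": Counter(), "warnings": []})
        m = ATTR_CHECK_RE.search(r.message)
        if m:
            s["attr_check"][m.group(1)] += 1
        if r.is_warning:
            s["warnings"].append(r.message)
    return summary


if __name__ == "__main__":
    for thread, s in summarize(parse_am_debug(SAMPLE_LOG)).items():
        print(thread, dict(s["attr_check"]), len(s["warnings"]), "warning(s)")
```

Run against the full debug file the summary shows, per request thread, how many UserSelfCheckCondition evaluations passed or failed and which warnings accompanied them; a thread that logs a failed check and the "Invalid attribute set" warning but no final decision is the pattern to line up against the agent-side redirect loop.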

    People

    • Assignee: Sachiko Wallace (sachiko)
    • Reporter: Richard Hruza (richard.hruza)
    • QA Assignee: Richard Hruza
    • Votes: 2
    • Watchers: 6

    Time Tracking

    • Estimated: 6h
    • Remaining: 4h
    • Logged: 2h