
Cross realm session upgrade not handled properly by XUI

    Details

    • Sprint:
      Sprint 97 - Team Tesla, Sprint 98 - Team Tesla

      Description

      The original behaviour of session upgrade across realms is described in more detail in OPENAM-4089. In short, no upgrade should occur, and OpenAM should warn the user that, in order to establish a session with the second realm, the first session has to be destroyed. Apart from the warning, the user should be presented with a choice screen.

      However, in RC5, the XUI behaviour is as follows:

      1. log in to realm1
      2. open the login URL for realm2
      3. observe "forbidden request error", "unauthorized access or session timeout" errors
      4. the original session is destroyed

      Here is the HTTP session starting with the 2nd step:

      http://saml-sp1.cdsso.rck.me:8080/openam/json/subrealm1/serverinfo/*
      
      GET /openam/json/subrealm1/serverinfo/* HTTP/1.1
      Host: saml-sp1.cdsso.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json
      Accept-API-Version: protocol=1.0,resource=1.1
      X-Requested-With: XMLHttpRequest
      Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      Connection: keep-alive
      If-None-Match: "-62414625"
      
      HTTP/1.1 304 Not Modified
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache
      Date: Mon, 15 Dec 2014 16:18:14 GMT
      ----------------------------------------------------------
      http://saml-sp1.cdsso.rck.me:8080/openam/json/authenticate?realm=%2Fsubrealm1&sessionUpgradeSSOTokenId=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      
      POST /openam/json/authenticate?realm=%2Fsubrealm1&sessionUpgradeSSOTokenId=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3* HTTP/1.1
      Host: saml-sp1.cdsso.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Requested-With: XMLHttpRequest
      Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      Content-Length: 0
      
      HTTP/1.1 200 OK
      Content-API-Version: protocol=1.0,resource=2.0
      Date: Mon, 15 Dec 2014 16:18:14 GMT
      Accept-Ranges: bytes
      Server: Restlet-Framework/2.1.7
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: 0
      Content-Type: application/json;charset=UTF-8
      Content-Length: 139
      ----------------------------------------------------------
      http://saml-sp1.cdsso.rck.me:8080/openam/json/subrealm1/users?_action=idFromSession
      
      POST /openam/json/subrealm1/users?_action=idFromSession HTTP/1.1
      Host: saml-sp1.cdsso.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Requested-With: XMLHttpRequest
      Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
      Content-Length: 2
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      {}
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache
      Content-API-Version: protocol=1.0,resource=2.0
      Content-Type: application/json;charset=UTF-8
      Content-Length: 195
      Date: Mon, 15 Dec 2014 16:18:14 GMT
      ----------------------------------------------------------
      http://saml-sp1.cdsso.rck.me:8080/openam/json/subrealm1/users/demo
      
      GET /openam/json/subrealm1/users/demo HTTP/1.1
      Host: saml-sp1.cdsso.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json
      Cache-Control: no-cache
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Requested-With: XMLHttpRequest
      Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      Connection: keep-alive
      If-None-Match: "0"
      
      HTTP/1.1 403 Forbidden
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache
      Content-Type: application/json;charset=UTF-8
      Content-Length: 166
      Date: Mon, 15 Dec 2014 16:18:14 GMT
      ----------------------------------------------------------
      http://saml-sp1.cdsso.rck.me:8080/openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=validate
      
      POST /openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=validate HTTP/1.1
      Host: saml-sp1.cdsso.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json
      Accept-API-Version: protocol=1.0,resource=1.1
      X-Requested-With: XMLHttpRequest
      Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      Content-Length: 0
      
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache
      Content-API-Version: protocol=1.0,resource=1.1
      Content-Type: application/json;charset=UTF-8
      Content-Length: 48
      Date: Mon, 15 Dec 2014 16:18:14 GMT
      ----------------------------------------------------------
      http://saml-sp1.cdsso.rck.me:8080/openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=validate
      
      POST /openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=validate HTTP/1.1
      Host: saml-sp1.cdsso.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json
      Accept-API-Version: protocol=1.0,resource=1.1
      X-Requested-With: XMLHttpRequest
      Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      Content-Length: 0
      
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache
      Content-API-Version: protocol=1.0,resource=1.1
      Content-Type: application/json;charset=UTF-8
      Content-Length: 48
      Date: Mon, 15 Dec 2014 16:18:15 GMT
      ----------------------------------------------------------
      http://saml-sp1.cdsso.rck.me:8080/openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=logout
      
      POST /openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=logout HTTP/1.1
      Host: saml-sp1.cdsso.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: protocol=1.0,resource=1.1
      X-Requested-With: XMLHttpRequest
      Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
      Content-Length: 2
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      {}
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache
      Content-API-Version: protocol=1.0,resource=1.1
      Content-Type: application/json;charset=UTF-8
      Content-Length: 36
      Date: Mon, 15 Dec 2014 16:18:15 GMT
      ----------------------------------------------------------
      http://saml-sp1.cdsso.rck.me:8080/openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=logout
      
      POST /openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=logout HTTP/1.1
      Host: saml-sp1.cdsso.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: protocol=1.0,resource=1.1
      X-Requested-With: XMLHttpRequest
      Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
      Content-Length: 2
      Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      {}
      HTTP/1.1 401 Unauthorized
      Server: Apache-Coyote/1.1
      Content-Type: application/json;charset=UTF-8
      Content-Length: 62
      Date: Mon, 15 Dec 2014 16:18:15 GMT
      

      To reproduce:

      • create two realms: realm1 and realm2
      • log out from OpenAM and clear your browser cache
      1. log in to: /openam/XUI/#login/realm1 as demo/changeit
      2. user profile is shown
      3. go to: /openam/XUI/#login/realm2
      4. error messages observed and sessions destroyed
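The flow in the capture, as an added example that is not OpenAM or XUI code: a constructed in-memory stand-in for the REST endpoints seen above, used to contrast the RC5 behaviour (the 403 on the profile GET leads to a logout that destroys the first realm's session) with a client that compares realms first and returns the choice screen OPENAM-4089 describes. It assumes the `idFromSession` response reports the realm that issued the session; the capture shows only a 200 with a 195-byte body.

```javascript
// Constructed stand-in for the OpenAM endpoints in the capture (not OpenAM code).
function makeServer() {
  // Constructed state: one live session issued by /realm1 for user "demo".
  const sessions = new Map([["TOKEN-1", { realm: "/realm1", user: "demo" }]]);
  return {
    sessions,
    // POST /json/{realm}/users?_action=idFromSession. Assumption: the body reports
    // the realm that issued the session (the capture shows only a 200 response).
    idFromSession(tokenId) {
      const s = sessions.get(tokenId);
      return s ? { status: 200, body: { id: s.user, realm: s.realm } } : { status: 401 };
    },
    // GET /json/{realm}/users/{uid}: 403 when the URL realm is not the session's realm.
    getUser(tokenId, realm, uid) {
      const s = sessions.get(tokenId);
      return !s ? { status: 401 }
           : s.realm === realm && s.user === uid ? { status: 200 } : { status: 403 };
    },
    // POST /json/sessions/{tokenId}?_action=logout: 200 once, 401 for a destroyed token.
    logout(tokenId) {
      return sessions.delete(tokenId) ? { status: 200 } : { status: 401 };
    },
  };
}

// The RC5 sequence from the capture: the 403 on the profile GET is treated as a
// broken session and logout is called (twice; the second call hits a dead token).
function rc5Flow(server, tokenId, targetRealm) {
  const errors = [];
  const who = server.idFromSession(tokenId);
  if (who.status !== 200) return { outcome: "login", errors };
  if (server.getUser(tokenId, targetRealm, who.body.id).status === 403) {
    errors.push("forbidden request error");
    server.logout(tokenId);                       // 200: the first realm's session is gone
    if (server.logout(tokenId).status === 401) {  // 401: the token no longer exists
      errors.push("unauthorized access or session timeout");
    }
    return { outcome: "login", errors };
  }
  return { outcome: "profile", errors };
}

// Expected behaviour: compare realms before touching the session and let the user
// decide; the first realm's session survives until the user chooses to end it.
function guardedFlow(server, tokenId, targetRealm) {
  const who = server.idFromSession(tokenId);
  if (who.status !== 200) return { outcome: "login", errors: [] };
  if (who.body.realm === targetRealm) return { outcome: "profile", errors: [] };
  return { outcome: "choice", errors: [], current: who.body.realm, target: targetRealm,
           choices: ["keep current session", "log out and log in to target realm"] };
}
```

Run `rc5Flow(makeServer(), "TOKEN-1", "/realm2")` and `guardedFlow(makeServer(), "TOKEN-1", "/realm2")` side by side: the first leaves no session behind and reports both error strings from the report, the second leaves the session in place and returns the choice.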

              People

              • Assignee:
                joe.bandenburg Joe Bandenburg [X] (Inactive)
                Reporter:
                n4al Nemanja Lukic