  1. OpenAM
  2. OPENAM-5383

CTS Reaper fails if simple paged control is not present in response

    Details

    • Sprint:
      Sprint 76 - Sustaining, Sprint 77 - Sustaining

      Description

      The CTS reaper runs a periodic search to find tokens to clean up. The search uses a simple paged results control in the request.

      When OpenDJ responds to this search, it does not necessarily include the corresponding control data in the response. For example, if the user has a size-limit of 1000 and requests a page size of 1000, OpenDJ drops the control on the response as it is not needed.

      The reaper assumes that it will always get a paged control object in the response and does not have any error handling for this. This results in an NPE if the above scenario occurs:

      Caused by: java.lang.NullPointerException
              at org.forgerock.openam.cts.impl.query.QueryBuilder.executeRawResults(QueryBuilder.java:206)
              at org.forgerock.openam.cts.impl.query.QueryPageIterator.queryPage(QueryPageIterator.java:65)
              at org.forgerock.openam.cts.impl.query.QueryPageIterator.next(QueryPageIterator.java:96)
              at org.forgerock.openam.cts.reaper.CTSReaper.run(CTSReaper.java:114)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
              at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
      

      The page size the reaper uses is not configurable:

              // Controls the size of pages requested for CTS Reaper
              cleanupPageSize = 1000;
      

      This, combined with the default OpenDJ size-limit of 1000, means that anyone who uses a non-administrative user for their CTS connection is likely to encounter this problem.

      Steps to reproduce:

      1) Set up vanilla OpenAM 11 with SFO/CTS enabled on a vanilla external OpenDJ
      2) Observe normal operation / token cleanup.
      3) Change CTS bind user to a plain user with no special permissions except read/delete/search on the tokens suffix.
      4) Observe the problem.
      5) Change user's size-limit to 1001
      6) Problem no longer occurs.

      There are probably some other scenarios that lead to the same behaviour that don't revolve around the size-limit issue.
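The failure mode described above, as an added sketch that is not part of the original report and is not OpenAM's or OpenDJ's code: a paging loop that tolerates a response with no paged results control. `Page`, `Directory` and `collectAll` are hypothetical stand-ins, the token ids are constructed, and treating a missing control as "no further pages" is an assumption of this sketch.

```java
import java.util.ArrayList;
import java.util.List;

/** Added illustration; every type here is a hypothetical stand-in, not an OpenAM or OpenDJ class. */
public class PagedReaperSketch {
    /** One search response: entries plus the paging cookie, or null when the server omitted the control. */
    record Page(List<String> entries, byte[] cookie) {}

    /** Stand-in for the directory connection: page size and previous cookie in, one page out. */
    interface Directory { Page search(int pageSize, byte[] cookie); }

    /** Collects all entries; an absent or empty cookie ends the loop instead of raising an NPE. */
    static List<String> collectAll(Directory dir, int pageSize) {
        List<String> all = new ArrayList<>();
        byte[] cookie = new byte[0];
        do {
            Page page = dir.search(pageSize, cookie);
            all.addAll(page.entries());
            // The server may drop the control (e.g. size-limit equal to page size): check before use.
            cookie = page.cookie() == null ? new byte[0] : page.cookie();
        } while (cookie.length > 0);
        return all;
    }

    public static void main(String[] args) {
        List<String> tokens = List.of("t1", "t2", "t3", "t4", "t5"); // constructed token ids
        // Server that pages normally: the cookie carries the next offset.
        Directory paging = (size, cookie) -> {
            int start = cookie.length == 0 ? 0 : cookie[0];
            int end = Math.min(start + size, tokens.size());
            byte[] next = end < tokens.size() ? new byte[] {(byte) end} : new byte[0];
            return new Page(tokens.subList(start, end), next);
        };
        // Server that answers the search but leaves the control out of the response.
        Directory noControl = (size, cookie) ->
                new Page(tokens.subList(0, Math.min(size, tokens.size())), null);
        System.out.println(collectAll(paging, 2));
        System.out.println(collectAll(noControl, 5));
    }
}
```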

              People

              • Assignee:
                kamal.sivanandam@forgerock.com Kamal Sivanandam
                Reporter:
                ian.packer Ian Packer [X] (Inactive)