OpenAM issue OPENAM-5508

REST with Realm/DNS Aliases causes unexpected results

Details

Sprint: Sprint 79 - Team Tesla, Sprint 80 - Team Tesla, Sprint 81 - Team Tesla, Sprint 82 - Team Tesla

Description

Steps to reproduce:

• Create a vanilla install of OpenAM 11.0.2 with embedded config and data stores
• Set up a subrealm called "Customers"
• In the "Customers" subrealm, remove the embedded user datastore and replace it with a different user datastore, e.g. OpenDJ
• In the "Customers" subrealm, add a Realm/DNS Alias of customers.example.com
• In OpenDJ, add "testuser1"
• Upgrade to OpenAM 12 (this is required to create test case 3 below; the other two examples occur from a vanilla OpenAM 12 install)
• Use REST to test the following commands:

Test 1
Using the user from OpenDJ, authenticate into the Customers subrealm with testuser1, using the DNS Alias "customers.example.com" and "/json/authenticate?realm=customers" in the URL:

$ curl --request POST --header "X-OpenAM-Username:testuser1" --header "X-OpenAM-Password:password" --header "Content-Type: application/json" --data "{}" "http://customers.example.com:8080/openam/json/authenticate?realm=customers"
{"code":400,"reason":"Bad Request","message":"Invalid realm, Customerscustomers"}

Test 2
Using the user from OpenDJ, authenticate into the Customers subrealm with testuser1, using the DNS Alias "customers.example.com" and "json/customers/authenticate" in the URL:

$ curl --request POST --header "X-OpenAM-Username:testuser1" --header "X-OpenAM-Password:password" --header "Content-Type: application/json" --data "{}" "http://customers.example.com:8080/openam/json/customers/authenticate"
{"code":400,"reason":"Bad Request","message":"Invalid realm, Customers/customers"}

Test 3
Using the user from OpenDJ, attempt to authenticate into the / (Top Level Realm) with testuser1, using the DNS Alias "customers.example.com"; the user should not have access to this realm:

$ curl --request POST --header "X-OpenAM-Username:testuser1" --header "X-OpenAM-Password:password" --header "Content-Type: application/json" --data "{}" "http://customers.example.com:8080/openam/json/authenticate?realm=/"
{"tokenId":"AQIC5wM2LY4Sfcwb114pUEw6F55OCi-lWklVgiOFRJZTC5M.*AAJTSQACMDEAAlNLABM0NzE2Mzk5OTMzNjg3MDU4Njcy*","successUrl":"/openam/console"}
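The three results above all follow from the realm of the DNS alias being combined with the realm named in the URL. The following is an added Python model, not OpenAM code, that reproduces the two error messages and the unexpected token issuance from the tests, and beside it an assumed safer rule under which a request arriving via an alias may only select that alias's realm or a realm beneath it; the realm tree, the alias map and that rule are assumptions made for the example.

```python
# Constructed realm tree (keys stored lowercase) and alias map; not OpenAM configuration.
REALMS = {"/", "/customers"}
DNS_ALIASES = {"customers.example.com": "/customers"}


def _canonical(path):
    """Reduce a realm path to its lookup key: lowercase, single slashes, no trailing slash."""
    return "/" + "/".join(seg for seg in path.lower().split("/") if seg)


def observed_realm(host, query_realm=None, path_realm=None):
    """Model of the report: the alias realm name is glued onto the realm given in the URL."""
    alias_name = DNS_ALIASES.get(host, "/").strip("/").capitalize()   # "Customers"
    if query_realm is not None:                   # ?realm=...  -> no separator at all
        return alias_name + query_realm           # "Customerscustomers"
    if path_realm is not None:                    # /json/<realm>/authenticate
        return alias_name + "/" + path_realm      # "Customers/customers"
    return "/"


def observed_result(host, query_realm=None, path_realm=None):
    """Outcome of the glued string: the error text from the report, or a token being issued."""
    realm = observed_realm(host, query_realm, path_realm)
    if _canonical(realm) not in REALMS:
        return "Invalid realm, " + realm
    return "authenticated"    # Test 3: "Customers/" passes the lookup although "/" was requested


def hardened_realm(host, query_realm=None, path_realm=None):
    """Assumed rule: via an alias, only the alias realm or a realm below it may be selected."""
    base = DNS_ALIASES.get(host, "/")
    spec = query_realm if query_realm is not None else path_realm
    if spec is None:
        return base
    if spec.startswith("/"):                      # absolute realm path, taken as given
        candidate = _canonical(spec)
    elif _canonical("/" + spec) == base:          # relative name of the alias realm itself
        candidate = base
    else:                                         # relative name of a child realm
        candidate = _canonical(base + "/" + spec)
    inside = candidate == base or candidate.startswith(base.rstrip("/") + "/")
    if candidate not in REALMS or not inside:
        raise ValueError("Invalid realm, " + spec)
    return candidate


def hardened_allows(host, query_realm=None, path_realm=None):
    try:                                          # True if the request would reach a login
        hardened_realm(host, query_realm, path_realm)
        return True
    except ValueError:
        return False
```

Under the assumed rule, tests 1 and 2 both resolve to the Customers realm, while test 3 is refused because "/" lies outside the alias's realm.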

People

Assignee: Phill Cunnington (phillcunnington)
Reporter: Mark Powell (mark.powell)
QA Assignee: Nemanja Lukic