OPENAM-5865

AuthLevelCondition will not retrieve request auth level for a capital-letter realm.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 11.0.2, 12.0.0
    • Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2
    • Component/s: policy
    • Environment:
      Ubuntu 12.04 64 -bit, Apache 2.2, OpenJDK 1.6.0_31, OpenAM 11.0.2, OpenDJ 2.6, WebAgent 4.0
    • Sprint:
      AM Sustaining Sprint 43
    • Story Points:
      2
    • Needs backport:
      No
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
Yes, and I used the same as in the description

      Description

      SETUP:
      Created a new realm with capital letters (e.g., US). Revised the LDAP authentication module to connect to an external OpenDJ and set its AuthLevel to "2".
      Installed the agent and configured it for the top realm. Set a referral policy for the US realm and created the policy on the US realm that protects a static Apache page, say "/index.html". Added the required configuration and, under conditions, chose "Auth Level (greater or equal)" and chose realm=/US and level=2.

      OBSERVATION:
      Tried accessing the protected resource: the browser is prompted twice for LDAP authentication, where a single LDAP authentication is expected.

      ROOT CAUSE:
      AuthLevelCondition.getMaxRequestAuthLevel() compares the condition-configured "realm" with the request "realm" using String.equals(). While the former is capitalized, the latter may be a lower-case representation, and this causes a problem the first time the policy is evaluated against a privileged ssoToken.

      SOLUTION:
      There are two places in the AuthLevelCondition.java code where "authRealm.equals(...)" should be replaced by "authRealm.equalsIgnoreCase(...)".
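The comparison described in the root cause, reduced to a stand-alone example (added here; this is not OpenAM's AuthLevelCondition code). The "realm:level" string format, the method names and the session data below are assumptions made for the illustration:

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added illustration of the case-sensitivity problem in OPENAM-5865.
 * Not OpenAM code: the "realm:level" encoding of the session's auth levels
 * and the method names are assumptions for this example.
 */
public class RealmAuthLevelExample {

    /** Realm part of an assumed "realm:level" string (split at the last ':'). */
    private static String realmOf(String qualified) {
        int idx = qualified.lastIndexOf(':');
        return idx < 0 ? "" : qualified.substring(0, idx);
    }

    /** Numeric level part of an assumed "realm:level" string. */
    private static int levelOf(String qualified) {
        int idx = qualified.lastIndexOf(':');
        String levelStr = idx < 0 ? qualified : qualified.substring(idx + 1);
        return Integer.parseInt(levelStr.trim());
    }

    /**
     * Highest auth level the session reached in conditionRealm.
     * Returns -1 when no entry matches that realm; an "auth level >= N"
     * condition then fails and the user is sent to authenticate again.
     * ignoreCase=false models the buggy equals() comparison,
     * ignoreCase=true models the equalsIgnoreCase() fix.
     */
    static int maxRequestAuthLevel(String conditionRealm,
                                   List<String> qualifiedLevels,
                                   boolean ignoreCase) {
        int max = -1;
        for (String q : qualifiedLevels) {
            String realm = realmOf(q);
            boolean sameRealm = ignoreCase
                    ? conditionRealm.equalsIgnoreCase(realm)
                    : conditionRealm.equals(realm);
            if (sameRealm) {
                max = Math.max(max, levelOf(q));
            }
        }
        return max;
    }

    public static void main(String[] args) {
        // Constructed session data: the realm was created as "US", but the
        // level recorded for the session carries it in lower case.
        List<String> sessionLevels = Arrays.asList("/us:2", "/:0");
        String conditionRealm = "/US";

        int buggy = maxRequestAuthLevel(conditionRealm, sessionLevels, false);
        int fixed = maxRequestAuthLevel(conditionRealm, sessionLevels, true);

        // equals(): -1, realm never matched, level 2 condition fails, second login prompt
        System.out.println("case-sensitive   -> " + buggy);
        // equalsIgnoreCase(): 2, condition "level >= 2" is satisfied
        System.out.println("case-insensitive -> " + fixed);
    }
}
```

A general point, not taken from the ticket: because realm names are matched case-insensitively, a more robust approach than patching individual comparisons is to normalize the realm to one canonical case both where it is stored with the session and where the condition reads its configured value, so that later call sites cannot reintroduce the same mismatch.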

            People

            • Assignee:
              joe.starling Joe Starling
            • Reporter:
              hahmadi hadi hahmadi [X] (Inactive)
            • Votes:
              0
            • Watchers:
              2

                Time Tracking

                Estimated: 4h (original estimate)
                Remaining: 0h
                Logged: 4h