Affects Version/s: 11.0.0, 11.0.2, 12.0.0
Environment: Ubuntu 12.04 64-bit, Apache 2.2, OpenJDK 1.6.0_31, OpenAM 11.0.2, OpenDJ 2.6, WebAgent 4.0
Created a new realm with capital letters (e.g., US). Revised the LDAP authentication module to connect to an external OpenDJ and set its AuthLevel to "2".
Installed the agent and configured it for the top realm. Set a referral policy for the US realm and created a policy on the US realm that protects a static Apache page, say "/index.html". Added the required configuration and, under conditions, chose "Auth Level (greater or equal)" with realm=/US and level=2.
When accessing the protected resource, the browser is prompted twice for LDAP authentication, where a single LDAP authentication prompt is expected.
AuthLevelCondition.getMaxRequestAuthLevel() compares the condition-configured "realm" with the request "realm" using String.equals(). While the former is capitalised as configured, the latter may be a lower-case representation, and this causes a problem the first time the policy is evaluated against a privileged ssoToken.
There are two places in the AuthLevelCondition.java code where "authRealm.equals(...)" should be replaced by "authRealm.equalsIgnoreCase(...)".
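The following is an added, simplified illustration of the comparison described above; it is not OpenAM's own AuthLevelCondition code. The ssoToken's authenticated levels are modelled as a constructed realm-to-level map, and both method names and the map shape are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical stand-in for AuthLevelCondition.getMaxRequestAuthLevel():
// the token's authenticated levels are modelled as "realm -> level" entries.
public class AuthLevelRealmCheck {

    /** Original behaviour: realm names compared with String.equals(). */
    static int getMaxRequestAuthLevelCaseSensitive(Map<String, Integer> tokenLevels,
                                                   String conditionRealm) {
        int max = -1; // -1 means "no level authenticated in that realm"
        for (Map.Entry<String, Integer> e : tokenLevels.entrySet()) {
            if (e.getKey().equals(conditionRealm) && e.getValue() > max) {
                max = e.getValue();
            }
        }
        return max;
    }

    /** Proposed fix: realm names compared with equalsIgnoreCase(). */
    static int getMaxRequestAuthLevelIgnoreCase(Map<String, Integer> tokenLevels,
                                                String conditionRealm) {
        int max = -1;
        for (Map.Entry<String, Integer> e : tokenLevels.entrySet()) {
            if (e.getKey().equalsIgnoreCase(conditionRealm) && e.getValue() > max) {
                max = e.getValue();
            }
        }
        return max;
    }

    public static void main(String[] args) {
        // Constructed token: the realm was recorded lower-cased after the
        // first LDAP login, while the policy condition was saved as "/US".
        Map<String, Integer> token = new LinkedHashMap<String, Integer>();
        token.put("/us", 2);
        String conditionRealm = "/US";
        int required = 2;

        int before = getMaxRequestAuthLevelCaseSensitive(token, conditionRealm);
        int after = getMaxRequestAuthLevelIgnoreCase(token, conditionRealm);

        // equals(): level -1 < 2, so the condition fails and the user is
        // prompted to authenticate a second time.
        System.out.println("equals():           level=" + before
                + " -> " + (before >= required ? "allow" : "re-authenticate"));
        // equalsIgnoreCase(): level 2 >= 2, a single login is enough.
        System.out.println("equalsIgnoreCase(): level=" + after
                + " -> " + (after >= required ? "allow" : "re-authenticate"));
    }
}
```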