OpenAM / OPENAM-6340

XUI needs to support DNS/Alias behaviour for subrealms as per OPENAM-5508

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 12.0.1, 13.0.0
    • Fix Version/s: None
    • Component/s: XUI

      Description

      Please have a look at OPENAM-5508 for detailed discussion.

      The setup is as follows:

      • OpenAM has a top-level realm and a sub-realm named "Customers" (in this example ft-oam.test.forgerock.com is the host of the top-level realm)
      • The sub-realm has a DNS/Alias mapped to it (the sub-realm is mapped to ft-oam.test.rck.me)
      • Server configuration includes FQDN mappings (com.sun.identity.server.fqdnMap[ft-oam.test.rck.me]=ft-oam.test.rck.me and com.sun.identity.server.fqdnMap[ft-oam.test.forgerock.com]=ft-oam.test.forgerock.com)
      • The sub-realm uses an external datastore for user authentication
      • Configure -> Global Services -> Platform -> Cookie Domains must contain both cookie domains (test.forgerock.com and test.rck.me)

      Case 1

      With query parameter only: http://ft-oam.test.rck.me:8080/openam?realm=customers

      Expected successful login.

      Error message:

      Login/Password combination invalid.
      

      Live HTTP headers:

      http://ft-oam.test.rck.me:8080/openam/json/authenticate?realm=customers
      
      POST /openam/json/authenticate?realm=customers HTTP/1.1
      Host: ft-oam.test.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,sr;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Password: anonymous
      X-Username: anonymous
      X-NoSession: true
      X-Requested-With: XMLHttpRequest
      Referer: http://ft-oam.test.rck.me:8080/openam/XUI/
      Content-Length: 717
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      {"authId":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogIjNrbjdycTNjbHY3aXFkN3M4cDJmcmNxdmgxIiwgInJlYWxtIjogIm89Y3VzdG9tZXJzLG91PXNlcnZpY2VzLGRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3pnRlc0cG14SWpSTGU0UkJEaHZncmdzUi1rRi1zOFlXQS4qQUFKVFNRQUNNREVBQWxOTEFCTTNNell3TXpreE5EWTVOamswT1RjM09UWXkqIiB9.UiMffR6vuFQqNKVl8TcmsOBgJP0PbMohzdvGIrjjhwI","template":"","stage":"DataStore1","header":"Sign in to OpenAM","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":"testuser1"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":"password"}]}]}
      HTTP/1.1 200 OK
      Set-Cookie: amlbcookie=01; Domain=.test.forgerock.com; Path=/
      Content-API-Version: protocol=1.0,resource=2.0
      Date: Thu, 09 Jul 2015 09:29:10 GMT
      Accept-Ranges: bytes
      Server: Restlet-Framework/2.1.7
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: 0
      Content-Type: application/json;charset=UTF-8
      Content-Length: 143
      ----------------------------------------------------------
      http://ft-oam.test.rck.me:8080/openam/json/users?_action=idFromSession&realm=customers
      
      POST /openam/json/users?_action=idFromSession&realm=customers HTTP/1.1
      Host: ft-oam.test.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,sr;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Password: anonymous
      X-Username: anonymous
      X-NoSession: true
      X-Requested-With: XMLHttpRequest
      Referer: http://ft-oam.test.rck.me:8080/openam/XUI/
      Content-Length: 2
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      {}
      HTTP/1.1 401 Unauthorized
      Server: Apache-Coyote/1.1
      Content-Type: application/json;charset=UTF-8
      Content-Length: 62
      Date: Thu, 09 Jul 2015 09:29:10 GMT
      

      Case 2

      With URL parameter: http://ft-oam.test.rck.me:8080/openam/XUI/#login/customers/

      This is correct. The realm is not supposed to exist, since the path realm is resolved relative to the alias realm and XUI is looking for /customers/customers.

      Error message:

      Realm does not exist.
      

      Case 3

      With query parameter: http://ft-oam.test.rck.me:8080/openam/XUI/#login/&realm=/

      This is not supposed to work, since you should not be able to authenticate to the top-level realm from a sub-realm's alias host.

      Error Message:

      Login/password combination is invalid.
      

      Live HTTP Headers:

      http://ft-oam.test.rck.me:8080/openam/json/authenticate?realm=/
      
      POST /openam/json/authenticate?realm=/ HTTP/1.1
      Host: ft-oam.test.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,sr;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Password: anonymous
      X-Username: anonymous
      X-NoSession: true
      X-Requested-With: XMLHttpRequest
      Referer: http://ft-oam.test.rck.me:8080/openam/XUI/
      Content-Length: 685
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      {"authId":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogImc2NnU5b2huamYxbjNsYmNzcWE2ZnFqcXNvIiwgInJlYWxtIjogImRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3g2bzFFM01TXzZMcEQ1VmNkQUpVdm5Oa3FLTnBDMU9oVS4qQUFKVFNRQUNNREVBQWxOTEFCSTFOVEU0TnpFMk9UUTFORFExTURnek1UTS4qIiB9.D4hrSqh6ctR76RVT1LcsZdsdCY7rURQVU-jEGhn0DOA","template":"","stage":"DataStore1","header":"Sign in to OpenAM","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":"testuser1"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":"password"}]}]}
      HTTP/1.1 401 Unauthorized
      Content-API-Version: protocol=1.0,resource=2.0
      Date: Thu, 09 Jul 2015 09:40:48 GMT
      Accept-Ranges: bytes
      Server: Restlet-Framework/2.1.7
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Content-Type: application/json;charset=UTF-8
      Content-Length: 72
      ----------------------------------------------------------
      http://ft-oam.test.rck.me:8080/openam/json/authenticate?realm=%2F
      
      POST /openam/json/authenticate?realm=%2F HTTP/1.1
      Host: ft-oam.test.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,sr;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: application/json
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Password: anonymous
      X-Username: anonymous
      X-NoSession: true
      X-Requested-With: XMLHttpRequest
      Referer: http://ft-oam.test.rck.me:8080/openam/XUI/
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      Content-Length: 0
      
      HTTP/1.1 200 OK
      Set-Cookie: amlbcookie=01; Domain=.test.forgerock.com; Path=/
      Content-API-Version: protocol=1.0,resource=2.0
      Date: Thu, 09 Jul 2015 09:40:48 GMT
      Accept-Ranges: bytes
      Server: Restlet-Framework/2.1.7
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: 0
      Content-Type: application/json;charset=UTF-8
      Content-Length: 674
      ----------------------------------------------------------
      
      curl --request POST --header "X-OpenAM-Username: testuser1" --header "X-OpenAM-Password: password" --header "Content-Type: application/json" --data '{}' "http://ft-oam.test.rck.me:8080/openam/json/authenticate?realm=/"
      {"code":401,"reason":"Unauthorized","message":"Authentication Failed!!"}
      

      Case 4

      With query parameter: http://ft-oam.test.rck.me:8080/openam/XUI/#login/&realm=/customers

      Successful login is expected.

      Error Message:

      Login/password combination is invalid.
      
      http://ft-oam.test.rck.me:8080/openam/json/authenticate?realm=/customers
      
      POST /openam/json/authenticate?realm=/customers HTTP/1.1
      Host: ft-oam.test.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,sr;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Password: anonymous
      X-Username: anonymous
      X-NoSession: true
      X-Requested-With: XMLHttpRequest
      Referer: http://ft-oam.test.rck.me:8080/openam/XUI/
      Content-Length: 717
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      {"authId":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogInIzOHQzNmNtMDR1ZWJiaHNpb3JwZnRvaXY0IiwgInJlYWxtIjogIm89Y3VzdG9tZXJzLG91PXNlcnZpY2VzLGRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3pWSmFfTHlSTXdQYk8yTldUTmFGNGltSWlyeFBJaUVYay4qQUFKVFNRQUNNREVBQWxOTEFCTTBOVEl3TURjME56UTVPRFUxTkRreU9UazIqIiB9.JJCMUTD95eWTNdktJOVFSfT0J7MX5a3SUfY7SoMGIa4","template":"","stage":"DataStore1","header":"Sign in to OpenAM","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":"testuser1"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":"password"}]}]}
      HTTP/1.1 200 OK
      Content-API-Version: protocol=1.0,resource=2.0
      Date: Thu, 09 Jul 2015 09:49:13 GMT
      Accept-Ranges: bytes
      Server: Restlet-Framework/2.1.7
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: 0
      Content-Type: application/json;charset=UTF-8
      Content-Length: 139
      ----------------------------------------------------------
      http://ft-oam.test.rck.me:8080/openam/json/users?_action=idFromSession&realm=/customers
      
      POST /openam/json/users?_action=idFromSession&realm=/customers HTTP/1.1
      Host: ft-oam.test.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,sr;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: protocol=1.0,resource=2.0
      X-Password: anonymous
      X-Username: anonymous
      X-NoSession: true
      X-Requested-With: XMLHttpRequest
      Referer: http://ft-oam.test.rck.me:8080/openam/XUI/
      Content-Length: 2
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      {}
      HTTP/1.1 401 Unauthorized
      Server: Apache-Coyote/1.1
      Content-Type: application/json;charset=UTF-8
      Content-Length: 62
      Date: Thu, 09 Jul 2015 09:49:13 GMT
      ----------------------------------------------------------
      http://ft-oam.test.rck.me:8080/openam/XUI/images/span_error.png?v=1.1.10-1
      
      GET /openam/XUI/images/span_error.png?v=1.1.10-1 HTTP/1.1
      Host: ft-oam.test.rck.me:8080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
      Accept: image/png,image/*;q=0.8,*/*;q=0.5
      Accept-Language: en-US,sr;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Referer: http://ft-oam.test.rck.me:8080/openam/XUI/
      Connection: keep-alive
      
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Cache-Control: public, max-age=2592000
      Accept-Ranges: bytes
      Etag: W/"1527-1434985434000"
      Last-Modified: Mon, 22 Jun 2015 15:03:54 GMT
      Content-Type: image/png
      Content-Length: 1527
      Date: Thu, 09 Jul 2015 09:49:13 GMT
      ----------------------------------------------------------
      
      

      Case 5

      With URL and query parameter together: http://ft-oam.test.rck.me:8080/openam/XUI/#login/customers/?realm=customers

      The XUI does not load at all.
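The five cases above amount to one resolution rule: the alias host fixes the base realm, a path realm is relative to it, a query realm is absolute, and nothing may resolve above the base. The following is an added example, not OpenAM or XUI code; the alias map, realm list and the rule itself are constructed from the description, and it also covers the non-aliased top-level host.

```javascript
// Added example, not OpenAM/XUI code: models the realm resolution the
// five cases above expect for a host that is DNS-aliased to a sub-realm.
// The alias map, realm list and resolution rules are constructed from the
// report's description, not taken from OpenAM.

// DNS/Alias mapping from the setup: the alias host maps to /customers,
// the top-level host maps to the root realm.
const DNS_ALIASES = {
  "ft-oam.test.rck.me": "/customers",
  "ft-oam.test.forgerock.com": "/",
};

// Realms that exist in the described setup (constructed).
const REALMS = new Set(["/", "/customers"]);

// Collapse empty segments so "customers/", "/customers" and "customers"
// all become "/customers".
function normalizeRealm(r) {
  return "/" + r.split("/").filter(Boolean).join("/");
}

// True when realm is base itself or somewhere below it.
function isWithin(realm, base) {
  return base === "/" || realm === base || realm.startsWith(base + "/");
}

// Resolve the effective realm for an XUI login URL on a given host.
//  - pathRealm: the segment after #login/, read relative to the alias
//    realm (so "customers/" on the alias host means /customers/customers, Case 2)
//  - queryRealm: the ?realm= value, read as an absolute realm (Cases 1, 3, 4)
// The alias realm is the boundary: a login must not resolve above it (Case 3).
function resolveLoginRealm(host, { pathRealm = null, queryRealm = null } = {}) {
  const base = DNS_ALIASES[host.split(":")[0]] || "/";
  if (pathRealm !== null && queryRealm !== null) {
    return { realm: null, ok: false, reason: "path and query realm both set" };
  }
  let realm = base;
  if (queryRealm !== null) realm = normalizeRealm(queryRealm);
  else if (pathRealm !== null) realm = normalizeRealm(base + "/" + pathRealm);
  if (!isWithin(realm, base)) {
    return { realm, ok: false, reason: "realm is outside the alias realm " + base };
  }
  if (!REALMS.has(realm)) {
    return { realm, ok: false, reason: "realm does not exist" };
  }
  return { realm, ok: true, reason: "" };
}
```

Case 5 is rejected as ambiguous rather than crashing, which is the behaviour a client should fall back to when both forms are present.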

      People

      • Assignee: Unassigned
      • Reporter: Nemanja Lukic (n4al)
      • QA Assignee: Nemanja Lukic
      • Votes: 1
      • Watchers: 9