OpenAM / OPENAM-6468

InvalidClassException with certauth after #201505-01 patch

    Details

    • Sprint:
      Sustaining Sprint 10
    • Support Ticket IDs:

      Description

      After installing the #201505 security patches for OpenAM 11.0.3, certificate authentication towards the DAS is no longer working.

      The following stacktrace is printed in the Authentication debug log on the CAS with every certificate login attempt:

      amAuthXMLUtils:07/27/2015 02:51:59:018 PM CEST: Thread[http-8443-11,5,main] 
      ERROR: Unable to deserialize request object 
      java.io.InvalidClassException: java.security.cert.Certificate$CertificateRep; Requested ObjectStreamClass was not in the whitelist of allowed classes 
      at org.forgerock.openam.utils.IOUtils$WhitelistObjectInputStream.resolveClass(IOUtils.java:276) 
      at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1611) 
      at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1516) 
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1770) 
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349) 
      at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1705) 
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1343) 
      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369) 
      at java.util.HashMap.readObject(HashMap.java:1047) 
      at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source) 
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
      at java.lang.reflect.Method.invoke(Method.java:622) 
      at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1001) 
      at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1892) 
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1797) 
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349) 
      at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989) 
      at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1914) 
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1797) 
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349) 
      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369) 
      at org.forgerock.openam.utils.IOUtils.deserialise(IOUtils.java:205) 
      at org.forgerock.openam.utils.IOUtils.deserialise(IOUtils.java:182) 
      at com.sun.identity.authentication.share.AuthXMLUtils.deserializeToObject(AuthXMLUtils.java:1683) 
      at com.sun.identity.authentication.share.AuthXMLUtils.getRemoteRequest(AuthXMLUtils.java:322) 
      at com.sun.identity.authentication.server.AuthXMLRequestParser.parseXML(AuthXMLRequestParser.java:238) 
      at com.sun.identity.authentication.server.AuthXMLRequest.parseXML(AuthXMLRequest.java:146) 
      at com.sun.identity.authentication.server.AuthXMLHandler.processRequest(AuthXMLHandler.java:238) 
      at com.sun.identity.authentication.server.AuthXMLHandler.process(AuthXMLHandler.java:144) 
      at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:182) 
      at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:135) 
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) 
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) 
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) 
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44) 
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100) 
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
      at com.avlesh.web.filter.responseheaderfilter.ResponseHeaderManagerFilter.doFilter(ResponseHeaderManagerFilter.java:191) 
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) 
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:558) 
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) 
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555) 
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) 
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) 
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) 
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) 
      at java.lang.Thread.run(Thread.java:701)
      

      Workaround:
      Configuration -> Servers and Sites -> Default Server Settings -> Security -> Object Deserialisation Class Whitelist
      Add the following two classes:

      java.security.cert.Certificate
      java.security.cert.Certificate$CertificateRep
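      The following is an added example, not OpenAM's own IOUtils code: a look-ahead whitelisting ObjectInputStream in the style of the one in the stack trace, used to show why a whitelist that names java.security.cert.Certificate still rejects a serialised certificate. Serialisation replaces every Certificate with a Certificate$CertificateRep via writeReplace(), so that nested class is what resolveClass() actually sees; it is my assumption (not stated in the issue) that array descriptors are matched by their component class, which is why the example's initial whitelist holds both java.util.HashMap and java.security.cert.Certificate.

```java
import java.io.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.*;

public class CertWhitelistDemo {
    /** Look-ahead deserialisation: reject a class descriptor before any instance of it is created. */
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> whitelist;
        WhitelistObjectInputStream(InputStream in, Set<String> whitelist) throws IOException {
            super(in);
            this.whitelist = whitelist;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = componentName(desc.getName());
            if (name != null && !whitelist.contains(name)) throw new InvalidClassException(desc.getName(), "Requested ObjectStreamClass was not in the whitelist of allowed classes");
            return super.resolveClass(desc);
        }
    }

    /** "[[B" -> null (primitive arrays are always safe); "[Ljava.util.HashMap;" -> "java.util.HashMap"; others unchanged. */
    static String componentName(String name) {
        if (!name.startsWith("[")) return name;
        String inner = name.replaceFirst("^\\[+", "");
        return inner.startsWith("L") ? inner.substring(1, inner.length() - 1) : null;
    }
    /** Serialise a request map holding a certificate array, then read it back through the whitelist. */
    static Map<?, ?> roundTrip(Certificate cert, Set<String> whitelist) throws Exception {
        Map<String, Certificate[]> request = new HashMap<>();
        request.put("certs", new Certificate[] {cert});
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(request); // Certificate.writeReplace() puts a Certificate$CertificateRep on the wire
        }
        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(buf.toByteArray()), whitelist)) {
            return (Map<?, ?>) in.readObject(); // CertificateRep.readResolve() rebuilds the real certificate
        }
    }
    public static void main(String[] args) throws Exception { // args[0]: any PEM or DER encoded X.509 certificate file
        Certificate cert;
        try (InputStream f = new FileInputStream(args[0])) { cert = CertificateFactory.getInstance("X.509").generateCertificate(f); }
        Set<String> whitelist = new HashSet<>(Arrays.asList("java.util.HashMap", "java.security.cert.Certificate"));
        try { roundTrip(cert, whitelist); }
        catch (InvalidClassException e) { System.out.println("Rejected, as in the report: " + e.getMessage()); }
        whitelist.add("java.security.cert.Certificate$CertificateRep"); // the workaround from the issue
        Certificate[] back = (Certificate[]) roundTrip(cert, whitelist).get("certs");
        System.out.println("Accepted after whitelisting: " + back[0].getType());
    }
}
```

      On Java 9 and later the same look-ahead check can be expressed with the built-in ObjectInputFilter (or the jdk.serialFilter system property) instead of a custom ObjectInputStream subclass.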

      People

      • Assignee: Mark de Reeper (markdr)
      • Reporter: Mark Powell (mark.powell)