OpenAM / OPENAM-6532

Unable to add a Rest STS instance with a value of "/" in the --subconfigname/-g option using ssoadm - NullPointerException - needs to be URL encoded

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 12.0.0, 12.0.1
    • Fix Version/s: None
    • Component/s: CLI
    • Sprint: Sustaining Sprint 11

      Description

      When one attempts to create an instance of STS on a sub realm, if the "/" is not URL encoded (-g "customers/noescapeSTS") it will provide
      an "Exception in thread "main" java.lang.NullPointerException".

      The --subconfigname/-g has to be realm-name/subconfig-name in encoded format. Any other format would not work.

      [root@host1 bin]# ./ssoadm create-sub-cfg -s RestSecurityTokenService -g "customers/noescapeSTS" -b serverconfig -v -d -u amadmin -f /home/forgerock/password.txt -e /customers -D sts.txt

      Process Request ...
      Constructing Request Context...
      Validating mandatory options...
      Processing Sub Command ...

      Executing class, com.sun.identity.cli.schema.AddSubConfiguration.
      Authenticating...
      Authenticated.
      Exception in thread "main" java.lang.NullPointerException
      at com.sun.identity.cli.schema.AddSubConfiguration.addSubConfig(AddSubConfiguration.java:227)
      at com.sun.identity.cli.schema.AddSubConfiguration.addSubConfigToRealm(AddSubConfiguration.java:130)
      at com.sun.identity.cli.schema.AddSubConfiguration.handleRequest(AddSubConfiguration.java:102)
      at com.sun.identity.cli.SubCommand.execute(SubCommand.java:291)
      at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:212)
      at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:134)
      at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:573)
      at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:170)
      at com.sun.identity.cli.CommandManager.main(CommandManager.java:147)

      If I add "/" to the --subconfigname/-g option
      then it is successfully added:

      [root@host1 bin]# ./ssoadm create-sub-cfg -s RestSecurityTokenService -g "customers/noescapeSTS" -b serverconfig -u amadmin -f /home/forgerock/password.txt -e /customers -D sts.txt

      Sub Configuration customers/noescapeSTS was added to realm /customers

      After the above, when I go to:
      http://host1.example.com:8383/openam/rest-sts-publish/publish/customers/noescapeSTS

      we see that it is configured:
      {
      "customers/openam": "{ \"issuer-name\": \"host1.example.com\", \"saml2-config\": { \"saml2-name-id-format\": \"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\", \"saml2-token-lifetime-seconds\": \"60000\", \"saml2-custom-conditions-provider-class-name\": null, \"saml2-custom-subject-provider-class-name\": null, \"saml2-custom-attribute-statements-provider-class-name\": null, \"saml2-custom-attribute-mapper-class-name\": null, \"saml2-custom-authn-context-mapper-class-name\": null, \"saml2-custom-authentication-statements-provider-class-name\": null, \"saml2-custom-authz-decision-statements-provider-class-name\": null, \"saml2-sign-assertion\": \"false\", \"saml2-encrypt-assertion\": \"false\", \"saml2-encrypt-attributes\": \"false\", \"saml2-encrypt-nameid\": \"false\", \"saml2-encryption-algorithm\": \"http://www.w3.org/2001/04/xmlenc#aes128-cbc\", \"saml2-encryption-algorithm-strength\": \"128\", \"saml2-attribute-map\": { \"idm:userID\": \"uid\" }, \"saml2-keystore-filename\": null, \"saml2-keystore-password\": null, \"saml2-sp-acs-url\": null, \"saml2-sp-entity-id\": \"ExampleCustomersSP\", \"saml2-signature-key-alias\": null, \"saml2-signature-key-password\": null, \"saml2-encryption-key-alias\": null }, \"deployment-config\": { \"deployment-url-element\": \"openam\", \"deployment-realm\": \"customers\", \"deployment-auth-target-mappings\": { }, \"deployment-offloaded-two-way-tls-header-key\": null, \"deployment-tls-offload-engine-hosts\": [ ] }, \"supported-token-transforms\": [ { \"inputTokenType\": \"OPENAM\", \"outputTokenType\": \"SAML2\", \"invalidateInterimOpenAMSession\": false } ] }"
      }

      In my ssoadm command, I have specified both the -d and -v options. You can see that it's executing the class com.sun.identity.cli.schema.AddSubConfiguration,
      it is authenticating and is successful, and then the Null Pointer happens when it is actually trying to add the subconfig.

      The -e option allows for a "/" that isn't URL encoded. Why does the -g parameter require it?

      I have the ssoadm debug logs, as well as OpenAM's audit and debug log directories with debug set to Message. But there are no references to NullPointerException
      in the ssoadm or AM logs. It errors out at the client as it's executing it.

      I reproduced this in OpenAM 12.0.1.

      Steps to reproduce:

      1. In OpenAM 12.0.0 or 12.0.1 create a new realm "/customers".

      2. Run this command with the attached sts.txt file (adjust URLs accordingly):

      ./ssoadm create-sub-cfg -s RestSecurityTokenService -g "customers/newSTS" -b serverconfig -v -d -u amadmin -f /home/forgerock/password.txt -e /customers -D sts.txt

      3. New STS instance is NOT created and ssoadm command line shows this null pointer:
      Exception in thread "main" java.lang.NullPointerException
      at com.sun.identity.cli.schema.AddSubConfiguration.addSubConfig(AddSubConfiguration.java:227)
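The following is an added example, not code from the bug report or from OpenAM/ssoadm. It shows the client-side handling the report asks for: percent-encode the --subconfigname/-g value so the "/" between realm and STS name becomes %2F (the standard URL encoding of "/", which the report describes only as "encoded format"), refuse the call when a raw "/" would still be passed, and print the resulting create-sub-cfg command for inspection rather than executing it. The function names, the SSOADM variable, and the dry-run approach are assumptions of this example; the password-file path, sts.txt, and the unencoded -e /customers realm option follow the command in the report.

```shell
#!/bin/sh
# Added example (not OpenAM/ssoadm code). Assumes ssoadm is on PATH or set via
# SSOADM, and that "/" in --subconfigname/-g must be sent as %2F.

# Percent-encode every character that is not an RFC 3986 unreserved character.
# Pure parameter expansion, so it is POSIX sh and needs no external tools.
# Intended for ASCII option values such as "customers/noescapeSTS".
urlencode_subcfg() {
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of the remaining input
        rest=${rest#?}          # drop it
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # 'c gives the char code
        esac
    done
    printf '%s' "$out"
}

# Return 0 when the value is safe to pass to -g (no raw "/"), 1 otherwise.
# A raw "/" is exactly what produced the NullPointerException in the report;
# failing here gives a clear error on the client instead of a stack trace.
check_subcfgname() {
    case $1 in
        */*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Build the -g value from a realm and an STS instance name. The realm goes in
# without its leading "/" (the report uses "customers/..." inside -g) and the
# separator is encoded; -e keeps the plain "/customers" form.
sts_subconfig_name() {
    realm=${1#/}
    urlencode_subcfg "$realm/$2"
}

# Print (do not run) the ssoadm invocation; returns 1 if the guard fails.
# Assumed paths (password file, sts.txt) mirror the bug report's command line.
print_create_sts_cmd() {
    realm=${1#/}
    name=$2
    subcfg=$(sts_subconfig_name "$realm" "$name")
    check_subcfgname "$subcfg" || return 1
    printf '%s\n' "${SSOADM:-./ssoadm} create-sub-cfg -s RestSecurityTokenService -g \"$subcfg\" -b serverconfig -u amadmin -f /home/forgerock/password.txt -e \"/$realm\" -D sts.txt"
}

# Example run for the realm and STS name used in the report.
print_create_sts_cmd /customers noescapeSTS
```

Running the block prints a create-sub-cfg line with -g "customers%2FnoescapeSTS" and -e "/customers"; pipe it to sh, or swap the final printf for an exec, once the output looks right. The guard deliberately checks the value after encoding so that any future unreserved-character change to urlencode_subcfg that lets a "/" through is caught before ssoadm is invoked.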

        Attachments

        1. AMdebug_ssoadmSubConfig.tar.gz (88 kB)
        2. AMlog_ssoadmSubConfig.tar.gz (0.9 kB)
        3. debug_ssoadmSubConfig.tar (90 kB)
        4. log_ssoadmSubConfig.tar (10 kB)
        5. sts.txt (1 kB)


        People

        • Assignee: Unassigned
        • Reporter: David Bate (david.bate)