OPENAM-7746

Authentication in sub-realm fails if DNS alias is used and persistence can not be guaranteed

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 13.0.0
    • Fix Version/s: None
    • Component/s: authentication
    • Environment:
      OpenAM 12.0.2, Apache Tomcat, load balancer in front of OpenAM
    • Support Ticket IDs:

      Description

      Here are the steps to reproduce the issue consistently:

      Create 2 HAProxy configs, each pointing to one OpenAM instance individually, e.g.

      haproxy openam1
      listen roundrobin_balancer localhost:8080
        mode http
        option httplog
        balance roundrobin
        server app1 localhost:8081

      haproxy openam2
      listen roundrobin_balancer localhost:8080
        mode http
        option httplog
        balance roundrobin
        server app2 localhost:8082

      Configure 2 OpenAM instances.
      Configure an OpenAM site.
      Create a sub-realm and specify the LDAP auth module as the realm authenticator, choosing 'mail' as the search attribute (to distinguish it from the root realm).
      Move the FQDN used for the primary site URL from the default realm to the sub-realm.

      1) Start Haproxy with profile pointing to OpenAM 1
      2) Start authentication in sub-realm with PRIMARY_SITE_URL/UI/Login
      3) Stop Haproxy and restart it with profile pointing to OpenAM 2
      4) Restart authentication in sub-realm with PRIMARY_SITE_URL/UI/Login
      5) Submit credentials (email address and password) for LDAP authentication

      --> Authentication fails

      Because of steps 3 and 4, cross-talk happens.

      Access log of Tomcat from OpenAM 2:

      127.0.0.1 - - [07/Dec/2015:09:59:19 +0100] "GET /openam1202/UI/Login?gx_charset=UTF-8 HTTP/1.1" 200 7918 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0 openam.test.xyz:8080
      

      cross-talk happens to OpenAM 1:

      127.0.0.1 - - [07/Dec/2015:09:59:19 +0100] "GET /openam1202/UI/Login?gx_charset=UTF-8 HTTP/1.1" 200 7917 Java/1.7.0_76 openam1.test.xyz:8081
      

      Submit of credentials to OpenAM 2:

      127.0.0.1 - - [07/Dec/2015:09:59:35 +0100] "POST /openam1202/UI/Login HTTP/1.1" 200 2074 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0 openam.test.xyz:8080
      

      results in cross-talk to OpenAM 1:

      127.0.0.1 - - [07/Dec/2015:09:59:35 +0100] "POST /openam1202/UI/Login HTTP/1.1" 200 2073 Java/1.7.0_76 openam1.test.xyz:8081
      

      The root cause of the failing authentication is that the cross-talk request neither sends the original HTTP Host header (which is needed when a DNS alias is used) nor appends the realm parameter.

      Result: Authentication happens in default-realm and not in sub-realm
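As an added illustration (not part of this report or of OpenAM itself), the script below parses the access-log lines quoted above, pairs each cross-talk request with the browser request it mirrors, and flags the pairs where the forwarded request carries neither the alias Host header nor a realm parameter. The alias-to-realm mapping and the use of the Java/ user agent to recognise cross-talk requests are assumptions for this example.

```python
import re
from urllib.parse import parse_qs

# Tomcat access-log layout as quoted in the report: client ident user [time] "request" status bytes UA host:port
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<bytes>\d+) '
    r'(?P<ua>.+) (?P<host>\S+)$'
)

# Constructed sample: the four access-log lines from the report (OpenAM 2 and OpenAM 1 merged).
SAMPLE_LOG = """\
127.0.0.1 - - [07/Dec/2015:09:59:19 +0100] "GET /openam1202/UI/Login?gx_charset=UTF-8 HTTP/1.1" 200 7918 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0 openam.test.xyz:8080
127.0.0.1 - - [07/Dec/2015:09:59:19 +0100] "GET /openam1202/UI/Login?gx_charset=UTF-8 HTTP/1.1" 200 7917 Java/1.7.0_76 openam1.test.xyz:8081
127.0.0.1 - - [07/Dec/2015:09:59:35 +0100] "POST /openam1202/UI/Login HTTP/1.1" 200 2074 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0 openam.test.xyz:8080
127.0.0.1 - - [07/Dec/2015:09:59:35 +0100] "POST /openam1202/UI/Login HTTP/1.1" 200 2073 Java/1.7.0_76 openam1.test.xyz:8081
"""

# Assumed mapping: DNS alias (the primary site FQDN) -> realm it was moved to.
REALM_ALIASES = {"openam.test.xyz": "/subrealm"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    rec["realm"] = parse_qs(query).get("realm", [None])[0]   # realm= query parameter, if any
    rec["hostname"] = rec["host"].rsplit(":", 1)[0]          # strip the port from Host
    return rec

def find_lost_realm_crosstalk(log_text, realm_aliases=REALM_ALIASES):
    """Pair each cross-talk request (Java HTTP client UA, assumed) with the browser request it
    mirrors (same time, method, path) and flag it when the realm alias and realm= are both lost."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    browser = {(r["time"], r["method"], r["path"]): r for r in recs if not r["ua"].startswith("Java/")}
    findings = []
    for r in recs:
        if not r["ua"].startswith("Java/"):
            continue
        origin = browser.get((r["time"], r["method"], r["path"]))
        if origin is None:
            continue
        expected = realm_aliases.get(origin["hostname"])
        if expected and r["hostname"] not in realm_aliases and r["realm"] != expected:
            # Forwarded request would be authenticated in the default realm, not `expected`
            findings.append((r["time"], r["method"], r["path"], expected, r["hostname"]))
    return findings
```

Each finding is (time, method, path, realm the browser request targeted, host the cross-talk request actually used); an empty list means every forwarded request preserved its realm.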

    People

    • Assignee: peter.major Peter Major [X] (Inactive)
    • Reporter: bthalmayr Bernhard Thalmayr
    • Votes: 1
    • Watchers: 5
