OpenAM / OPENAM-8188

AuthLevel Condition Advice and Session Upgrade results in non-integer AuthLevel session attribute

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 11.0.3
    • Fix Version/s: None
    • Component/s: authentication
    • Labels: None

      Description

      The AuthLevel session attribute is usually a string representation of an integer. Multiple areas of the OpenAM codebase treat it this way.

      When OpenAM sends policy responses with advice based on conditions, it can use a 'realm qualified' notation of AuthLevel that includes a realm, for example: "/:2"

      When a session upgrade occurs in combination with policies that use AuthLevel conditions tied to realms, this realm-qualified notation of the AuthLevel is written back to the session attribute.

      This then causes problems later on when other parts of OpenAM try to parse the value as an integer.
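      The following is an added illustration written for this report, not OpenAM source code. It shows why the realm-qualified value breaks a plain Integer.parseInt (the NumberFormatException "For input string" seen in the stack trace below) and how a consumer of the attribute could read both the bare form ("2") and the qualified form ("/:2") without failing, normalising to the bare integer before writing it back. The choice of the last ':' as the realm separator and the sample values "/:2" and "/sub:1" are assumptions made for the example.

```java
import java.util.Optional;

/**
 * Added illustration, not OpenAM source: parse the AuthLevel session attribute.
 *
 * Normally the attribute is a bare integer string ("2"). After a session
 * upgrade driven by realm-qualified AuthLevel advice it can instead read
 * "<realm>:<level>", e.g. "/:2"; Integer.parseInt on that throws
 * NumberFormatException ("For input string: "/:2""), the failure in the report.
 */
public final class AuthLevelParser {

    /** Parsed attribute: the realm when the value was qualified, and the integer level. */
    public static final class AuthLevel {
        public final Optional<String> realm;
        public final int level;

        AuthLevel(Optional<String> realm, int level) {
            this.realm = realm;
            this.level = level;
        }

        @Override
        public String toString() {
            return realm.map(r -> r + ":").orElse("") + level;
        }
    }

    /** The naive reading the report's stack trace implies: only a bare integer works. */
    public static int parseNaive(String value) {
        return Integer.parseInt(value);
    }

    /**
     * Tolerant reading: accepts "2" as well as "realm:2". The separator is assumed
     * to be the last ':' in the value (an assumption for this example; OpenAM's own
     * realm-qualified helpers may split differently).
     */
    public static AuthLevel parse(String value) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException("AuthLevel attribute is empty");
        }
        int sep = value.lastIndexOf(':');
        String realm = sep < 0 ? null : value.substring(0, sep);
        String number = sep < 0 ? value : value.substring(sep + 1);
        final int level;
        try {
            level = Integer.parseInt(number.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(
                    "AuthLevel '" + value + "' does not end in an integer level", e);
        }
        if (level < 0) {
            throw new IllegalArgumentException("AuthLevel must be non-negative: " + value);
        }
        return new AuthLevel(Optional.ofNullable(realm), level);
    }

    /** The form that should be written back to the session: the bare integer, never realm-qualified. */
    public static String canonical(String value) {
        return Integer.toString(parse(value).level);
    }

    public static void main(String[] args) {
        // Constructed sample values: a normal attribute, the "/:2" from the report, and a sub-realm.
        for (String v : new String[] {"2", "/:2", "/sub:1"}) {
            try {
                System.out.println(v + " -> naive: " + parseNaive(v));
            } catch (NumberFormatException e) {
                System.out.println(v + " -> naive parse fails: " + e.getMessage());
            }
            AuthLevel parsed = parse(v);
            System.out.println(v + " -> realm=" + parsed.realm.orElse("<none>")
                    + " level=" + parsed.level + " canonical=" + canonical(v));
        }
    }
}
```

      Run with `javac AuthLevelParser.java && java AuthLevelParser`. The point of canonical() is that the writer of the session attribute, not every reader, should strip the realm qualifier: once "/:2" reaches the session, every consumer that calls Integer.parseInt turns a valid session into an HTTP 500, which is the symptom reproduced below.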

      Steps to reproduce:

      • Set up a fresh instance of OpenAM 11.0.3 with a WPA
      • Add two DataStore auth modules with AuthLevels 1 and 2
      • Add two policies:
        • Policy 1: http://www.example.com/authlevel1/* with condition AuthLevel >= 1, tied to realm /
        • Policy 2: http://www.example.com/authlevel2/* with condition AuthLevel >= 2, realm /
      • Log in via agent advice by visiting authlevel1, then visit authlevel2; the agent redirects to a session upgrade. After the second login the AuthLevel session attribute will be "/:2".

      Now hit any bit of code that uses that attribute and assumes it is an integer.

      Example:

      Ians-MacBook-Pro:logs3 ian$ curl -X POST -H "iplanetdirectorypro: AQIC5wM2LY4Sfcyo7hca2xtTGS1RwaA1URFclGEUYcO6-eI.*AAJTSQACMDEAAlNLABQtMzIzNDQwNzk4OTIzNDk0NjI5Ng..*" -H "Cache-Control: no-cache" 'http://openam.example.com:8080/openam/json/users?_action=idFromSession'
      <html><head><title>Apache Tomcat/7.0.35 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - AMSetupFilter.doFilter</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>AMSetupFilter.doFilter</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.servlet.ServletException: AMSetupFilter.doFilter
          com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:136)
      </pre></p><p><b>root cause</b> <pre>javax.servlet.ServletException: For input string: &quot;/:1&quot;
          org.forgerock.jaspi.filter.AuthNFilter.doFilter(AuthNFilter.java:227)
          org.forgerock.openam.jaspi.filter.AMAuthNFilter.doFilter(AMAuthNFilter.java:108)
          org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
          com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
      </pre></p><p><b>root cause</b> <pre>javax.security.auth.message.AuthException: For input string: &quot;/:1&quot;
          org.forgerock.openam.jaspi.modules.session.LocalSSOTokenSessionModule.validate(LocalSSOTokenSessionModule.java:208)
          org.forgerock.openam.jaspi.modules.session.LocalSSOTokenSessionModule.validateRequest(LocalSSOTokenSessionModule.java:161)
          org.forgerock.jaspi.container.ServerAuthContextImpl.validateRequest(ServerAuthContextImpl.java:147)
          org.forgerock.jaspi.filter.AuthNFilter.doFilter(AuthNFilter.java:164)
          org.forgerock.openam.jaspi.filter.AMAuthNFilter.doFilter(AMAuthNFilter.java:108)
          org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
          com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
      </pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.35 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.35</h3></body></html>
      

            People

            • Assignee: Sachiko Wallace (sachiko)
            • Reporter: Ian Packer (ian.packer) [X] (Inactive)
            • Votes: 0
            • Watchers: 6