OPENAM-9364

Authentication error codes are not made available correctly to SAML2 extensions

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: authentication
    • Sprint: AM Sustaining Sprint 24, AM Sustaining Sprint 25, AM Sustaining Sprint 26, AM Sustaining Sprint 27, AM Sustaining Sprint 28, AM Sustaining Sprint 29, AM Sustaining Sprint 30, AM Sustaining Sprint 31
    • Story Points: 2

      Description

      It seems that the LoginState catches AuthException when it does some authentication work. This looks fine. However, there is some code like this:

      try {
         ....
      } catch (AuthException ae) {
         // the caught exception is wrapped in a new AuthException, so the
         // original error code is no longer on the exception that propagates
         throw new AuthException(ae);
      }
      

      One example is when a custom SP adapter is configured with
      postSingleSignOnFailure (http://download.forgerock.org/downloads/openam/javadocs/internal/index.html?com/sun/identity/saml2/plugins/SAML2ServiceProviderAdapter.html), which is passed an errcode. If the
      account is locked out, instead of getting SAML2ServiceProviderAdapter.SSO_FAILED_AUTH_USER_INACTIVE or
      SAML2ServiceProviderAdapter.SSO_FAILED_AUTH_USER_LOCKED,
      one gets SSO_FAILED_SESSION_GENERATION.

      Your account has been locked.|user_inactive.jsp
              at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:282)
              at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1256)
              at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp
      ...
              at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1218)
              at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:250)
              ... 37 more
      Caused by: com.sun.identity.authentication.service.AuthException: Your account has been locked.|user_inactive.jsp
              at com.sun.identity.authentication.service.LoginState.searchUserProfile(LoginState.java:2733)
              at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:589)
              ... 41 more
      Caused by: com.sun.identity.authentication.service.AuthException: Your account has been locked.|user_inactive.jsp
              at com.sun.identity.authentication.service.LoginState.searchUserProfile(LoginState.java:2587)
              ... 42 more
      

      Notice that searchUserProfile has exactly this issue: the original
      cause is lost by the time SPACSUtils later needs to call, say, the custom SP adapter's postSingleSignOnFailure.

      There may be other places where the AuthException should be rethrown
      rather than wrapped and thrown again.
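The following is an added, self-contained model of the failure mode described in this report; it is not OpenAM code and does not use the real com.sun.identity classes. The nested AuthException class, the three SSO_FAILED_* string constants, the user_locked / user_inactive error codes and the method names are hypothetical stand-ins chosen to mirror the shape of the report. It shows the wrap-and-rethrow pattern discarding the error code so the adapter-facing mapping falls back to the generic session-generation failure, the plain rethrow preserving it, and a defensive cause-chain walk an adapter could use if a wrapped exception still reaches it.

```java
// Added example (not OpenAM's code): how wrapping an AuthException loses the
// error code a SAML2 SP adapter needs. All names below are hypothetical
// stand-ins, not the real com.sun.identity classes or constants.
public class WrappedAuthErrorDemo {

    /** Stand-in for an authentication exception that carries an error code. */
    static class AuthException extends Exception {
        private final String errorCode;

        AuthException(String errorCode, String message) {
            super(message);
            this.errorCode = errorCode;
        }

        /** Wrap-and-rethrow constructor: keeps the message and cause, drops the code. */
        AuthException(Throwable cause) {
            super(cause.getMessage(), cause);
            this.errorCode = null;
        }

        String getErrorCode() { return errorCode; }
    }

    // Hypothetical stand-ins for the adapter failure codes named in the report.
    static final String SSO_FAILED_AUTH_USER_INACTIVE = "SSO_FAILED_AUTH_USER_INACTIVE";
    static final String SSO_FAILED_AUTH_USER_LOCKED = "SSO_FAILED_AUTH_USER_LOCKED";
    static final String SSO_FAILED_SESSION_GENERATION = "SSO_FAILED_SESSION_GENERATION";

    /** Stand-in for the profile lookup: the locked account is the root cause. */
    static void searchUserProfile(String user) throws AuthException {
        throw new AuthException("user_locked", "Your account has been locked.|user_inactive.jsp");
    }

    /** The pattern reported in the bug: catch, wrap, rethrow. */
    static void runLoginWrapping(String user) throws AuthException {
        try {
            searchUserProfile(user);
        } catch (AuthException ae) {
            throw new AuthException(ae);   // errorCode is now null
        }
    }

    /** The fix: let the original exception propagate unchanged. */
    static void runLoginRethrowing(String user) throws AuthException {
        try {
            searchUserProfile(user);
        } catch (AuthException ae) {
            throw ae;                      // errorCode survives
        }
    }

    /** Stand-in for the mapping done before postSingleSignOnFailure is called. */
    static String toSsoFailureCode(String errorCode) {
        if ("user_locked".equals(errorCode)) return SSO_FAILED_AUTH_USER_LOCKED;
        if ("user_inactive".equals(errorCode)) return SSO_FAILED_AUTH_USER_INACTIVE;
        return SSO_FAILED_SESSION_GENERATION; // generic fallback the reporter observed
    }

    /** Defensive alternative for an adapter: take the innermost non-null error code. */
    static String rootErrorCode(Throwable t) {
        String code = null;
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            if (cur instanceof AuthException && ((AuthException) cur).getErrorCode() != null) {
                code = ((AuthException) cur).getErrorCode();
            }
        }
        return code;
    }

    /** Runs one login variant and reports what the adapter would be handed. */
    static String attempt(String label, boolean wrap) {
        try {
            if (wrap) runLoginWrapping("alice"); else runLoginRethrowing("alice");
            return label + ": success";
        } catch (AuthException ae) {
            return label + ": adapter sees " + toSsoFailureCode(ae.getErrorCode())
                 + " (root cause maps to " + toSsoFailureCode(rootErrorCode(ae)) + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println(attempt("wrapped", true));
        System.out.println(attempt("rethrown", false));
    }
}
```

Compile and run with `javac WrappedAuthErrorDemo.java && java WrappedAuthErrorDemo`. The "wrapped" line shows the generic session-generation code on the outer exception while the cause chain still holds the locked-account code; the "rethrown" line shows the locked-account code on the exception itself. The cause-chain walk is a mitigation for adapter authors, not a substitute for the fix in the catch blocks, since a wrapping constructor that does not pass the cause through would leave nothing to recover.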

        People

        • Assignee: peter.major (Peter Major)
        • Reporter: chee-weng.chea (C-Weng C)
