OpenAM issue OPENAM-9695

PLL request is returning an empty policy/decision set in local webagent configuration

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.3, 13.0.0, 13.5.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: None
    • Sprint: AM Sustaining Sprint 28, AM Sustaining Sprint 29

      Description

      Test case: OpenAM 12.0.3, OpenAM 13, OpenAM 13.5

      1. Create a "webagent" profile, location: local configuration
      2. Create a new user Sam
      3. Create a policy in the default application "iPlanetAMWebAgentService", restricted to user Sam
      4. Create a policy in the new application "hoge", restricted to user Demo

      Run the following script:

      #!/usr/bin/env bash
      # Reproduction script: authenticate three identities, then request the
      # same policy decision twice, once over REST and once over PLL.
      set -eu

      openam="http://openam.internal.example.com:8080/openam"   # base URL already includes the context root
      user="amadmin"
      password="password"
      user1="demo"
      password1="changeit"
      
      webagentuser="webagent"
      webagentpassword="password"
      #user1="sam"
      #password1="password"
      
      application="hoge"
      # Protected resource the policies are written for (see the results below).
      protecturl="http://eave.internal.example.com:8000/index.html"

      # Authenticate one identity over REST and print its SSO token id.
      authenticate() {
        curl -s --request POST \
          --header "X-OpenAM-Username: $1" \
          --header "X-OpenAM-Password: $2" \
          --header "Content-Type: application/json" \
          --data "{}" "$openam/json/authenticate" | jq -r .tokenId
      }

      tokenid=$(authenticate "$user" "$password")
      echo "$user is $tokenid"
      
      tokenid1=$(authenticate "$user1" "$password1")
      echo "$user1 is $tokenid1"
      
      tokenid2=$(authenticate "$webagentuser" "$webagentpassword")
      echo "$webagentuser is $tokenid2"
      
      # REST policy evaluation: the web agent is the caller, the user token is the subject.
       curl -s \
       --request POST \
       --header "iPlanetDirectoryPro: $tokenid2" \
       --header "Content-Type: application/json" \
       --data "{
      \"resources\": [ \"$protecturl\" ],
      \"subject\": { \"ssoToken\": \"$tokenid1\" },
      \"application\": \"$application\"
       }" \
       "$openam/json/policies?_action=evaluate" | jq . 
      
      # PLL policy evaluation with the same agent token, user token, application and resource.
       curl -s -D - -X POST -H 'Content-Type: text/xml' --data "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
      <RequestSet vers=\"1.0\" svcid=\"Policy\" reqid=\"3\">
      <Request><![CDATA[<PolicyService version=\"1.0\">
      <PolicyRequest requestId=\"4\" appSSOToken=\"$tokenid2\">
      <GetResourceResults userSSOToken=\"$tokenid1\" serviceName=\"$application\" resourceName=\"$protecturl\" resourceScope=\"self\">
      <EnvParameters><AttributeValuePair><Attribute name=\"requestIp\"/><Value></Value></AttributeValuePair></EnvParameters>
      <GetResponseDecisions>
      *
      </GetResponseDecisions>
      </GetResourceResults>
      </PolicyRequest>
      </PolicyService>]]>
      </Request>
      </RequestSet>" "$openam/policyservice"
      
      

      Noticed that the JSON policy evaluation (webagent token, demo user token, application hoge) returns success:

      [
        {
          "advices": {},
          "resource": "http://eave.internal.example.com:8000/index.html",
          "actions": {
            "POST": true,
            "GET": true
          },
          "attributes": {}
        }
      ]
      
      

      The PLL policy request (webagent token, demo user token, application hoge) evaluation returns failure/deny:

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Content-Length: 469
      Date: Thu, 15 Sep 2016 10:53:44 GMT
      
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <ResponseSet vers="1.0" svcid="policy" reqid="3">
      <Response><![CDATA[<PolicyService version="1.0" revisionNumber="60">
      <PolicyResponse requestId="4" issueInstant="1473936824075" >
      <ResourceResult name="http://eave.internal.example.com:8000/index.html">
      <PolicyDecision>
      <ResponseAttributes>
      </ResponseAttributes>
      </PolicyDecision>
      </ResourceResult>
      </PolicyResponse>
      </PolicyService>
      ]]></Response>
      </ResponseSet>
      

      It has been observed that the PLL policy is evaluated against iPlanetAMWebAgentService (regardless of your application setting).
      This is verified by changing the user from demo to Sam; it will result in a successful evaluation.

      Also, the PLL policy is evaluated successfully if the amadmin token is used (amadmin token, demo user token, application hoge).
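
The following is an added example, not part of this issue or of the OpenAM code base: a small regression check that parses the REST `_action=evaluate` answer and the PLL `policyservice` ResponseSet for the same resource and flags any action on which the two disagree, which is exactly the symptom reported above (REST grants GET/POST, PLL returns a PolicyDecision with no decisions at all). The two sample bodies are constructed from the responses quoted in the description. The issue only shows the empty PLL case, so the layout assumed here for a non-empty PLL decision (ActionDecision containing AttributeValuePair with Attribute@name and a Value of allow/deny) is this example's assumption.

```python
import json
import xml.etree.ElementTree as ET

# Resource under test, taken from the results quoted in the issue.
RESOURCE = "http://eave.internal.example.com:8000/index.html"

# Constructed sample: body returned by /json/policies?_action=evaluate
# (web agent caller token, demo user as subject, application "hoge").
JSON_EVALUATE = """[
  {"advices": {}, "resource": "http://eave.internal.example.com:8000/index.html",
   "actions": {"POST": true, "GET": true}, "attributes": {}}
]"""

# Constructed sample: the empty PLL ResponseSet quoted in the issue.
PLL_EMPTY = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="policy" reqid="3">
<Response><![CDATA[<PolicyService version="1.0" revisionNumber="60">
<PolicyResponse requestId="4" issueInstant="1473936824075" >
<ResourceResult name="http://eave.internal.example.com:8000/index.html">
<PolicyDecision>
<ResponseAttributes>
</ResponseAttributes>
</PolicyDecision>
</ResourceResult>
</PolicyResponse>
</PolicyService>
]]></Response>
</ResponseSet>"""

# Constructed sample of a consistent PLL answer. The ActionDecision /
# AttributeValuePair / Attribute@name / Value layout is an assumption of
# this example; the issue only shows the empty case.
PLL_ALLOW = PLL_EMPTY.replace(
    "</ResponseAttributes>\n",
    "</ResponseAttributes>\n"
    + "".join(
        '<ActionDecision timeToLive="9223372036854775807">\n'
        "<AttributeValuePair>\n"
        f'<Attribute name="{action}"/>\n'
        "<Value>allow</Value>\n"
        "</AttributeValuePair>\n"
        "</ActionDecision>\n"
        for action in ("GET", "POST")
    ),
)


def parse_json_evaluate(body):
    """Map resource -> {action: allowed} from a REST evaluate response."""
    decisions = {}
    for entry in json.loads(body):
        actions = entry.get("actions", {})
        decisions[entry["resource"]] = {a: bool(v) for a, v in actions.items()}
    return decisions


def parse_pll_response(body):
    """Map resource -> {action: allowed} from a PLL ResponseSet.

    The PolicyService document travels as CDATA inside <Response>, so it is
    parsed as a second XML document. A ResourceResult whose PolicyDecision
    carries no ActionDecision yields an empty action map.
    """
    decisions = {}
    for response in ET.fromstring(body).iter("Response"):
        inner = ET.fromstring((response.text or "").strip())
        for result in inner.iter("ResourceResult"):
            actions = {}
            for decision in result.iter("ActionDecision"):
                for pair in decision.iter("AttributeValuePair"):
                    name = pair.find("Attribute").get("name")
                    value = (pair.findtext("Value") or "").strip().lower()
                    actions[name] = value == "allow"
            decisions[result.get("name")] = actions
    return decisions


def compare_decisions(json_decisions, pll_decisions):
    """Return (resource, action, rest_allowed, pll_allowed) for each disagreement.

    An action present in one answer and absent in the other counts as a
    disagreement: PLL returning no ActionDecision while REST grants the
    action is the behaviour this issue reports.
    """
    mismatches = []
    for resource in sorted(set(json_decisions) | set(pll_decisions)):
        rest = json_decisions.get(resource, {})
        pll = pll_decisions.get(resource, {})
        for action in sorted(set(rest) | set(pll)):
            if rest.get(action) != pll.get(action):
                mismatches.append((resource, action, rest.get(action), pll.get(action)))
    return mismatches


if __name__ == "__main__":
    rest = parse_json_evaluate(JSON_EVALUATE)
    for label, body in (("empty PLL decision", PLL_EMPTY), ("PLL with ActionDecisions", PLL_ALLOW)):
        diffs = compare_decisions(rest, parse_pll_response(body))
        print(label, "->", "MISMATCH" if diffs else "consistent", diffs)
```

In a live check the two bodies would come from the two curl calls in the reproduction script above, run with the same agent token, user token, application and resource; any non-empty list from compare_decisions is the bug.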

              People

              • Assignee: Jonathan Thomas (jonthomas)
              • Reporter: Sam Phua (sam.phua)
              • Votes: 0
              • Watchers: 3


                  Time Tracking

                  • Original Estimate: 7h
                  • Time Spent: 3h
                  • Remaining Estimate: 4h