  1. OpenAM
  2. OPENAM-9893

WindowsDesktop SSO auth module broken when XUI is used

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 12.0.0, 13.0.0, 13.5.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: authentication, XUI
    • Environment:
      Mac OS X

      java version "1.8.0_31"
      Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)

      Tomcat 8.5.4

      OpenAM 13.5.0
    • Sprint:
      AM Sustaining Sprint 30

      Description

      Create a WDSSO auth-module and try to perform auth-module based auth with XUI

      An authentication error will appear.

      Excerpt from the debug log

      Authentication
      amAuth:10/24/2016 11:22:02:862 AM CEST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[1ff53fe6-a7db-48ee-a126-c6f43c5dfeef-488]
      Error during login..
      amAuth:10/24/2016 11:22:02:862 AM CEST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[1ff53fe6-a7db-48ee-a126-c6f43c5dfeef-488]
      Exception
      javax.security.auth.login.LoginException: java.lang.ClassCastException: java.lang.Boolean cannot be cast to java.lang.String
      	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.hasWDSSOFailed(WindowsDesktopSSO.java:404)
      	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:156)
      	at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
      	at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
      	at sun.reflect.GeneratedMethodAccessor54.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:483)
      	at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:217)
      	at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:125)
      	at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:565)
      	at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
      	at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
      	at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
      	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:262)
      	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
      	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
      	at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:483)
      	at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
      	at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:72)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:73)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:84)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:168)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
      	at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
      	at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
      	at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:555)
      	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:477)
      	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:468)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:146)
      	at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.openam.http.HandlerProvider.handle(HandlerProvider.java:50)
      	at org.forgerock.openam.http.HttpRoute$3.handle(HttpRoute.java:142)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:60)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:225)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:522)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:1110)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:785)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1425)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      
      	at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:281)
      	at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:125)
      	at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:565)
      	at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
      	at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
      	at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
      	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:262)
      	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
      	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
      	at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:483)
      	at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
      	at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:72)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:73)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:84)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:168)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
      	at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
      	at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
      	at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:555)
      	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:477)
      	at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:468)
      	at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:146)
      	at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.openam.http.HandlerProvider.handle(HandlerProvider.java:50)
      	at org.forgerock.openam.http.HttpRoute$3.handle(HttpRoute.java:142)
      	at org.forgerock.http.routing.Router.handle(Router.java:92)
      	at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:60)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:56)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:225)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:522)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:1110)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:785)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1425)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      

      According to debugger information the object

      request.getAttribute("http-auth-failed")			
      

      is of type Boolean in

      WindowsDesktopSSO.java
          /**
           * Checks the request for an attribute "http-auth-failed".
           *
           * @param request The HttpServletRequest.
           * @return If the attribute is present and set to true true is returned otherwise false is returned.
           */
          private boolean hasWDSSOFailed(HttpServletRequest request) {
              return Boolean.valueOf((String) request.getAttribute("http-auth-failed"));
          }
      

      Side note: The exception does not show up in any log when SAML SP-initiated SSO is performed.
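
      The type mismatch described above, reproduced outside OpenAM as an added example (not the project's code and not the fix that shipped in 13.5.1/14.0.0). A plain Map stands in for the HttpServletRequest attributes, and the class and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

public class HttpAuthFailedFlag {

    static final String ATTR = "http-auth-failed";

    // Same expression as hasWDSSOFailed() in the report: an unconditional
    // cast to String, which only works if the caller stored a String (or null).
    static boolean castingRead(Map<String, Object> attrs) {
        return Boolean.valueOf((String) attrs.get(ATTR));
    }

    // Type-tolerant read: accepts the Boolean seen in the debugger as well as
    // a String. Any other value, or a missing attribute, yields false, which
    // matches the "otherwise false is returned" contract in the Javadoc.
    static boolean tolerantRead(Map<String, Object> attrs) {
        Object value = attrs.get(ATTR);
        if (value instanceof Boolean) {
            return (Boolean) value;
        }
        if (value instanceof String) {
            return Boolean.parseBoolean((String) value);
        }
        return false;
    }

    // Runs the casting variant and reports the exception instead of
    // propagating it, so both variants can be compared side by side.
    static String describeCastingRead(Map<String, Object> attrs) {
        try {
            return String.valueOf(castingRead(attrs));
        } catch (ClassCastException e) {
            return "ClassCastException";
        }
    }

    public static void main(String[] args) {
        // Constructed sample values for the attribute, one per caller style.
        Object[] samples = { Boolean.TRUE, Boolean.FALSE, "true", "false", null, 1 };
        for (Object sample : samples) {
            Map<String, Object> attrs = new HashMap<>();
            attrs.put(ATTR, sample);
            String type = sample == null ? "null" : sample.getClass().getSimpleName();
            System.out.printf("%-8s %-6s cast=%-18s tolerant=%s%n",
                    type, sample, describeCastingRead(attrs), tolerantRead(attrs));
        }
    }
}
```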

              People

              • Assignee:
                peter.major Peter Major [X] (Inactive)
                Reporter:
                bthalmayr Bernhard Thalmayr