OPENAM-9979

Authentication chain post authentication classes are not used if realm level PAP setting exists

    Details

    • Sprint:
      AM Sustaining Sprint 32, AM Sustaining Sprint 33, AM Sustaining Sprint 34, AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Authentication chain PAP (post authentication processing) class settings are ignored if realm-based PAP class settings also exist. One example: a realm already has a PAP set, and a new chain is then created using the SAML2 or Persistent Cookie auth modules. If the necessary PAP classes are added to the chain settings, they will not get called.

      Steps to reproduce:
      1. Configure a PAP class in realm -> authentication -> settings
      2. Configure a different PAP class in realm -> authentication -> chains -> ldapService -> settings.
      3. Login with http://openam.example.com:8080/openam

      Result:
      The realm level PAP class is called, the authentication chain PAP class is not.

      Expected result:
      The authentication chain PAP class should take precedence over the realm level PAP class.

      Workaround:
      Either:
      a) Only use PAP settings at the authentication chain level.
      or
      b) Use the 'service' parameter when logging in. E.g. http://openam.example.com:8080/openam?service=ldapService

      Without the service parameter, indexType and indexName are null when OpenAM tries to pick up the right classes (see setPostLoginInstances below).

      com.sun.identity.authentication.service.LoginState

          /**
           * Creates a set of instances that are implementation of classes of type
           * AMPostAuthProcessInterface. The classes are picked based on index type
           * and auth configuration.
           *
           * @param indexType Index type for post login process
           * @param indexName Index name for post login process
           */
          void setPostLoginInstances(
                  AuthContext.IndexType indexType,
                  String indexName) {
              AMPostAuthProcessInterface postProcessInstance = null;
              String postLoginClassName = null;
              Set postLoginClassSet = Collections.EMPTY_SET;
              if (indexType == AuthContext.IndexType.ROLE) {

                  /* If role based auth then get post process classes from
                   * auth config of that role.
                   */

                  postLoginClassSet = getRolePostLoginClassSet();
              } else if (indexType == AuthContext.IndexType.SERVICE) {

                  /* For service based auth if service name is console service
                   * then use admin auth config otherwise use the index name
                   */

                  if (indexName.equals(ISAuthConstants.CONSOLE_SERVICE)) {
                      if (LazyConfig.AUTHD.revisionNumber >= ISAuthConstants.AUTHSERVICE_REVISION7_0) {
                          if ((orgAdminAuthConfig != null) &&
                                  (!orgAdminAuthConfig.equals(ISAuthConstants.BLANK))) {
                              postLoginClassSet = getServicePostLoginClassSet(orgAdminAuthConfig);
                          }
                      }
                  } else {
                      postLoginClassSet = getServicePostLoginClassSet(indexName);
                  }
              } else if ((indexType == AuthContext.IndexType.USER) &&
                      (LazyConfig.AUTHD.revisionNumber >= ISAuthConstants.AUTHSERVICE_REVISION7_0)) {

                  /* For user based auth, take the auth config from users attributes
                   */

                  if ((userAuthConfig != null) && (!userAuthConfig.equals(ISAuthConstants.BLANK))) {
                      postLoginClassSet = getServicePostLoginClassSet(userAuthConfig);
                  }
              }

              if (((postLoginClassSet == null) || (postLoginClassSet.isEmpty())) &&
                      ((orgPostLoginClassSet != null) && (!orgPostLoginClassSet.isEmpty()))) {

                  /* If no Post Process class is found or module based auth then
                   * default to org level only if they are defined.
                   */
                  postLoginClassSet = orgPostLoginClassSet;
              } else if ((LazyConfig.AUTHD.revisionNumber >= ISAuthConstants.AUTHSERVICE_REVISION7_0)
                      && (indexType == null)) {

                  /* For org based auth, if post process classes are not defined at
                   * org level then use org default config.
                   */

                  if ((orgAuthConfig != null) && (!orgAuthConfig.equals(ISAuthConstants.BLANK))) {
                      postLoginClassSet = getServicePostLoginClassSet(orgAuthConfig);
                  }
              }

              if (DEBUG.messageEnabled()) {
                  DEBUG.message("postLoginClassSet = " + postLoginClassSet);
              }

              if ((postLoginClassSet != null) && (!postLoginClassSet.isEmpty())) {
                  postLoginInstanceSet = new HashSet<AMPostAuthProcessInterface>();
                  StringBuilder sb = new StringBuilder();
                  for (Object aPostLoginClassSet : postLoginClassSet) {
                      postLoginClassName = (String) aPostLoginClassSet;
                      if (sb.length() > 0) {
                          sb.append("|");
                      }
                      if (DEBUG.messageEnabled()) {
                          DEBUG.message("setPostLoginInstances : " + postLoginClassName);
                          DEBUG.message("setPostLoginInstances : " + postLoginClassSet.size());
                      }
                      postProcessInstance = getPostLoginProcessInstance(postLoginClassName);
                      if (postProcessInstance != null) {
                          postLoginInstanceSet.add(postProcessInstance);
                          sb.append(postLoginClassName);
                      }
                  }
                  session.putProperty(ISAuthConstants.POST_AUTH_PROCESS_INSTANCE, sb.toString());
              }
          }
      
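As an added illustration (not OpenAM code), a stand-alone Java model of the selection order in setPostLoginInstances above, with the realm and chain configuration stubbed as constructed maps. The first method follows the order quoted in the ticket; the second resolves the realm's default chain before falling back to the realm-level classes, which is the precedence the expected result asks for. All class and chain names, and the simplified treatment of ROLE/USER index types, are hypothetical.

```java
import java.util.*;

// Hypothetical model of the PAP class selection in LoginState.setPostLoginInstances.
// Not OpenAM code: config lookups are replaced by constructed in-memory maps.
public class PapPrecedenceDemo {
    enum IndexType { SERVICE, ROLE, USER }

    // Constructed sample config: realm-level PAP (orgPostLoginClassSet) and
    // per-chain PAP classes, plus the realm's default chain (orgAuthConfig).
    static final Set<String> ORG_PAP = Set.of("com.example.RealmPap");
    static final Map<String, Set<String>> CHAIN_PAP =
            Map.of("ldapService", Set.of("com.example.ChainPap"));
    static final String ORG_AUTH_CONFIG = "ldapService";

    /** Order as in the ticket: chain classes only resolved for SERVICE index type. */
    static Set<String> selectAsReported(IndexType indexType, String indexName) {
        Set<String> set = Collections.emptySet();
        if (indexType == IndexType.SERVICE) {
            set = CHAIN_PAP.getOrDefault(indexName, Collections.emptySet());
        }
        if (set.isEmpty() && !ORG_PAP.isEmpty()) {
            set = ORG_PAP;                     // realm-level PAP wins here
        } else if (indexType == null) {        // unreachable while ORG_PAP is set
            set = CHAIN_PAP.getOrDefault(ORG_AUTH_CONFIG, Collections.emptySet());
        }
        return set;
    }

    /** Expected behaviour: consult the default chain before the realm fallback. */
    static Set<String> selectChainFirst(IndexType indexType, String indexName) {
        String chain = indexType == IndexType.SERVICE ? indexName
                     : indexType == null ? ORG_AUTH_CONFIG : null;
        Set<String> set = chain == null ? Collections.emptySet()
                     : CHAIN_PAP.getOrDefault(chain, Collections.emptySet());
        return set.isEmpty() ? ORG_PAP : set;  // realm PAP only as a fallback
    }

    public static void main(String[] args) {
        // No ?service= parameter: indexType and indexName are null.
        System.out.println("reported, no service param:    " + selectAsReported(null, null));
        System.out.println("chain-first, no service param: " + selectChainFirst(null, null));
        // Workaround b) from the ticket: ?service=ldapService sets SERVICE/ldapService.
        System.out.println("reported, ?service=ldapService: "
                + selectAsReported(IndexType.SERVICE, "ldapService"));
    }
}
```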

      People

      • Assignee: sfraser Sam Fraser
      • Reporter: andrew.dunn Andrew Dunn [X] (Inactive)
      • Votes: 1
      • Watchers: 10


      Time Tracking

      • Original Estimate: 4h
      • Remaining Estimate: 0h
      • Time Spent: 4h