Identity Gateway: OPENIG-1227

PolicyEnforcementFilter : after getting a new pep token, OpenIG requests a policy evaluation without providing the resources & subject

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.5.0, 5.0.0
    • Fix Version/s: 5.0.0
    • Component/s: Core
    • Environment:
      OS : OSX 10.11.5
      container : Tomcat 8.0.23
      jdk : 1.8.0_73
    • Flagged:
      Impediment

      Description

      Description
      Once the end-user has authenticated on OpenAM to access the resource, if the PolicyEnforcementFilter token expires, then when the end-user accesses the resource again OpenIG first returns a 500 Internal Server Error instead of the expected resource.
      The next access works fine.

      Expected
      The 1st response should be successful.

      Analysis
      In the tested case, the reason for the error is that after getting a new token (named pepSsoToken here), the PolicyEnforcementFilter sends AM a request to evaluate the policy and gets back a 400 Bad Request ("Invalid value resources").
      Finally, a 500 Internal Server Error is returned to the User-Agent.

      11:12:14:384 | INFO  | I/O dispatcher 11 | @MyCapture[captured_handler] |
      
      <--- (response) id:bb9ddba0-a561-4d85-ba72-3f1d2991ff46-95 ---
      
      HTTP/1.1 401 Unauthorized
      Cache-Control: no-cache
      Content-Type: application/json; charset=UTF-8
      Date: Mon, 05 Sep 2016 09:12:14 GMT
      Server: Apache-Coyote/1.1
      
      {"code":401,"reason":"Unauthorized","message":"Access Denied"}
      Context's content as JSON:
      {
          
      }
      
      11:12:14:385 | INFO  | I/O dispatcher 11 | @MyCapture[captured_handler] |
      
      --- (request) id:bb9ddba0-a561-4d85-ba72-3f1d2991ff46-95 --->
      
      POST http://openam.example.com:8081/openam/json/OpenIGasPEP/authenticate HTTP/1.1
      Content-Length: 2
      Content-Type: application/json; charset=UTF-8
      X-OpenAM-Password: password
      X-OpenAM-Username: policyAdmin
      
      {}
      Context's content as JSON:
      {
          
      }
      
      11:12:14:395 | INFO  | I/O dispatcher 9 | @MyCapture[captured_handler] |
      
      <--- (response) id:bb9ddba0-a561-4d85-ba72-3f1d2991ff46-95 ---
      
      HTTP/1.1 200 OK
      Cache-Control: no-cache, no-store, must-revalidate
      Content-API-Version: resource=2.0
      Content-Length: 147
      Content-Type: application/json; charset=UTF-8
      Date: Mon, 05 Sep 2016 09:12:14 GMT
      Expires: 0
      Pragma: no-cache
      Server: Apache-Coyote/1.1
      Set-Cookie: amlbcookie=01; Path=/; Domain=.example.com
      
      {"tokenId":"AQIC5wM2LY4SfcwV5H8DA2-z7w_xlTci79-aenpOR40c81I.*AAJTSQACMDEAAlNLABMzMDMxMjg2MTgyNjg0NzE4Mzg3AAJTMQAA*","successUrl":"/openam/console"}
      Context's content as JSON:
      {
          
      }
      
      11:12:14:395 | INFO  | I/O dispatcher 9 | @MyCapture[captured_handler] |
      
      --- (request) id:bb9ddba0-a561-4d85-ba72-3f1d2991ff46-95 --->
      
      POST http://openam.example.com:8081/openam/json/OpenIGasPEP/policies?_action=evaluate HTTP/1.1
      Accept-API-Version: protocol=1.0,resource=2.0
      Content-Length: 263
      Content-Type: application/json; charset=UTF-8
      pepSsoToken: AQIC5wM2LY4SfcwV5H8DA2-z7w_xlTci79-aenpOR40c81I.*AAJTSQACMDEAAlNLABMzMDMxMjg2MTgyNjg0NzE4Mzg3AAJTMQAA*
      
      
      Context's content as JSON:
      {
          
      }
      
      11:12:14:401 | INFO  | I/O dispatcher 10 | @MyCapture[captured_handler] |
      
      <--- (response) id:bb9ddba0-a561-4d85-ba72-3f1d2991ff46-95 ---
      
      HTTP/1.1 400 Bad Request
      Cache-Control: no-cache
      Content-API-Version: resource=2.1
      Content-Type: application/json; charset=UTF-8
      Date: Mon, 05 Sep 2016 09:12:14 GMT
      Server: Apache-Coyote/1.1
      
      {"code":400,"reason":"Bad Request","message":"Invalid value resources"}
      Context's content as JSON:
      {
          
      }
      

      In a working case, the resources and subject are sent:

      11:10:59:077 | INFO  | I/O dispatcher 11 | @MyCapture[captured_handler] |
      
      --- (request) id:bb9ddba0-a561-4d85-ba72-3f1d2991ff46-91 --->
      
      POST http://openam.example.com:8081/openam/json/OpenIGasPEP/policies?_action=evaluate HTTP/1.1
      Accept-API-Version: protocol=1.0,resource=2.0
      Content-Length: 263
      Content-Type: application/json; charset=UTF-8
      pepSsoToken: AQIC5wM2LY4SfcxpoAFsQwcjxPLAf7cFbVQrZ-2tMYzieu8.*AAJTSQACMDEAAlNLABQtNDgxMTQzODE0MzA2NTEwMDAyMgACUzEAAA..*
      
      {"resources":["http://app.example.com:8080/pep_specific_realm_and_application_and_ssotokenheader"],"subject":{"ssoToken":"AQIC5wM2LY4SfcywyWV5caV-tJKUc49x2rlwBWRFEpiCK0I.*AAJTSQACMDEAAlNLABQtNzY4NTUwMTczMTA4MzAwODE0NgACUzEAAA..*"},"application":"PEP-Application"}
      Context's content as JSON:
      {
          
      }
      
      11:10:59:084 | INFO  | I/O dispatcher 9 | @MyCapture[captured_handler] |
      
      <--- (response) id:bb9ddba0-a561-4d85-ba72-3f1d2991ff46-91 ---
      
      HTTP/1.1 200 OK
      Cache-Control: no-cache
      Content-API-Version: resource=2.1
      Content-Type: application/json; charset=UTF-8
      Date: Mon, 05 Sep 2016 09:10:59 GMT
      Server: Apache-Coyote/1.1
      
      [{"resource":"http://app.example.com:8080/pep_specific_realm_and_application_and_ssotokenheader","actions":{"GET":true},"attributes":{},"ttl":9223372036854775807,"advices":{}}]
      Context's content as JSON:
      {
          
      }
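The failing and the working exchanges above, as an added example that is not part of the original report or of OpenIG: a Python model of the PEP client's re-authenticate-and-retry path, driven against a constructed in-memory stand-in for AM's `authenticate` and `policies?_action=evaluate` endpoints. The `FakeAM`, `PolicyEnforcer`, `user_agent_status` and `reproduce` names, the token values, the end-user subject token and the one-shot-body cause of the empty retry are all assumptions made for the illustration; the report only shows that the retried evaluate request carries no body.

```python
"""Re-authenticate-and-retry for a policy-enforcement point (PEP).

Added illustration, not OpenIG or OpenAM code.  FakeAM is a constructed
in-memory stand-in for the two AM endpoints in the capture; token values,
the subject token and the credential check are made up.
"""
import itertools
import json
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: object


class FakeAM:
    """401 for a stale PEP token, 400 for a body without resources, else 200."""

    def __init__(self):
        self._seq = itertools.count(1)
        self._valid = set()

    def authenticate(self, username, password):
        # Constructed credential check; the capture shows the credentials
        # travelling in X-OpenAM-Username / X-OpenAM-Password headers.
        if (username, password) != ("policyAdmin", "password"):
            return Response(401, {"code": 401, "reason": "Unauthorized"})
        token = f"pep-token-{next(self._seq)}"
        self._valid.add(token)
        return Response(200, {"tokenId": token, "successUrl": "/openam/console"})

    def expire(self, token):
        """Simulate the PEP session timing out on the AM side."""
        self._valid.discard(token)

    def evaluate(self, pep_token, raw_body):
        # AM checks the PEP session before parsing the body, which is why the
        # capture shows a 401 first and the 400 only after re-authentication.
        if pep_token not in self._valid:
            return Response(401, {"code": 401, "reason": "Unauthorized",
                                  "message": "Access Denied"})
        body = json.loads(raw_body) if raw_body else {}
        resources = body.get("resources")
        if not resources:
            return Response(400, {"code": 400, "reason": "Bad Request",
                                  "message": "Invalid value resources"})
        return Response(200, [{"resource": r, "actions": {"GET": True},
                               "attributes": {}, "advices": {}} for r in resources])


class PolicyEnforcer:
    """Client side of the exchange, with the broken and the corrected retry."""

    def __init__(self, am, username, password, application):
        self.am, self.username, self.password = am, username, password
        self.application = application
        self.token = None  # cached pepSsoToken

    def _pep_token(self):
        if self.token is None:
            r = self.am.authenticate(self.username, self.password)
            if r.status != 200:
                raise RuntimeError("PEP authentication failed")
            self.token = r.body["tokenId"]
        return self.token

    def _body(self, resource, subject_token):
        return json.dumps({"resources": [resource],
                           "subject": {"ssoToken": subject_token},
                           "application": self.application})

    def evaluate_buggy(self, resource, subject_token):
        # Models the reported failure.  Assumed mechanism: the body is a
        # one-shot stream drained by the first attempt, so the retry after
        # re-authentication sends nothing and AM answers 400.
        stream = iter([self._body(resource, subject_token)])

        def drain():
            return "".join(stream)

        r = self.am.evaluate(self._pep_token(), drain())
        if r.status == 401:
            self.token = None                                   # stale PEP token
            r = self.am.evaluate(self._pep_token(), drain())    # stream now empty
        return r

    def evaluate(self, resource, subject_token):
        # Corrected: rebuild the full body for the retry, and retry once only
        # so a persistently rejected PEP token cannot loop.
        r = self.am.evaluate(self._pep_token(), self._body(resource, subject_token))
        if r.status == 401:
            self.token = None
            r = self.am.evaluate(self._pep_token(), self._body(resource, subject_token))
        return r


def user_agent_status(r, action="GET"):
    """What the end-user sees: 200 if allowed, 403 if denied, 500 otherwise."""
    if r.status != 200:
        return 500
    return 200 if all(d["actions"].get(action) for d in r.body) else 403


def reproduce():
    """Replay the report for both paths: access, PEP token expires, access twice."""
    am = FakeAM()
    resource = "http://app.example.com:8080/pep_specific_realm_and_application_and_ssotokenheader"
    subject = "end-user-sso-token"  # constructed subject ssoToken
    out = {}
    for name, method in (("buggy", "evaluate_buggy"), ("fixed", "evaluate")):
        pep = PolicyEnforcer(am, "policyAdmin", "password", "PEP-Application")
        call = getattr(pep, method)
        first = user_agent_status(call(resource, subject))
        am.expire(pep.token)
        second = user_agent_status(call(resource, subject))
        third = user_agent_status(call(resource, subject))
        out[name] = (first, second, third)
    return out
```

`reproduce()` returns `{"buggy": (200, 500, 200), "fixed": (200, 200, 200)}`: the buggy path reproduces the single 500 after token expiry and the fixed path never loses the body. Note also that the capture decorator above records `X-OpenAM-Password` and every session token in clear text; a capture on the AM handler belongs in a test setup only.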
      

              People

              • Assignee: Mark de Reeper (markdr)
              • Reporter: Jean-Charles Deville (jcdevil)
              • Votes: 0
              • Watchers: 4
