[OPENAM-11610] WindowSSO module broken in AM 5.1.1 after upgrade Created: 24/Aug/17  Updated: 19/Dec/17  Resolved: 04/Sep/17

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 14.1.1
Fix Version/s: 13.5.2, 14.5.0, 14.1.2

Type: Bug Priority: Major
Reporter: Sam Phua Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Regression
is caused by OPENAM-5152 AMAuthLevelManager miscalculates auth... Resolved
is caused by OPENAM-5153 Auth modules should call setAuthLevel... Resolved
Sprint: AM Sustaining Sprint 42
Story Points: 2
Needs backport:
No
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same an in the description

 Description   

Upgrade a working WindowSSO module from AM 5.1.0 to AM 5.1.1 ( or OpenAM 14.1.1 ),

http://openam.example.com:8080/openam/UI/Login?realm=demo&module=Windows

the authentication module will fail with the following exception

amAuth:08/24/2017 05:53:35:143 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[0f0c34dc-e29b-4cd4-bff9-6a1e1032bde0-232]
 Exception
 javax.security.auth.login.LoginException: java.lang.ArrayIndexOutOfBoundsException: 7   <=========
 at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.initWindowsDesktopSSOAuth(WindowsDesktopSSO.java:591)
 at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:158)
 at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1083)
 at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1274)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:606)
 at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:219)
 at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:127)
 at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:559)
 at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
 at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:107)
 at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:167)
 at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:260)
 at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:165)
 at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.initiateAuthentication(RestAuthenticationHandler.java:96)
 at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:159)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

The above "ArrayIndexOutOfBoundsException" error will not be shown if an authenticating chain is used but there is a similar error as below

( Search for WindowsDesktopSSO params )

WindowsDesktopSSO params:   <=======
principal: HTTP/openam.example.com@EXAMPLE.COM
keytab file: /home/forgerock/openam11-13-windowSSO/server.keytab
realm : EXAMPLE.COM
kdc server: northface.example.com
domain principal: false
Lookup user in realm:false
Accepted Kerberos realms: []
amAuthWindowsDesktopSSO:08/26/2017 02:33:29:268 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[43345244-65f4-4acd-a125-f663656b7642-2223]
Init WindowsDesktopSSO. This should not happen often.
amAuthWindowsDesktopSSO:08/26/2017 02:33:29:268 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[43345244-65f4-4acd-a125-f663656b7642-2223]
New Service Login ...
amAuthWindowsDesktopSSO:08/26/2017 02:33:29:278 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[43345244-65f4-4acd-a125-f663656b7642-2223]
Service login succeeded.
amLoginModule:08/26/2017 02:33:29:278 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[43345244-65f4-4acd-a125-f663656b7642-2223]
SETTING Failure Module name.... :Windows   <==============
amAuth:08/26/2017 02:33:29:278 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[43345244-65f4-4acd-a125-f663656b7642-2223]
Module name is .. Windows
amAuth:08/26/2017 02:33:29:278 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[43345244-65f4-4acd-a125-f663656b7642-2223]
failureModuleSet is : [Windows]     <============
amAuth:08/26/2017 02:33:29:278 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[43345244-65f4-4acd-a125-f663656b7642-2223]
getUserDN: null
amJAAS:08/26/2017 02:33:29:279 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[43345244-65f4-4acd-a125-f663656b7642-2223]
Method login LoginModuleControlFlag: sufficient failure.  <================

 

 

 

 

 

 



 Comments   
Comment by Ľubomír Mlích [ 27/Sep/17 ]

Reproduced in OpenAM 13.5.2-M4 Build c6adadbd36 (2017-August-16 10:56) - didn't need to upgrade from M4 to M5 to see
java.lang.ArrayIndexOutOfBoundsException: 7
Verified in OpenAM 13.5.2-M6 Build 27646dc847 (2017-September-22 10:32)

Comment by Ľubomír Mlích [ 17/Oct/17 ]

Verified in OpenAM 14.1.2-M1 Build ec49e2d3c5 (2017-October-03 13:59)

Comment by Andy Itter [ 19/Dec/17 ]

Note: This also affects a fresh install of 5.1.1

Generated at Mon Nov 30 02:06:14 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.