[OPENAM-12245] "Authentication by Module Instance" policy env condition doesn't work in session upgrade case Created: 20/Dec/17  Updated: 04/Sep/19  Resolved: 08/Jan/18

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 5.5.1
Fix Version/s: 6.0.0, 5.5.2

Type: Bug Priority: Major
Reporter: Sachiko Wallace Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: AM Sustaining Sprint 46
Story Points: 1
Needs backport:
Support Ticket IDs:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes and I used the same as in the description


Bug description

"Authentication by Module Instance" policy env condition doesn't work in session upgrade case

How to reproduce the issue

NOTE: This issue only happens in case of session upgrade

  1. login to admin console
  2. [Realms] -> select realm -> [Authentication] -> edit [LDAP]
  3. set "Authentication Level=3" and click [Save Changes]
  4. [Authorization] -> [Policy Sets] -> [Default Policy Set] -> "+ Add a Policy"
  5. type in the following data :
    Name : TestPolicy001
    Resource Type: URL
    Resources : http://openam.example.com:38080/helloworld/*
    click [Create]
  6. click [Action] tab, add GET & POST:allow and click [Save Changes]
  7. click [Subjects] tab and set "Type: Authenticated Users" and click [Save Changes]
  8. click [Environments] tab and click [+ Add an Environment Condition]
    Type: Authentication by Module Instance
    Authentication Scheme: /:LDAP (this is in the form of <realm>:<auth module>)
    Application Name: iPlanetAMWebAgentService (Resource Type for policy evaluation)
    Application Idle Timeout Scheme: 2147483647
    Click "check" icon and click [Save Changes]
  9. login with admin user
    curl --request POST --header "X-OpenAM-Username: amadmin" --header "X-OpenAM-Password: cangetin" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/authenticate"
  10. login with demo user
    curl --request POST --header "X-OpenAM-Username: demo" --header "X-OpenAM-Password: changeit" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/authenticate?module=DataStore&authIndexType=module&authIndexValue=DataStore"
  11. then upgrade demo user's session
    curl --request POST --header "iPlanetDirectoryPro:M2hI2hR..." --header "X-OpenAM-Username: demo" --header "X-OpenAM-Password: changeit" "http://openam.example.com:18080/openam/json/realms/root/authenticate?authIndexType=level&authIndexValue=3"
  12. request for policy evaluation
    curl --request POST \
    > --header "Content-Type: application/json" \
    > --header "iPlanetDirectoryPro: <amadmin session>" \
    > --data '{
    >     "resources": [
    >         "http://openam.example.com:38080/helloworld/index.html"
    >     ],
    >     "application": "iPlanetAMWebAgentService",
    >     "subject": { "ssoToken": "<upgraded user session>"}
    > }' \
    > "http://openam.example.com:18080/openam/json/policies?_action=evaluate"
Expected behaviour

The policy evaluation request should return a correct evaluation response.

Current behaviour

The policy evaluation request returns an empty response. If you check the Entitlement debug log, you will see that the requesting user's auth scheme is in the wrong format:

At AuthSchemeCondition.getConditionDecision():authScheme not satisfied = /:LDAP
At AuthSchemeCondition.getConditionDecision():authScheme = [/:LDAP], requestAuthSchemes = [/:L, /:/, /:o, /:P, /:A, /:a, /:r, /:S, /:D, /:t, :, /:e],  allowed before applicationIdleTimeout check = false

Work around


Code analysis

This seems to be a regression caused by the change implemented via AME-13482.
The delimiter passed to split("|") is interpreted as a regular expression (an alternation of two empty patterns), so it splits between every character; it should have been escaped as split("\\|").

    public static String upgradeModuleList(String prevList, String newList, String realm) {
        newList = getRealmQualifiedList(realm, newList);
        utilDebug.message("newList : {}", newList);
        utilDebug.message("prevList : {}", prevList);
        Set<String> result = new LinkedHashSet<>();
        if (prevList != null) {
            // Loop body is elided in the report; reconstructed here. split("|") is the
            // unescaped regex split the analysis refers to: "|" alone matches between every character.
            result.addAll(Arrays.asList(prevList.split("|")));
        }
        result.addAll(Arrays.asList(newList.split("|")));
        return result.stream().collect(Collectors.joining("|"));
    }
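The following is an added, stand-alone illustration of the defect described above; it is not OpenAM code and does not reproduce upgradeModuleList() exactly. It merges two constructed "<realm>:<module>" lists the way the upgrade path does, once with the unescaped split("|") and once with a literal delimiter (Pattern.quote("|"), equivalent to split("\\|")), and adds a round-trip check that a unit test can use to catch this class of regression. Class and method names (SplitOnPipeDemo, mergeBuggy, mergeFixed, roundTrips) are invented for the example.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class SplitOnPipeDemo {

    // Literal delimiter: Pattern.quote escapes regex metacharacters, so "|" is matched as itself.
    private static final String DELIMITER = Pattern.quote("|");

    // Buggy variant: String.split takes a regex, and "|" alone is an alternation of two
    // empty patterns. It matches between every pair of characters, so each module name
    // is shredded into single characters before it is de-duplicated and re-joined.
    static Set<String> mergeBuggy(String prevList, String newList) {
        Set<String> result = new LinkedHashSet<>();
        if (prevList != null) {
            result.addAll(Arrays.asList(prevList.split("|")));
        }
        result.addAll(Arrays.asList(newList.split("|")));
        return result;
    }

    // Fixed variant: identical logic, but the delimiter is matched literally.
    static Set<String> mergeFixed(String prevList, String newList) {
        Set<String> result = new LinkedHashSet<>();
        if (prevList != null) {
            result.addAll(Arrays.asList(prevList.split(DELIMITER)));
        }
        result.addAll(Arrays.asList(newList.split(DELIMITER)));
        return result;
    }

    // Regression check: splitting a "|"-joined list and joining it again must give the
    // original string back. The buggy split fails this for any list whose entries are
    // longer than one character, which is how a unit test would have caught the change.
    static boolean roundTrips(String joined) {
        String rejoined = Arrays.stream(joined.split(DELIMITER))
                .collect(Collectors.joining("|"));
        return joined.equals(rejoined);
    }

    public static void main(String[] args) {
        // Constructed sample values in the <realm>:<module> form used by the env condition.
        String prevList = "/:DataStore";   // module used for the initial login
        String newList = "/:LDAP";         // module used for the session upgrade

        System.out.println("buggy merge : " + mergeBuggy(prevList, newList));
        System.out.println("fixed merge : " + mergeFixed(prevList, newList));
        System.out.println("fixed joined: "
                + mergeFixed(prevList, newList).stream().collect(Collectors.joining("|")));
        System.out.println("round trip  : " + roundTrips(prevList + "|" + newList));
    }
}
```

With the sample values, the buggy merge yields a set of single characters ("/", ":", "D", "a", ...), which is the shape of the requestAuthSchemes list in the debug log above once each fragment has been realm-qualified again, so "/:LDAP" can never match and the condition fails closed. The fixed merge keeps "/:DataStore" and "/:LDAP" intact and the rejoined string round-trips. Any other regex metacharacter chosen as a list delimiter (".", "*", "+", "?") has the same problem, so quoting the delimiter once in a constant is the safer habit than remembering to escape it at each call site.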

Comment by Ľubomír Mlích [ 04/Sep/19 ]

I created OPENAM-15405 for this disappearing value problem

Generated at Fri Sep 25 23:22:02 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.