[OPENAM-12418] Unable to access Forgerock OATH for users with Profile when caching disable Created: 09/Feb/18  Updated: 17/Apr/19  Resolved: 24/Feb/18

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 12.0.4, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 5.5.1
Fix Version/s: 12.0.5, 13.5.3, 6.0.0, 14.1.2, 5.5.2

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: C-Weng C
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

User data caching disabled


Issue Links:
Duplicate
is duplicated by OPENAM-14677 Cannot use push and OATH registration... Resolved
Target Version/s:
Sprint: AM Sustaining Sprint 48
Story Points: 3
Needs backport:
No
Support Ticket IDs:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same as in the description

 Description   

Bug description

When using a module with FR OATH while all the AM caching is disabled, accessing the FR OATH module throws:

 

javax.security.auth.login.LoginException: java.lang.NullPointerException
        at org.forgerock.openam.core.rest.devices.UserDevicesDao.getDeviceProfiles(UserDevicesDao.java:82)
        at org.forgerock.openam.authentication.modules.fr.oath.OathMaker.getDeviceProfiles(OathMaker.java:124)
        at org.forgerock.openam.authentication.modules.fr.oath.AuthenticatorOATH.getOathDeviceSettings(AuthenticatorOATH.java:752)
        at org.forgerock.openam.authentication.modules.fr.oath.AuthenticatorOATH.process(AuthenticatorOATH.java:274)
        at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
        at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

 

How to reproduce the issue

1. Disable AM caching for user

com.iplanet.am.sdk.caching.enabled=false
com.sun.identity.idm.cache.enabled=false

2. Create a new realm /2fa

3. Create the datastore with naming authentication as mail, search alias = uid. Create a user with mail. Similarly, do the same with an LDAP module with mail as the naming authentication (REQUIRED). Create a new chain for the FROATH

4. Login to LDAP module for realm /2fa and then later access the FROATH with the above user (which does not have the oath2device profile). The exception is seen

Expected behaviour
No exception and proceed to 2FA
Current behaviour
Auth module fails with server error

Work around

Enable back the IDM/user cache

AMIdentity.java
/**
 * Returns the values of the requested attribute. Returns an empty set, if
 * the attribute is not set in the object.
 *
 * This method is only valid for AMIdentity objects of type User, Agent,
 * Group, and Role.
 *
 * @param attrName
 *            Name of attribute
 * @return Set of attribute values.
 */
public Set getAttribute(String attrName) throws IdRepoException,
        SSOException {

    Set attrNames = new HashSet();
    attrNames.add(attrName);
    IdServices idServices = IdServicesFactory.getDataStoreServices();
    Map valMap = idServices.getAttributes(token, type, name, attrNames,
            orgName, univDN, true);
    // Map.get() returns null when attrName is absent from valMap
    return ((Set) valMap.get(attrName));
}

As the attribute is not found, this causes an NPE on the UserDeviceDAO. The API contract suggests the call should not return null (but an empty collection), but it seems that all the other previous code idioms may do a null check too (so some old code assumes null is possible).



 Comments   
Comment by C-Weng C [ 23/Feb/18 ]

Other possible symptoms

This is possibly the same when the attribute returned is not an empty set and later causes issues.

java.lang.NullPointerException
        at java.util.AbstractCollection.addAll(AbstractCollection.java:343)
        at org.forgerock.openam.session.stateless.AgentSessionNotificationURLsProvider.getSessionEventURLs(AgentSessionNotificationURLsProvider.java:78)
        at org.forgerock.openam.sso.providers.stateless.StatelessSession.getPLLNotificationURLs(StatelessSession.java:377)
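
The null-versus-empty-set mismatch described in the report and in the comment above, as an added example that is neither OpenAM code nor the project's fix. The class, method and attribute names are hypothetical stand-ins, the user entry is constructed sample data, and Java 9+ is assumed for `Map.of`.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added illustration; every name in this class is a hypothetical stand-in, not OpenAM code. */
public class NullSafeAttributeDemo {

    // Constructed sample: the user entry has "mail" but no device-profile attribute.
    static final Map<String, Set<String>> USER_ENTRY =
            Map.of("mail", Set.of("user@example.com"));

    /** Mirrors the quoted getAttribute(): a plain map lookup, so a missing attribute yields null. */
    static Set<String> getAttributeRaw(String attrName) {
        return USER_ENTRY.get(attrName);
    }

    /** Honours the documented contract: never null, an empty set when the attribute is absent. */
    static Set<String> getAttributeSafe(String attrName) {
        Set<String> values = getAttributeRaw(attrName);
        return values == null ? Collections.<String>emptySet() : values;
    }

    /** Caller written against the Javadoc contract; it fails if it is handed null. */
    static List<String> collectProfiles(Set<String> attributeValues) {
        List<String> profiles = new ArrayList<>();
        profiles.addAll(attributeValues); // addAll(null) throws NullPointerException
        return profiles;
    }

    public static void main(String[] args) {
        String attr = "deviceProfiles"; // hypothetical attribute name, absent from USER_ENTRY
        try {
            collectProfiles(getAttributeRaw(attr));
            System.out.println("raw lookup: no exception");
        } catch (NullPointerException e) {
            System.out.println("raw lookup: NullPointerException in the caller");
        }
        int count = collectProfiles(getAttributeSafe(attr)).size();
        System.out.println("safe lookup: " + count + " profiles, caller proceeds");
    }
}
```

Normalising at the lookup boundary protects callers that trust the Javadoc, while older callers that already null-check keep working unchanged.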
Generated at Fri Nov 27 06:22:32 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.