[OPENAM-13940] Session quota limits not applied when using trees Created: 08/Nov/18  Updated: 25/Nov/20  Resolved: 13/Dec/18

Status: Resolved
Project: OpenAM
Component/s: authentication, session, trees
Affects Version/s:, 6.5.0
Fix Version/s:, 6.5.1, 7.0.0

Type: Bug Priority: Major
Reporter: Simon Moffatt Assignee: Kajetan Hemzaczek
Resolution: Fixed Votes: 1
Labels: AME, Must-Fix, Tesla
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: JPEG File Image 26-11-2018 at 15.43.jpg    
Target Version/s:
Rank: 1|hzk4g7:
Sprint: 2018.16 - Tin
Story Points: 3
Needs backport:
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes and I used the same an in the description


Bug description

Session quota limits are not applied when authenticating via trees, only via chains/modules.

How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

  1. Global Services, Session, Session Quotas, set Enable Quota Constraints
  2. Set Resulting behavior if session quota exhausted to be DENY_ACCESS
  3. Go to Realm, add Session service and set Active User Sessions to 2
  4. Log in via Example tree 3 separate times (ie incognito windows) and check the sessions are created via Admin console
Expected behaviour
User sees a message saying "You've reached your session limit"
Current behaviour
User able to login normally

Work around

Log in via chains/modules.

Comment by Sam Phua [ 09/Nov/18 ]

 A simple test case to run the rest calls against tree and chains/module

#set -vx


echo "Rest calls running against tree"

curl -s --request POST --header "Accept-API-Version: resource=2.0, protocol=1.0" --header "X-OpenAM-Username: $user" --header "X-OpenAM-Password: $password" --header "Content-Type: application/json" --data "{}" "$openam/openam/json/authenticate?authIndexType=service&authIndexValue=Example"

echo "Rest calls running against chain/module"

curl -s --request POST --header "Accept-API-Version: resource=2.0, protocol=1.0" --header "X-OpenAM-Username: $user" --header "X-OpenAM-Password: $password" --header "Content-Type: application/json" --data "{}" "$openam/openam/json/authenticate"


 The output

Rest calls running against tree


Rest calls running against chain/module

{"code":401,"reason":"Unauthorized","message":"You have reached your session limit."}





Comment by Kajetan Hemzaczek [ 26/Nov/18 ]

getUniversalId can become protected and then the new line:

"builder.enforceSessionQuota(getUniversalId(realm, username));"

can be added to the NewSessionCreator.create method.


This is enough to enforce session quote when a new session is created.

When no more sessions can be created the next login fails and "Session quota exhausted" message appear on the login screen.


This code is executed from SuccessProcessTreeResult so after the authenticationTree engine successfully authenticated a user. This means that the tree execution is already finished. Also Success node cannot have a failure outcome

Comment by Filip Kubáň [X] (Inactive) [ 10/Jan/19 ]

Verified on ForgeRock Access Management Build d901475564 (2019-January-10 06:24)

message about reaching session limit appears

Generated at Mon Mar 01 03:09:45 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.