[OPENAM-14062] Redirect to Failure URL does not occur when authentication tree is not interactive Created: 03/Dec/18  Updated: 19/Jun/20  Resolved: 10/Jan/19

Status: Resolved
Project: OpenAM
Component/s: trees
Affects Version/s:
Fix Version/s:, 6.5.1, 6.0.1, 5.5.2, 7.0.0

Type: Bug Priority: Major
Reporter: Tim Chandler Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is documented by OPENAM-15194 Add OPENAM-14062 to list of key fixes... Open
Rank: 1|hzlk53:
Sprint: AM Sustaining Sprint 58, AM Sustaining Sprint 59
Story Points: 2
Needs backport:
Support Ticket IDs:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes and I used the same an in the description


Bug description

When an authentication tree does not have an interactive node, the failure URL configured in a Failure URL Node is not used.


How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

  1. Configure a Zero Page Login Collector node after the Start node and followed by a failure URL node when there are no credentials.
  2. Authenticate to the tree without credentials.
Expected behaviour
User is redirected to the configured Failure URL
Current behaviour
User is presented with the  XUI/#failedLogin screen

Work around

None identified.

Code analysis


Comment by Lawrence Yarham [ 21/Dec/18 ]

Notes from reproduction testing (in case anyone else sees the same error at step 4 below):

  1. Created a new Tree, e.g. Test14062.
  2. Added a Zero Page Login Collector.  Set the 'Has Credentials' outcome to go to a DataStore Decision Node.  Then set the relevant outcomes for this go to success and failure.
  3. For the Zero Page Login Collector node 'No Credentials' outcome, added a Failure URL and set this to be http://www.example.com
  4. Tested the tree using e.g. https://openam.amtest2.com:8443/access?service=Test14062.  This resulted in the text 'Loading...' appearing top left in the browser.  In the network tab, the call to https://openam.amtest2.com:8443/access/json/realms/root/authenticate?service=Test14062&authIndexType=service&authIndexValue=Test14062 had resulted in an error 500.  IN the CoreSystem debug logs the cause was:
    Caused by: java.lang.NullPointerException
            at org.forgerock.openam.auth.trees.engine.AuthTree.getNextNodeId(AuthTree.java:312)
            at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:131)
            at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:142)
            at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:389)
            at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:245)
            at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:237)
            at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:207)
            at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:158)
  1. Set the outcome of the Failure URL node to be Failure.  Then repeated step 4 above.  Now I see the current behaviour described in this JIRA.
Generated at Tue Mar 02 13:27:44 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.