[OPENAM-14505] Agent sessions are constrained by Session Quota Created: 27/Feb/19  Updated: 22/Oct/19  Resolved: 04/Mar/19

Status: Resolved
Project: OpenAM
Component/s: session, web agents
Affects Version/s: 6.0.0, 6.5.0,
Fix Version/s:, 6.5.1,, 7.0.0

Type: Bug Priority: Major
Reporter: Tim Chandler Assignee: Jonathan Thomas
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File logs.tar    
Target Version/s:
Sprint: AM Sustaining Sprint 60
Story Points: 2
Needs backport:
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes and I used the same an in the description


Bug description

When session quotas are enabled, the number of web agents sessions is limited to the number of Active User Sessions

How to reproduce the issue

  1. Install AM
  2. Enable Global Service Session Quota Constraints.
  3. Set Resulting behavior if session quota exhausted to DENY_ACCESS
  4. Create a realm, Add the Session Service  
  5. Create a Web Agent profile in the realm.
  6. Enable SSO Only Mode for the Agent profile.
  7. Install Apache 2.4 and Web agent specifying the realm.
  8. Run a simple load test on the web server requesting pages.
Expected behaviour
Responses are redirects for authentication
Current behaviour
Responses will start to return HTTP 403 Forbidden

Work around

Not tested - Configure the Web Agent profile in a separate realm with Active User Sessions configured with a value sufficient to allow the required number of agent logins calculated from Apache mpm_worker_module configuration.

Code analysis


Comment by Jonathan Thomas [ 28/Feb/19 ]

Taking this for initial investigation

Comment by Jonathan Thomas [ 04/Mar/19 ]

Fixed logic to ensure session type set before quota constraint check.

Comment by Ľubomír Mlích [ 16/Apr/19 ]

Reproduced issue in ForgeRock Access Management Build d239585362 (2019-January-15 06:37) - I additionally set user active session limit to 1 and then I can see easily error most times when I try to access protected application

Verified as fixed in ForgeRock Access Management Build a90937dad2 (2019-April-10 15:58) - no able to reproduce problem.

Comment by Ľubomír Mlích [ 23/Apr/19 ]

Reproduced in ForgeRock Access Management Build 92d60f32d1 (2018-November-26 06:25) - there was access denied
Verified as fixed in ForgeRock Access Management Build a1bc4f9d0b (2019-April-10 09:57) - no able to reproduce problem

Generated at Thu Dec 03 20:17:22 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.