[OPENAM-15216] LDAP Decision Node does not continue through "Fail" flow when Node Fails with exception
Created: 16/Jul/19  Updated: 12/Aug/19  Resolved: 12/Aug/19

Status: Resolved
Project: OpenAM
Component/s: None
Affects Version/s: 6.5.1
Fix Version/s: 6.0.1, 5.5.2, 7.0.0, 6.5.3

Type: Bug
Priority: Minor
Reporter: Eliot Kerslake
Assignee: Lawrence Yarham
Resolution: Fixed
Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to OPENAM-15160 LDAP Decision Node throws NPE when cu... Resolved
Target Version/s:
Sprint: AM Sustaining Sprint 65, AM Sustaining Sprint 66
Story Points: 3
Needs backport:
Support Ticket IDs:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?: Yes and I used the same as in the description


Bug description

If authenticating via LDAP Decision node fails with an NPE, this will also fail to continue executing the full tree via the failed route.

How to reproduce the issue

Detailed steps outlining how to recreate the issue

  1. Vanilla AM install
  2. Create a new tree called testtree
  3. Within the tree I have the following:
    Start > Username > Password > LDAP Decision > True / False > Success / Fail > If FAIL > Choice Collector with a single choice > Fail
    3.1. The LDAP Decision node has the following:
    Attributes Used to Search for a User to be Authenticated = uid cn
  4. I created two new users as follows:
    Login > Top Level Realm > Identities > Add Identity >
    User ID = testone
    Password = password
  5. Create another user
    Login > Top Level Realm > Identities > Add Identity >
    User ID = testtwo
    Password = password
    > Create > Full Name = testone
  6. Then attempt to login using the new testtree
    http://openam.example.com:8080/openam/XUI/?service=testtree
    You should see that authentication fails but does not prompt for a choice (using the Choice Collector node).

Authentication logs have the following exception, which should be caught and continue the flow via the failed route.

ERROR: searchForUser : Multiple matches found for user 'eliottest'. Please modify search start DN/filter/scope to make sure unique match returned. Contact your administrator to fix the problem

amAuth:07/11/2019 04:15:27:174 PM BST: Thread[http-nio-8080-exec-1,5,main]: TransactionId[93d625d7-6af4-48dd-aea8-7b953aa677f2-19813]
ERROR: Node processing failed
 at org.forgerock.openam.auth.nodes.LdapDecisionNode.authenticateUser(LdapDecisionNode.java:333)
 at org.forgerock.openam.auth.nodes.LdapDecisionNode.process(LdapDecisionNode.java:282)
 at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
 at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:149)
 at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:421)
 at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:261)
 at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:253)
 at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:222)
 at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:164)
 at sun.reflect.GeneratedMethodAccessor97.invoke(Unknown Source)

Expected behaviour
Flow should fall through the fail route of the LDAP decision node
Current behaviour
Flow fails completely after ldap decision node

Work around

Use authentication chains, LDAP module will fail and continue through chain to the next module

Comment by Andrew Vinall [ 17/Jul/19 ]

Bug Triage:
1. The NPE should not occur.
2. Runtime exceptions should always prevent authentication.
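
The routing the report expects, together with the triage rule above, as an added stand-alone Java model. This is not OpenAM code and not the fix that shipped: every class and method name is hypothetical, and the sample directory is constructed from the reproduction steps on the assumption that Full Name is stored as cn.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

// Simplified stand-alone model (not OpenAM code); all names are hypothetical.
public class FailClosedDecisionDemo {
    enum Outcome { TRUE, FALSE }

    // Expected, recoverable failure of the directory lookup (e.g. ambiguous search).
    static class UserLookupException extends Exception {
        UserLookupException(String msg) { super(msg); }
    }

    // Constructed sample directory: searched on "uid cn" as in the report,
    // with testtwo's cn colliding with testone's uid (assumption: Full Name = cn).
    static final List<Map<String, String>> DIRECTORY = List.of(
        Map.of("uid", "testone", "cn", "testone", "password", "password"),
        Map.of("uid", "testtwo", "cn", "testone", "password", "password"));

    static Map<String, String> searchForUser(String name) throws UserLookupException {
        List<Map<String, String>> hits = DIRECTORY.stream()
            .filter(e -> name.equals(e.get("uid")) || name.equals(e.get("cn")))
            .collect(Collectors.toList());
        if (hits.size() > 1) {
            throw new UserLookupException("Multiple matches found for user '" + name + "'");
        }
        if (hits.isEmpty()) {
            throw new UserLookupException("No match for user '" + name + "'");
        }
        return hits.get(0);
    }

    // Decision step: a lookup failure becomes the FALSE outcome, so the tree can
    // continue down its failure branch. Unchecked exceptions are not caught here;
    // they propagate and abort the tree. No error path ever returns TRUE.
    static Outcome decide(String name, String password) {
        try {
            Map<String, String> user = searchForUser(name);
            return password.equals(user.get("password")) ? Outcome.TRUE : Outcome.FALSE;
        } catch (UserLookupException e) {
            System.err.println("lookup failed, routing to FALSE: " + e.getMessage());
            return Outcome.FALSE;
        }
    }

    public static void main(String[] args) {
        System.out.println("testone -> " + decide("testone", "password"));
        System.out.println("testtwo -> " + decide("testtwo", "password"));
    }
}
```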
