[OPENAM-15670] DeviceIdSave auth module initialization fails if username is null Created: 12/Nov/19  Updated: 12/Dec/19  Resolved: 12/Dec/19

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.5.0, 6.5.1, 6.5.2, 7.0.0
Fix Version/s: 7.0.0, 6.5.3

Type: Bug Priority: Blocker
Reporter: Bernhard Thalmayr Assignee: Joe Starling
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Oracle JDK 1.8.0_201
Apache Tomcat/9.0.8

Attachments: File OPENAM-15670.diff.git    
Issue Links:
is related to OPENAM-15668 AM withholds NullPointerException dur... Open
is related to OPENAM-15669 NullPointerException in IdCachedServi... Open
Rank: 1|hzzfhj:
Sprint: AM Sustaining Sprint 69, AM Sustaining Sprint 70
Story Points: 5
Support Ticket IDs:


Bug description

Initialization of DeviceIdSave auth module fails if username is not present

How to reproduce the issue

  1. Configure AM
  2. Configure the below mentioned auth-chain in some sub-realm
  3. Perform service based authentication

    [name=Certificate] [flag=OPTIONAL] [options=]
    [name=DeviceMatch] [flag=SUFFICIENT] [options=]
    [name=OTP] [flag=OPTIONAL] [options=]
    [name=DeviceSave] [flag=SUFFICIENT] [options=]
    [name=LDAP] [flag=REQUISITE] [options=]
    [name=DeviceMatch] [flag=SUFFICIENT] [options=]
    [name=OTP] [flag=REQUIRED] [options=]
    [name=DeviceSave] [flag=REQUIRED] [options=]

Expected behaviour

HOTP auth module should be triggered after submitting credentials for LDAP auth module.

Current behaviour

User is prompted for LDAP credentials a second time.

Code analysis

    public void init(Subject subject, Map sharedState, Map config) {
        // Excerpt: module initialization fails at this lookup when userName is null
        amIdentityPrincipal = IdUtils.getIdentity(userName, realm, userSearchAttributes);

Comment by Bernhard Thalmayr [ 12/Nov/19 ]

proposed fix based on AM

Comment by Jonathan Thomas [ 03/Dec/19 ]

Notes: One thing to note is in master we have FRAAS-861 where the search for alias will happen before the search for name only.

We have to watch this as it also caused https://bugster.forgerock.org/jira/browse/OPENAM-15700
