[OPENAM-16233] Policy evaluation fails when subject not found (even in ignore profile) Created: 13/May/20  Updated: 28/Jul/20  Resolved: 25/Jun/20

Status: Resolved
Project: OpenAM
Component/s: authentication, policy
Affects Version/s: 5.5.2, 7.0.0, 6.5.3
Fix Version/s: 5.5.3, 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: Pete Rogers
Resolution: Fixed Votes: 0
Labels: EDISON, Must-FIx, Selected
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to OPENAM-16258 Resource login fails to work to Authe... Open
Target Version/s:
Sprint: AM Sustaining Sprint 75, AM Sustaining Sprint 76
Story Points: 5
Needs backport:
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:


Bug description

Say you enter

curl -v -s --request POST -H 'X-Requested-With: curl' -H 'Cookie: iPlanetDirectoryPro=<somessotoken>' --header 'Content-Type: application/json' --data '{}' 'http://am.example.com:8080/openam/json/authenticate?resource=true&ForceAuth=true&resourceURL=http://website.example.com:80/index.html&authIndexType=resource&authIndexValue=true'

or, for claims, e.g. http://yaunap.blogspot.com/2016/07/fun-with-openam13-authz-policies-over.html

curl --request POST --header "iPlanetDirectoryPro: AQIC5…*" --header "Content-Type: application/json" --data '{"resources":["customers"],"application":"api","subject":{"claims":{"sub":"","iss":"http://as.uma.com:8080/openam/oauth2/ScopeAz"}}}' http://as.uma.com:8080/openam/json/ScopeAz/policies?_action=evaluate

issues like this happen:

Caused by: java.lang.NullPointerException
        at com.sun.identity.entitlement.PrivilegeEvaluator.isSubjectActive(PrivilegeEvaluator.java:418)
        at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:279)
        at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:263)
        at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:198)
        at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:153)
        at org.forgerock.openam.entitlement.rest.EntitlementEvaluatorFactory$EntitlementEvaluatorWrapper.evaluateBatch(EntitlementEvaluatorFactory.java:58)
        at org.forgerock.openam.entitlement.rest.model.json.BatchPolicyRequest.dispatch(BatchPolicyRequest.java:46)

Also, there is a search for the user on the subject using "" on the realm (a performance issue too).

So cases like

  • Realm ignore profile is not considered
  • If one does not use a profile for policy evaluation but passes the claims and other data, the use case is totally broken. E.g. login through an external LDAP but the datastore does not have such a user (one still wants the realm to use the profile if available.)
  • Resource-based login fails too (which needs the subject to be null)

How to reproduce the issue

  1. Create a test realm
  2. Create a Policy, say to grant all to Authenticated Users, ACTION=POST/GET
  3. Enter the above URL (using resource login), for example. See that it fails with a 500 (TEST #1, where the subject is NULL path)
  4. Repeat with policy evaluation (example 2) with an authenticated session where the user does not exist (say through an LDAP), or use a claims or JWT type policy evaluation. (TEST #2, where the subject comes from claims)
  5. Repeat the test with an ignore-profile realm where the SSO token exists.
Expected behaviour
Somehow old stuff should work.
- Resource based login works
- Ignore profile in realm works
Current behaviour
Get a 500 failure for resource-based login; also, policy evaluation on another subject that does not exist may fail.

Work around


Code analysis

  • Happens on 5.5.2 (not in 5.5.1)
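The three subject cases the description lists (a null subject from resource-based login, claims with an empty or unknown "sub", and an inactive user), modelled as an added example; this is not OpenAM's PrivilegeEvaluator code, and the names SubjectActiveCheck, User, UserRepo and the outcome chosen for each case are assumptions. It places the unchecked lookup beside a variant that never throws and never queries the data store for an empty id (Java 17).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Hypothetical model of the ticket's subject cases; not OpenAM code. */
public final class SubjectActiveCheck {

    /** Stand-in for a data-store profile: id plus active/inactive status. */
    public record User(String id, boolean active) {}

    /** Stand-in for the identity repository; find() is a real search and costs a round trip. */
    public interface UserRepo { Optional<User> find(String id); }

    /** Mirrors the failure mode in the ticket: no handling of a missing subject or user. */
    public static boolean isSubjectActiveUnsafe(Map<String, Object> subject, UserRepo repo) {
        String sub = (String) subject.get("sub");   // NullPointerException when subject is null
        return repo.find(sub).get().active();       // "" is searched; a missing user throws
    }

    /**
     * Defensive check (assumed semantics): never throws, never searches for an empty id.
     * - null subject (resource-based login): no user that could be inactive, so true
     * - empty/absent "sub" or no profile found: true only if the realm ignores profiles
     * - profile found: its status is authoritative, so an inactive user yields false
     */
    public static boolean isSubjectActive(Map<String, Object> subject, UserRepo repo,
                                          boolean ignoreProfile) {
        if (subject == null) {
            return true;
        }
        Object sub = subject.get("sub");
        if (!(sub instanceof String id) || id.isEmpty()) {
            return ignoreProfile;               // skip the "" data-store search entirely
        }
        return repo.find(id).map(User::active).orElse(ignoreProfile);
    }

    public static void main(String[] args) {
        Map<String, User> store = new HashMap<>();   // constructed sample data store
        store.put("alice", new User("alice", true));
        store.put("locked", new User("locked", false));
        UserRepo repo = id -> Optional.ofNullable(store.get(id));

        System.out.println(isSubjectActive(null, repo, false));                  // true: resource login
        System.out.println(isSubjectActive(Map.of("sub", ""), repo, true));      // true: claims, ignore profile
        System.out.println(isSubjectActive(Map.of("sub", ""), repo, false));     // false: profile required
        System.out.println(isSubjectActive(Map.of("sub", "locked"), repo, true)); // false: inactive user
        System.out.println(isSubjectActive(Map.of("sub", "ghost"), repo, true));  // true: no profile, ignored
    }
}
```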

Comment by Ľubomír Mlích [ 28/Jul/20 ]

Testing with curl command:

curl -v -s --request POST -H 'X-Requested-With: curl' -H "Cookie: iPlanetDirectoryPro=${USER_TOKEN}" --header 'Content-Type: application/json' --data '{}' "${URL}/json/authenticate?resource=true&ForceAuth=true&resourceURL=http://website.example.com:80/index.html&authIndexType=resource&authIndexValue=true"

1. create policy to grant access to http://website.example.com:80/index.html to all authenticated users

2. do request, result is HTTP 500 in 6.5.3-M5 and HTTP 200 in 6.5.3-M6

3. create new user, change status to inactive and change policy to allow access only to this locked user

4. do request, result is HTTP 500 in 6.5.3-M5 and HTTP 200 in 6.5.3-M6

5. delete new user

6. do request, result is HTTP 500 in 6.5.3-M5 and HTTP 200 in 6.5.3-M6

Reproduced in ForgeRock Access Management 6.5.3-M5 Build c61acc98e9 (2020-June-15 10:38)
Verified as fixed in ForgeRock Access Management 6.5.3-M6 Build 1ec2a27355 (2020-July-20 10:30)
