[OPENAM-5321] Cross realm session upgrade not handled properly by XUI Created: 15/Dec/14  Updated: 23/Mar/18  Resolved: 15/Dec/15

Status: Resolved
Project: OpenAM
Component/s: rest, XUI
Affects Version/s: 12.0.0, 12.0.2, 13.0.0
Fix Version/s: 13.0.0

Type: Bug Priority: Critical
Reporter: Nemanja Lukic Assignee: Joe Bandenburg [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: 13.0.0-Must-Fix, AME, TESLA, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

RC5, FireFox


Attachments: File session.har    
Issue Links:
Depends
is required by OPENAM-4089 Session Upgrade via REST is not consi... Resolved
Duplicate
duplicates OPENAM-7145 XUI displays "Loading..." when access... Closed
is duplicated by OPENAM-7527 XUI: If you hit different realm than ... Closed
Relates
is related to OPENAM-12698 another realm display profile page ca... Open
Sprint: Sprint 97 - Team Tesla, Sprint 98 - Team Tesla
Support Ticket IDs:

Description

Original behaviour of the session upgrade with realms is described in more detail here: OPENAM-4089. In short, no upgrade should occur and OpenAM should warn the user that, in order to establish a session with the second realm, the first session has to be destroyed. Apart from the warning, the user should be presented with a choice screen.

However, in RC5, the XUI behaviour is as follows:

  1. log in to realm1
  2. open the login URL for realm2
  3. observe "forbidden request error", "unauthorized access or session timeout" errors
  4. the original session is destroyed

Here is the HTTP session starting with the 2nd step:

http://saml-sp1.cdsso.rck.me:8080/openam/json/subrealm1/serverinfo/*

GET /openam/json/subrealm1/serverinfo/* HTTP/1.1
Host: saml-sp1.cdsso.rck.me:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-API-Version: protocol=1.0,resource=1.1
X-Requested-With: XMLHttpRequest
Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
Connection: keep-alive
If-None-Match: "-62414625"

HTTP/1.1 304 Not Modified
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Date: Mon, 15 Dec 2014 16:18:14 GMT
----------------------------------------------------------
http://saml-sp1.cdsso.rck.me:8080/openam/json/authenticate?realm=%2Fsubrealm1&sessionUpgradeSSOTokenId=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*

POST /openam/json/authenticate?realm=%2Fsubrealm1&sessionUpgradeSSOTokenId=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3* HTTP/1.1
Host: saml-sp1.cdsso.rck.me:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-API-Version: protocol=1.0,resource=2.0
X-Requested-With: XMLHttpRequest
Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0

HTTP/1.1 200 OK
Content-API-Version: protocol=1.0,resource=2.0
Date: Mon, 15 Dec 2014 16:18:14 GMT
Accept-Ranges: bytes
Server: Restlet-Framework/2.1.7
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: application/json;charset=UTF-8
Content-Length: 139
----------------------------------------------------------
http://saml-sp1.cdsso.rck.me:8080/openam/json/subrealm1/users?_action=idFromSession

POST /openam/json/subrealm1/users?_action=idFromSession HTTP/1.1
Host: saml-sp1.cdsso.rck.me:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Accept-API-Version: protocol=1.0,resource=2.0
X-Requested-With: XMLHttpRequest
Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
Content-Length: 2
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{}
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-API-Version: protocol=1.0,resource=2.0
Content-Type: application/json;charset=UTF-8
Content-Length: 195
Date: Mon, 15 Dec 2014 16:18:14 GMT
----------------------------------------------------------
http://saml-sp1.cdsso.rck.me:8080/openam/json/subrealm1/users/demo

GET /openam/json/subrealm1/users/demo HTTP/1.1
Host: saml-sp1.cdsso.rck.me:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Cache-Control: no-cache
Accept-API-Version: protocol=1.0,resource=2.0
X-Requested-With: XMLHttpRequest
Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
Connection: keep-alive
If-None-Match: "0"

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: application/json;charset=UTF-8
Content-Length: 166
Date: Mon, 15 Dec 2014 16:18:14 GMT
----------------------------------------------------------
http://saml-sp1.cdsso.rck.me:8080/openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=validate

POST /openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=validate HTTP/1.1
Host: saml-sp1.cdsso.rck.me:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-API-Version: protocol=1.0,resource=1.1
X-Requested-With: XMLHttpRequest
Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-API-Version: protocol=1.0,resource=1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 48
Date: Mon, 15 Dec 2014 16:18:14 GMT
----------------------------------------------------------
http://saml-sp1.cdsso.rck.me:8080/openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=validate

POST /openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=validate HTTP/1.1
Host: saml-sp1.cdsso.rck.me:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-API-Version: protocol=1.0,resource=1.1
X-Requested-With: XMLHttpRequest
Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-API-Version: protocol=1.0,resource=1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 48
Date: Mon, 15 Dec 2014 16:18:15 GMT
----------------------------------------------------------
http://saml-sp1.cdsso.rck.me:8080/openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=logout

POST /openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=logout HTTP/1.1
Host: saml-sp1.cdsso.rck.me:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Accept-API-Version: protocol=1.0,resource=1.1
X-Requested-With: XMLHttpRequest
Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
Content-Length: 2
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{}
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-API-Version: protocol=1.0,resource=1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 36
Date: Mon, 15 Dec 2014 16:18:15 GMT
----------------------------------------------------------
http://saml-sp1.cdsso.rck.me:8080/openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=logout

POST /openam/json/sessions/AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*?_action=logout HTTP/1.1
Host: saml-sp1.cdsso.rck.me:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Accept-API-Version: protocol=1.0,resource=1.1
X-Requested-With: XMLHttpRequest
Referer: http://saml-sp1.cdsso.rck.me:8080/openam/XUI/
Content-Length: 2
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwjUmjKQbD-bV_5QC-gjAGOBXP2_8-qQoE.*AAJTSQACMDEAAlNLABMzODM0MDYyNjQ2MzIzNjA3Nzk3*
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{}
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 62
Date: Mon, 15 Dec 2014 16:18:15 GMT

To reproduce:

  • create two realms: realm1 and realm2
  • log out from OpenAM and clear your browser cache
  1. log in to: /openam/XUI/#login/realm1 as demo/changeit
  2. user profile is shown
  3. go to: /openam/XUI/#login/realm2
  4. error messages observed and sessions destroyed


Comments
Comment by Nemanja Lukic [ 15/Dec/14 ]

In addition to this, the REST interface does not mimic this behaviour either:

  1. empty POST to: /json/realm1/authenticate?authIndexType=module&authIndexValue=DataStore
  2. NameCallback returned
  3. post the callback with: demo/changeit credentials
  4. session token obtained
  5. empty POST to: /json/realm2/authenticate?sessionUpgrade=<TOKEN>&authIndexType=module&authIndexValue=DataStore
  6. original token returned

In the last step, a choice would be expected.
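
The REST-only reproduction in the comment above, written out as a client so the check can be re-run against a build. This is an added example for this issue, not code from OpenAM or from the reporter: it assumes the OpenAM 12/13 CREST JSON endpoints under <base>/json with the DataStore module, uses the sessionUpgradeSSOTokenId query parameter seen in the XUI trace in the description, and the realm names, user and the simulated server responses are constructed.

```python
"""Cross-realm session upgrade over the REST authenticate endpoint.

Added example for this issue, not code from OpenAM or from the reporter. It assumes
OpenAM 12/13 CREST JSON endpoints under <base>/json and the DataStore module; the
realm names, user and the simulated responses below are constructed.
"""
import json
import sys
from urllib import error, request

API_VERSION = "protocol=1.0,resource=2.0"
COOKIE_NAME = "iPlanetDirectoryPro"  # default SSO cookie name, as in the trace above


def http_post(url, body, cookie=None):
    """Real transport: POST JSON (or an empty body) and return (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else b""
    req = request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept-API-Version", API_VERSION)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def login(base, realm, user, password, post=http_post):
    """Steps 1-4 of the comment: empty POST, fill the callbacks, POST them back, keep tokenId."""
    url = f"{base}/json{realm}/authenticate?authIndexType=module&authIndexValue=DataStore"
    status, step = post(url, None)
    if status != 200 or "callbacks" not in step:
        raise RuntimeError(f"expected callbacks from {realm}, got {status}: {step}")
    for cb in step["callbacks"]:
        if cb["type"] == "NameCallback":
            cb["input"][0]["value"] = user
        elif cb["type"] == "PasswordCallback":
            cb["input"][0]["value"] = password
    status, done = post(url, step)
    if status != 200 or "tokenId" not in done:
        raise RuntimeError(f"login to {realm} failed with {status}: {done}")
    return done["tokenId"]


def upgrade(base, realm, token, post=http_post):
    """Step 5: present the realm1 token to realm2's authenticate endpoint, the way the XUI
    trace does (sessionUpgradeSSOTokenId query parameter plus the SSO cookie)."""
    url = (f"{base}/json{realm}/authenticate?sessionUpgradeSSOTokenId={token}"
           "&authIndexType=module&authIndexValue=DataStore")
    return post(url, None, cookie=f"{COOKIE_NAME}={token}")


def classify(original_token, status, body):
    """What the second realm did with the existing session."""
    if status != 200:
        return "error"
    if "callbacks" in body:
        return "challenged"                 # realm2 asked for credentials instead of reusing the session
    if body.get("tokenId") == original_token:
        return "original-token-returned"    # step 6 of the comment: the realm1 token comes back unchanged
    if "tokenId" in body:
        return "new-token"                  # a realm2 session was issued in place of the realm1 one
    return "unknown"


def run_check(base, realm1, realm2, user, password, post=http_post):
    token = login(base, realm1, user, password, post)
    status, body = upgrade(base, realm2, token, post)
    return classify(token, status, body)


def simulated_post(url, body, cookie=None):
    """Constructed stand-in for the server, replaying the responses the comment describes."""
    callbacks = [{"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name:"}],
                  "input": [{"name": "IDToken1", "value": ""}]},
                 {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password:"}],
                  "input": [{"name": "IDToken2", "value": ""}]}]
    if "/json/realm1/authenticate" in url:
        if body is None:
            return 200, {"authId": "jwt-placeholder", "stage": "DataStore1", "callbacks": callbacks}
        supplied = [cb["input"][0]["value"] for cb in body["callbacks"]]
        if supplied == ["demo", "changeit"]:
            return 200, {"tokenId": "TOKEN-REALM1", "successUrl": "/openam/console"}
        return 401, {"code": 401, "reason": "Unauthorized", "message": "Authentication Failed"}
    if "/json/realm2/authenticate" in url and "sessionUpgradeSSOTokenId=TOKEN-REALM1" in url:
        return 200, {"tokenId": "TOKEN-REALM1", "successUrl": "/openam/console"}  # original token returned
    return 404, {"code": 404}


if __name__ == "__main__":
    if len(sys.argv) == 2:   # deployment URL, e.g. http://saml-sp1.cdsso.rck.me:8080/openam
        print(run_check(sys.argv[1], "/realm1", "/realm2", "demo", "changeit"))
    else:
        print(run_check("http://openam.example", "/realm1", "/realm2", "demo", "changeit", simulated_post))
```

Run with the deployment URL as the only argument to exercise a real server; with no argument it replays the constructed exchange and reports "original-token-returned". A build that behaves as OPENAM-4089 asks would come back with "challenged" (callbacks, i.e. realm2 did not silently reuse the realm1 session); "new-token" would mean the realm1 session was replaced without any warning.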

Comment by Jake Feasel [ 15/Dec/14 ]

I would like to see the response body included in the above HTTP trace, particularly for this call:

POST /openam/json/subrealm1/users?_action=idFromSession
Comment by Nemanja Lukic [ 15/Dec/14 ]

The response is:

{"id":"demo","realm":"/subrealm2","dn":"id=demo,ou=user,o=subrealm1,ou=services,dc=openam,dc=forgerock,dc=org","successURL":"/openam/console","fullLoginURL":"/openam/UI/Login?realm=%2Fsubrealm1"}

I am attaching the rest as .har

Comment by Jake Feasel [ 15/Dec/14 ]

According to your .har file, these are the requests:

        "request": {
          "method": "POST",
          "url": "http://saml-sp1.cdsso.rck.me:8080/openam/json/subrealm2/users?_action=idFromSession",
...
          "content": {
            "mimeType": "application/json",
            "size": 195,
            "text": "{\"id\":\"demo\",\"realm\":\"/subrealm2\",\"dn\":\"id=demo,ou=user,o=subrealm1,ou=services,dc=openam,dc=forgerock,dc=org\",\"successURL\":\"/openam/console\",\"fullLoginURL\":\"/openam/UI/Login?realm=%2Fsubrealm1\"}"
          },
...
        "request": {
          "method": "GET",
          "url": "http://saml-sp1.cdsso.rck.me:8080/openam/json/subrealm2/users/demo",

Based on the response to ?_action=idFromSession, it looks to me like the next call (the read for /subrealm2/users/demo) is properly constructed by the XUI code. Either the idFromSession call is returning the wrong value for "realm", or the read call for the user info is improperly rejecting the request. Phill Cunnington will probably have some insight on this, as he was recently working on this area I believe.
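
The kind of triage done by hand on the HTTP trace in the description and on the .har excerpt above, as an added example that is not part of the original issue and not OpenAM code: it walks a HAR capture, lists the REST calls, flags idFromSession responses whose "realm" disagrees with the realm encoded in "dn", and flags a 403 on a users/<id> read that is followed by a sessions logout. The embedded HAR is constructed from the trace; only the idFromSession body is taken from the issue, the other bodies are placeholders, the token is a placeholder, and the mapping of o= RDNs to realm levels assumes the default OpenAM directory layout.

```python
"""Triage of a browser HAR capture of the XUI's REST calls from this issue.

Added example, not code from OpenAM or from the reporter. The HAR below is constructed
from the trace in the description and the .har excerpt in the comment above; only the
idFromSession body is taken from the issue, the other bodies are placeholders.
"""
import json
import re
import sys
from urllib.parse import parse_qs, urlparse

BASE = "http://saml-sp1.cdsso.rck.me:8080/openam/json"
TOKEN = "AQIC-placeholder"  # stands in for the iPlanetDirectoryPro value in the trace
TOP_LEVEL = {"authenticate", "users", "sessions", "serverinfo", "groups", "agents", "realms"}


def _entry(method, url, status, body):
    return {"request": {"method": method, "url": url},
            "response": {"status": status,
                         "content": {"mimeType": "application/json", "text": json.dumps(body)}}}


SAMPLE_HAR = {"log": {"entries": [
    _entry("POST", f"{BASE}/authenticate?realm=%2Fsubrealm2&sessionUpgradeSSOTokenId={TOKEN}", 200,
           {"tokenId": TOKEN, "successUrl": "/openam/console"}),
    _entry("POST", f"{BASE}/subrealm2/users?_action=idFromSession", 200,
           {"id": "demo", "realm": "/subrealm2",
            "dn": "id=demo,ou=user,o=subrealm1,ou=services,dc=openam,dc=forgerock,dc=org",
            "successURL": "/openam/console", "fullLoginURL": "/openam/UI/Login?realm=%2Fsubrealm1"}),
    _entry("GET", f"{BASE}/subrealm2/users/demo", 403, {"code": 403, "reason": "Forbidden"}),
    _entry("POST", f"{BASE}/sessions/{TOKEN}?_action=validate", 200, {"valid": True}),
    _entry("POST", f"{BASE}/sessions/{TOKEN}?_action=logout", 200, {"result": "Successfully logged out"}),
]}}


def realm_from_dn(dn):
    """Realm path encoded in a user DN: each o= RDN is one realm level, innermost first
    (assumes the default OpenAM DIT layout ...,o=<realm>,ou=services,...)."""
    levels = [v.strip() for k, v in (rdn.split("=", 1) for rdn in dn.split(",") if "=" in rdn)
              if k.strip().lower() == "o"]
    return "/" + "/".join(reversed(levels))


def realm_from_url(url):
    """Realm a CREST request targets: path segments between /json/ and the endpoint,
    else the realm query parameter, else the root realm."""
    parsed = urlparse(url)
    segs = parsed.path.split("/")
    realm_segs = []
    if "json" in segs:
        for seg in segs[segs.index("json") + 1:]:
            if seg in TOP_LEVEL:
                break
            realm_segs.append(seg)
    if realm_segs:
        return "/" + "/".join(realm_segs)
    realm = parse_qs(parsed.query).get("realm")
    return realm[0] if realm else "/"


def summarize(har):
    """(method, path?query, status) per entry: the view in which 403 -> logout stands out."""
    rows = []
    for e in har["log"]["entries"]:
        p = urlparse(e["request"]["url"])
        path = p.path + (f"?{p.query}" if p.query else "")
        rows.append((e["request"]["method"], path, e["response"]["status"]))
    return rows


def find_realm_mismatches(har):
    """idFromSession responses whose 'realm' disagrees with the realm encoded in 'dn'."""
    hits = []
    for i, e in enumerate(har["log"]["entries"]):
        url = e["request"]["url"]
        if "_action=idFromSession" not in url or e["response"]["status"] != 200:
            continue
        body = json.loads(e["response"]["content"]["text"])
        claimed, from_dn = body.get("realm"), realm_from_dn(body.get("dn", ""))
        if claimed != from_dn:
            hits.append({"index": i, "requested": realm_from_url(url),
                         "claimed": claimed, "dn_realm": from_dn})
    return hits


def find_forced_logouts(har):
    """A 403 on a users/<id> read followed by a sessions logout: the XUI treating an
    authorization failure as a dead session and destroying the original one."""
    es = har["log"]["entries"]
    pairs = []
    for i, e in enumerate(es):
        path = urlparse(e["request"]["url"]).path
        if e["request"]["method"] == "GET" and e["response"]["status"] == 403 \
                and re.search(r"/users/[^/]+$", path):
            later = next((j for j in range(i + 1, len(es))
                          if "_action=logout" in es[j]["request"]["url"]), None)
            if later is not None:
                pairs.append((i, later))
    return pairs


if __name__ == "__main__":
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR  # e.g. session.har
    for row in summarize(har):
        print(*row)
    print("realm mismatches:", find_realm_mismatches(har))
    print("403 followed by logout:", find_forced_logouts(har))
```

Run it with the path to an exported .har to triage a real capture; without an argument it uses the constructed capture. On that input it reports one mismatch (requested and claimed "/subrealm2", DN in "/subrealm1") and one 403 on the profile read followed by the logout, which is the sequence the description reports as "errors observed and session destroyed".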

Comment by Peter Major [X] (Inactive) [ 16/Jul/15 ]

Looks similar to OPENAM-5712

Comment by Phil Ostler [X] (Inactive) [ 31/Oct/15 ]

I've looked into this and it appears that the requirement is for the XUI to match the original JATO feature. I have been unable to get my ADS working with the master build of OpenAM so I've not been able to turn off the XUI and test this. This needs to be done to understand how we are going to integrate the same feature into the XUI.

Comment by Richard Hruza [ 24/Nov/15 ]

This case is possible to reproduce with AM13 and the realm query string parameter, see OPENAM-7527 for more info

Comment by Julian Kigwana [X] (Inactive) [ 02/Dec/15 ]

picked up in error

Generated at Mon Oct 19 20:39:50 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.