[OPENAM-5451] Resource based authentication does not work as expected in 12 (with legacy UI) Created: 26/Jan/15  Updated: 20/Nov/16  Resolved: 23/Feb/15

Status: Resolved
Project: OpenAM
Component/s: authentication, policy
Affects Version/s: 12.0.0
Fix Version/s: 12.0.1, 13.0.0

Type: Bug Priority: Major
Reporter: Nathalie Hoet Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to OPENAM-5541 Resource based auth doesn't work in s... Resolved
relates to OPENAM-8199 Resource based authentication does no... Resolved
Target Version/s:
Sprint: Sprint 77 - Sustaining
Support Ticket IDs:
Verified Version/s:

Description

You will need to disable XUI because of OPENAM-3135.

To reproduce:

  • Install OpenAM 12.0.0
  • Disable XUI (Configuration > Authentication > Core > XUI interface > uncheck box)
  • Install agent
  • Configure OpenAM Login URL for the agent: http://openam.example.com:8080/openam/UI/Login?resource=true
  • Create a policy with ConditionToService set to a chain that is not the default for the realm

When accessing the protected resource, the user is redirected first to the default chain, then to the chain defined in the policy (which means the resource-based authentication is not taken into account at all).

Correct behaviour (working in 11.0.x): user is immediately redirected to the chain defined in the policy.



Comments
Comment by Sachiko Wallace [ 28/Jan/15 ]

AuthenticatedUsers is throwing an NPE. I think there are a couple of classes that were implemented from 12.0.0 and I need to check what the old policy conditions were doing.

ERROR: OpenSSOPrivilege.evaluate
java.lang.NullPointerException
        at com.sun.identity.entitlement.opensso.SubjectUtils.getSSOToken(SubjectUtils.java:69)
        at org.forgerock.openam.entitlement.conditions.subject.AuthenticatedUsers.evaluate(AuthenticatedUsers.java:86)
        at com.sun.identity.entitlement.Privilege.doesSubjectMatch(Privilege.java:607)
        at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.internalEvaluate(OpenSSOPrivilege.java:147)
        at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.access$000(OpenSSOPrivilege.java:62)
        at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:102)
        at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:86)
        at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.evaluate(OpenSSOPrivilege.java:99)
        at com.sun.identity.entitlement.PrivilegeEvaluator$PrivilegeTask.run(PrivilegeEvaluator.java:423)
        at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:335)
        at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:248)
        at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:216)
        at com.sun.identity.policy.PolicyEvaluator.getPolicyDecisionE(PolicyEvaluator.java:872)
        at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:819)
        at com.sun.identity.policy.PolicyEvaluator.getPolicyDecisionIgnoreSubjects(PolicyEvaluator.java:2444)
        at com.sun.identity.policy.ProxyPolicyEvaluator.getPolicyDecisionIgnoreSubjects(ProxyPolicyEvaluator.java:257)
        at com.sun.identity.policy.util.PolicyDecisionUtils.getActionDecision(PolicyDecisionUtils.java:135)
        at com.sun.identity.policy.util.PolicyDecisionUtils.doResourceIPEnvAuth(PolicyDecisionUtils.java:122)
        at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:479)
        at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:419)
        at com.sun.identity.authentication.UI.LoginViewBean.getLoginDisplay(LoginViewBean.java:911)
        at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:862)
        at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:519)
        at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
        at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
        at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
Comment by Sachiko Wallace [ 28/Jan/15 ]

openam-core/src/main/java/com/sun/identity/entitlement/opensso/PolicySubject.java
vs.
openam-core/src/main/java/org/forgerock/openam/entitlement/conditions/subject/AuthenticatedUsers.java

Suppressing the NPE from AuthenticatedUsers wasn't enough to fix the issue.
AuthenticateToServiceCondition has an NPE as well.

Comment by Sachiko Wallace [ 28/Jan/15 ]

AuthenticateToServiceCondition#getRealmAwareService() is not testing whether the realm passed in as an argument is in DN format or realm format.
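
The realm-format check that the comment above says is missing, as an added illustration in Python; this is not OpenAM's code and not the actual fix. It assumes that a realm-qualified service name is written `<realm path>:<service>`, that sub-realm DNs have the layout `o=child,o=parent,ou=services,<root suffix>`, that the root suffix is the default `dc=openam,dc=forgerock,dc=org`, and that realm paths are case-insensitive. The naive form is shown beside the checked form so the effect of a DN-format realm is visible.

```python
"""Realm-qualified auth-service names from DN- or path-format realms.

Illustration only, not OpenAM code. Assumptions: qualified service names are
"<realm path>:<service>", sub-realm DNs look like
"o=child,o=parent,ou=services,<root suffix>", the root suffix is the default
"dc=openam,dc=forgerock,dc=org", and realm paths are case-insensitive.
"""
from typing import List

ROOT_SUFFIX = "dc=openam,dc=forgerock,dc=org"  # assumed default root suffix


def _split_dn(dn: str) -> List[str]:
    """Split a DN into lowercased RDNs, ignoring whitespace around commas."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_realm_dn(realm: str) -> bool:
    """A DN-format realm contains attr=value RDNs; a path realm starts with '/'."""
    return not realm.startswith("/") and "=" in realm


def dn_to_realm_path(dn: str, root_suffix: str = ROOT_SUFFIX) -> str:
    """Map 'o=b,o=a,ou=services,<root>' to '/a/b' and '<root>' itself to '/'.

    Raises ValueError for DNs outside the root suffix or with unexpected RDNs.
    """
    rdns = _split_dn(dn)
    suffix = _split_dn(root_suffix)
    if len(rdns) < len(suffix) or rdns[-len(suffix):] != suffix:
        raise ValueError(f"realm DN {dn!r} is not under root suffix {root_suffix!r}")
    rest = rdns[:-len(suffix)]
    if not rest:
        return "/"  # the root suffix alone is the top-level realm
    if rest[-1] != "ou=services":
        raise ValueError(f"realm DN {dn!r} lacks the ou=services container")
    orgs = []
    for rdn in rest[:-1]:
        attr, _, value = rdn.partition("=")
        if attr != "o" or not value:
            raise ValueError(f"unexpected RDN {rdn!r} in realm DN {dn!r}")
        orgs.append(value)
    # A DN lists the leaf first; a realm path lists the root first.
    return "/" + "/".join(reversed(orgs))


def normalize_realm(realm: str) -> str:
    """Return a canonical realm path whichever format the caller passed."""
    if is_realm_dn(realm):
        return dn_to_realm_path(realm)
    # assumed: realm paths are case-insensitive and never carry a trailing '/'
    return "/" + realm.strip().strip("/").lower()


def naive_realm_aware_service(service: str, realm: str) -> str:
    """Unchecked form: qualifies the service with whatever realm string it got."""
    return service if ":" in service else f"{realm}:{service}"


def realm_aware_service(service: str, realm: str) -> str:
    """Checked form: qualifies the service with the normalized realm path."""
    return service if ":" in service else f"{normalize_realm(realm)}:{service}"


if __name__ == "__main__":
    dn_realm = "o=sub,ou=services,dc=openam,dc=forgerock,dc=org"  # constructed sample
    print(naive_realm_aware_service("ldapService", dn_realm))  # realm left in DN form
    print(realm_aware_service("ldapService", dn_realm))        # /sub:ldapService
```

With a DN-format realm the naive form produces a qualified name whose realm part is the DN, which never matches a name built from the path form of the same realm; the checked form yields the same qualified name for both inputs.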

Comment by Sachiko Wallace [ 12/Feb/15 ]

SessionCondition (Active Session Time) throws an NPE as well.

ERROR: OpenSSOPrivilege.evaluate
java.lang.NullPointerException
        at org.forgerock.openam.entitlement.conditions.environment.SessionCondition.evaluate(SessionCondition.java:137)
        at org.forgerock.openam.entitlement.CachingEntitlementCondition.evaluate(CachingEntitlementCondition.java:119)
        at com.sun.identity.entitlement.Privilege.doesConditionMatch(Privilege.java:644)
        at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.internalEvaluate(OpenSSOPrivilege.java:147)
        at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.access$000(OpenSSOPrivilege.java:62)
        at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:102)
        at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:86)
        at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.evaluate(OpenSSOPrivilege.java:99)
        at com.sun.identity.entitlement.PrivilegeEvaluator$PrivilegeTask.run(PrivilegeEvaluator.java:423)
        at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:335)
        at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:248)
        at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:216)
        at com.sun.identity.policy.PolicyEvaluator.getPolicyDecisionE(PolicyEvaluator.java:872)
        at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:819)
        at com.sun.identity.policy.PolicyEvaluator.getPolicyDecisionIgnoreSubjects(PolicyEvaluator.java:2444)
Comment by Sachiko Wallace [ 13/Feb/15 ]

Just fixing CachingEntitlementCondition to return an empty condition didn't work, since AuthenticateToServiceCondition needs to return the auth service; otherwise it would display the login screen twice. The fix needs to be implemented in each condition class.

Comment by Richard Hruza [ 14/Jul/15 ]

Verified with:
OpenAM 12.0.1 Build 14322 (2015-June-22 16:03)
