[OPENAM-6468] InvalidClassException with certauth after #201505-01 patch Created: 28/Jul/15  Updated: 20/Nov/16  Resolved: 13/Aug/15

Status: Resolved
Project: OpenAM
Component/s: console
Affects Version/s: 11.0.3
Fix Version/s: 11.0.4, 12.0.2, 12.0.3, 13.0.0

Type: Bug Priority: Major
Reporter: Mark Powell Assignee: Mark de Reeper
Resolution: Fixed Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
is related to OPENAM-6499 Configuration store servers are not l... Resolved
Sprint: Sustaining Sprint 10
Support Ticket IDs:

Description

After installing the #201505 security patches for OpenAM 11.0.3, certificate authentication towards the DAS is no longer working.

The following stacktrace is printed in the Authentication debug log on the CAS with every certificate login attempt:

amAuthXMLUtils:07/27/2015 02:51:59:018 PM CEST: Thread[http-8443-11,5,main] 
ERROR: Unable to deserialize request object 
java.io.InvalidClassException: java.security.cert.Certificate$CertificateRep; Requested ObjectStreamClass was not in the whitelist of allowed classes 
at org.forgerock.openam.utils.IOUtils$WhitelistObjectInputStream.resolveClass(IOUtils.java:276) 
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1611) 
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1516) 
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1770) 
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349) 
at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1705) 
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1343) 
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369) 
at java.util.HashMap.readObject(HashMap.java:1047) 
at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
at java.lang.reflect.Method.invoke(Method.java:622) 
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1001) 
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1892) 
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1797) 
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349) 
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989) 
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1914) 
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1797) 
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349) 
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369) 
at org.forgerock.openam.utils.IOUtils.deserialise(IOUtils.java:205) 
at org.forgerock.openam.utils.IOUtils.deserialise(IOUtils.java:182) 
at com.sun.identity.authentication.share.AuthXMLUtils.deserializeToObject(AuthXMLUtils.java:1683) 
at com.sun.identity.authentication.share.AuthXMLUtils.getRemoteRequest(AuthXMLUtils.java:322) 
at com.sun.identity.authentication.server.AuthXMLRequestParser.parseXML(AuthXMLRequestParser.java:238) 
at com.sun.identity.authentication.server.AuthXMLRequest.parseXML(AuthXMLRequest.java:146) 
at com.sun.identity.authentication.server.AuthXMLHandler.processRequest(AuthXMLHandler.java:238) 
at com.sun.identity.authentication.server.AuthXMLHandler.process(AuthXMLHandler.java:144) 
at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:182) 
at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:135) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) 
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44) 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100) 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
at com.avlesh.web.filter.responseheaderfilter.ResponseHeaderManagerFilter.doFilter(ResponseHeaderManagerFilter.java:191) 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) 
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:558) 
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) 
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555) 
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) 
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) 
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) 
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) 
at java.lang.Thread.run(Thread.java:701)

Workaround:
Configuration -> Servers and Sites -> Default Server Settings -> Security -> Object Deserialisation Class Whitelist
Add the following two classes:

java.security.cert.Certificate

and

java.security.cert.Certificate$CertificateRep
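Why the workaround needs the second, odd-looking class, as an added illustration that is not OpenAM's code: java.security.cert.Certificate serialises through writeReplace() as Certificate$CertificateRep, so the class name a whitelisting ObjectInputStream sees in resolveClass is the replacement, not the certificate class itself (array types such as "[B" and "[Ljava...;" are resolved through the same hook). Token, TokenRep and the WhitelistObjectInputStream below are constructed stand-ins for the real certificate classes and for IOUtils$WhitelistObjectInputStream.

```java
import java.io.*;
import java.util.*;

public class WhitelistDemo {
    // Stand-in for a certificate: like java.security.cert.Certificate it serialises via writeReplace,
    // so the class name actually in the stream is the replacement (Token$TokenRep), not Token.
    static final class Token implements Serializable {
        final byte[] encoded;
        Token(byte[] encoded) { this.encoded = encoded; }
        protected Object writeReplace() { return new TokenRep(encoded); }
        static final class TokenRep implements Serializable {
            final byte[] encoded;
            TokenRep(byte[] encoded) { this.encoded = encoded; }
        }
    }
    // Illustrative whitelisting stream, not OpenAM's IOUtils$WhitelistObjectInputStream.
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        WhitelistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Reject by name before anything is loaded; array types ("[B", "[L...;") are resolved here too.
            if (!allowed.contains(desc.getName())) throw new InvalidClassException(desc.getName(), "not in the whitelist");
            return super.resolveClass(desc);
        }
    }
    // True if the payload deserialises under the whitelist; otherwise prints which class was rejected.
    static boolean accepted(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new WhitelistObjectInputStream(data, allowed)) {
            in.readObject();
            return true;
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed request shaped like the failing one: a HashMap holding an array of certificates.
        HashMap<String, Object> request = new HashMap<>();
        request.put("certs", new Token[] { new Token(new byte[] {1, 2, 3}) });
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(request); }
        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.HashMap", "[B",
                "[L" + Token.class.getName() + ";", Token.class.getName()));
        System.out.println(accepted(bos.toByteArray(), allowed)); // the stream carries Token$TokenRep, not named here
        allowed.add(Token.TokenRep.class.getName());               // whitelist the replacement class, as the workaround does
        System.out.println(accepted(bos.toByteArray(), allowed));
    }
}
```

The same check applied to a real request would print java.security.cert.Certificate$CertificateRep as the rejected class, which is the name the whitelist has to carry.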

Comments
Comment by Mark de Reeper [ 13/Aug/15 ]

Fixed in r15110, r15111, r15112 and r15113
