Forum Replies Created

Viewing 15 posts - 1 through 15 (of 44 total)
    #28691
     soma
    Participant

    workaround:

    sed -i "s~amHome/~$OPENAM_HOME/~g" $OPENAM_HOME/openam-tools/amster/openam-realm-configuration.amster
    $OPENAM_HOME/openam-tools/amster/amster $OPENAM_HOME/openam-tools/amster/openam-realm-configuration.amster

    The SED operation must be removed from the bash script once this bug is fixed.

    #14214
     soma
    Participant

    Hi,
    Thank you for the reply.
    I tried that before but unfortunately it did not help :(

    #13837
     soma
    Participant

    This is the full log:

    No configuration value found for: com.sun.identity.agents.config.amFilter.logout.application.handler, or: com.sun.identity.agents.config.logout.application.handler
    amFilter:10/22/2016 07:46:12:678 PM CEST: Thread[http-nio-8080-exec-17,5,main]
    ERROR: AmFilter: Error while delegating to inbound handler: Not Enforced List Task Handler, access will be denied
    java.lang.NullPointerException
    	at com.iplanet.dpro.session.SessionID.hashCode(SessionID.java:334)
    	at java.util.Hashtable.get(Hashtable.java:363)
    	at com.iplanet.dpro.session.Session.readSession(Session.java:2178)
    	at com.iplanet.dpro.session.Session.removeSID(Session.java:1042)
    	at com.sun.identity.agents.filter.LogoutHelper.removeSSOToken(LogoutHelper.java:174)
    	at com.sun.identity.agents.filter.LogoutHelper.doLogout(LogoutHelper.java:63)
    	at com.sun.identity.agents.filter.NotenforcedListTaskHandler.process(NotenforcedListTaskHandler.java:144)
    	at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:194)
    	at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:157)
    	at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:70)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
    	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
    	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
    	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
    	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    	at java.lang.Thread.run(Thread.java:745)
    
    amFilter:10/22/2016 07:46:12:679 PM CEST: Thread[http-nio-8080-exec-17,5,main]
    AmFilter: now processing: Audit Result Handler
    amFilter:10/22/2016 07:46:12:679 PM CEST: Thread[http-nio-8080-exec-17,5,main]
    AmFilter: result => 
    
    -----------------------------------------------------------
    FilterResult:
    	Status    	: REDIRECT
    	ProcessResponse    	: false
    	RedirectURL	: http://web.example.com:8080/admin-console/authentication/access-denied.jsp?goto=http%3A%2F%2Fweb.example.com%3A8080%2Fadmin-console%2Fauthentication%2Faccess-denied.jsp%3Fgoto%3Dhttp%253A%252F%252Fweb.example.com%253A8080%252Fadmin-console%252Fauthentication%252Faccess-denied.jsp%253Fgoto%253Dhttp%25253A%25252F%25252Fweb.example.com%25253A8080%25252Fadmin-console%25252Fauthentication%25252Faccess-denied.jsp%25253Fgoto%25253Dhttp%2525253A%2525252F%2525252Fweb.example.com%2525253A8080%2525252Fadmin-console%2525252Fauthentication%2525252Faccess-denied.jsp%2525253Fgoto%2525253Dhttp%252525253A%252525252F%252525252Fweb.example.com%252525253A8080%252525252Fadmin-console%252525252Fauthentication%252525252Faccess-denied.jsp%252525253Fgoto%252525253Dhttp%25252525253A%25252525252F%25252525252Fweb.example.com%25252525253A8080%25252525252Fadmin-console%25252525252Fauthentication%25252525252Faccess-denied.jsp%25252525253Fgoto%25252525253Dhttp%2525252525253A%2525252525252F%2525252525252Fweb.example.com%2525252525253A8080%2525252525252Fadmin-console%2525252525252Fauthentication%2525252525252Faccess-denied.jsp%2525252525253Fgoto%2525252525253Dhttp%252525252525253A%252525252525252F%252525252525252Fweb.example.com%252525252525253A8080%252525252525252Fadmin-console%252525252525252Fauthentication%252525252525252Faccess-denied.jsp%252525252525253Fgoto%252525252525253Dhttp%25252525252525253A%25252525252525252F%25252525252525252Fweb.example.com%25252525252525253A8080%25252525252525252Fadmin-console%25252525252525252Fauthentication%25252525252525252Faccess-denied.jsp%25252525252525253Fgoto%25252525252525253Dhttp%2525252525252525253A%2525252525252525252F%2525252525252525252Fweb.example.com%2525252525252525253A8080%2525252525252525252Fadmin-console%2525252525252525252Fauthentication%2525252525252525252Faccess-denied.jsp%2525252525252525253Fgoto%2525252525252525253Dhttp%252525252525252525253A%252525252525252525252F%252525252525252525252Fweb.example.com%252525252525252525253A
8080%252525252525252525252Fadmin-console%252525252525252525252Fauthentication%252525252525252525252Faccess-denied.jsp%252525252525252525253Fgoto%252525252525252525253Dhttp%25252525252525252525253A%25252525252525252525252F%25252525252525252525252Fweb.example.com%25252525252525252525253A8080%25252525252525252525252Fadmin-console%25252525252525252525252Fauthentication%25252525252525252525252Faccess-denied.jsp%25252525252525252525253Fgoto%25252525252525252525253Dhttp%2525252525252525252525253A%2525252525252525252525252F%2525252525252525252525252Fweb.example.com%2525252525252525252525253A8080%2525252525252525252525252Fadmin-console%2525252525252525252525252Fauthentication%2525252525252525252525252Faccess-denied.jsp%2525252525252525252525253Fgoto%2525252525252525252525253Dhttp%252525252525252525252525253A%252525252525252525252525252F%252525252525252525252525252Fweb.example.com%252525252525252525252525253A8080%252525252525252525252525252Fadmin-console%252525252525252525252525252Fauthentication%252525252525252525252525252Faccess-denied.jsp%252525252525252525252525253Fgoto%252525252525252525252525253Dhttp%25252525252525252525252525253A%25252525252525252525252525252F%25252525252525252525252525252Fweb.example.com%25252525252525252525252525253A8080%25252525252525252525252525252Fadmin-console%25252525252525252525252525252Fauthentication%25252525252525252525252525252Faccess-denied.jsp%25252525252525252525252525253Fgoto%25252525252525252525252525253Dhttp%2525252525252525252525252525253A%2525252525252525252525252525252F%2525252525252525252525252525252Fweb.example.com%2525252525252525252525252525253A8080%2525252525252525252525252525252Fadmin-console%2525252525252525252525252525252Fauthentication%2525252525252525252525252525252Faccess-denied.jsp%2525252525252525252525252525253Fgoto%2525252525252525252525252525253Dhttp%252525252525252525252525252525253A%252525252525252525252525252525252F%252525252525252525252525252525252Fweb.example.com%252525252525252525252525252525253A8080%252525252
525252525252525252525252Fadmin-console%252525252525252525252525252525252Fauthentication%252525252525252525252525252525252Faccess-denied.jsp%252525252525252525252525252525253Fgoto%252525252525252525252525252525253Dhttp%25252525252525252525252525252525253A%25252525252525252525252525252525252F%25252525252525252525252525252525252Fweb.example.com%25252525252525252525252525252525253A8080%25252525252525252525252525252525252Fadmin-console%25252525252525252525252525252525252Fauthentication%25252525252525252525252525252525252Faccess-denied.jsp%25252525252525252525252525252525253Fgoto%25252525252525252525252525252525253Dhttp%2525252525252525252525252525252525253A%2525252525252525252525252525252525252F%2525252525252525252525252525252525252Fweb.example.com%2525252525252525252525252525252525253A8080%2525252525252525252525252525252525252Fadmin-console%2525252525252525252525252525252525252Fauthentication%2525252525252525252525252525252525252Faccess-denied.jsp%2525252525252525252525252525252525253Fgoto%2525252525252525252525252525252525253Dhttp%252525252525252525252525252525252525253A%252525252525252525252525252525252525252F%252525252525252525252525252525252525252Fweb.example.com%252525252525252525252525252525252525253A8080%252525252525252525252525252525252525252Fadmin-console%252525252525252525252525252525252525252Fauthentication%252525252525252525252525252525252525252Faccess-denied.jsp%252525252525252525252525252525252525253Fgoto%252525252525252525252525252525252525253Dhttp%25252525252525252525252525252525252525253A%25252525252525252525252525252525252525252F%25252525252525252525252525252525252525252Fweb.example.com%25252525252525252525252525252525252525253A8080%25252525252525252525252525252525252525252Fadmin-console%25252525252525252525252525252525252525252Fauthentication%25252525252525252525252525252525252525252Faccess-denied.jsp
    	RequestURL	: null
    	RequestHelper: 
    		null
    
    	Data: 
    		null
    
    -----------------------------------------------------------
    

    Any idea what to check?

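    The RedirectURL in the log above is the access-denied page redirecting to itself, with the previous redirect percent-encoded into its goto parameter at every level, so each layer adds another %25 to the escapes. As an added example that is not part of the original post or of the OpenAM agent code, the following Python helper unwraps such a chain one encoding layer at a time and flags a redirect whose goto target is the very page doing the redirecting, which is the shape of a redirect loop. The sample URLs are constructed here to mirror the log's shape; the openam.example.com login host and the /admin-console/dashboard path are assumptions, not values from the thread.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Page seen in the posted log, plus two constructed URLs for the demo.
ACCESS_DENIED = "http://web.example.com:8080/admin-console/authentication/access-denied.jsp"
LOGIN_PAGE = "http://openam.example.com:8080/openam/UI/Login"        # assumed host, not from the log
PROTECTED = "http://web.example.com:8080/admin-console/dashboard"    # assumed resource, not from the log


def wrap_goto(page, target):
    """Return page?goto=<target>, percent-encoding the target once (the shape the agent emits)."""
    return f"{page}?goto={quote(target, safe='')}"


def build_nested_sample(page, levels, final_target):
    """Constructed sample: a redirect to `page` whose goto is again `page`, nested `levels` deep."""
    url = final_target
    for _ in range(levels):
        url = wrap_goto(page, url)
    return url


def unwrap_goto(url, max_depth=64):
    """Follow the goto parameter inward; parse_qs strips exactly one encoding layer per step."""
    chain = [url]
    current = url
    for _ in range(max_depth):
        gotos = parse_qs(urlsplit(current).query).get("goto")
        if not gotos:
            break
        current = gotos[0]
        chain.append(current)
    return chain


def page_of(url):
    """Identify a page by scheme, host:port and path, ignoring its query string."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc, parts.path)


def analyze_redirect(url):
    """Report nesting depth and whether the redirect points back at its own page (a loop)."""
    chain = unwrap_goto(url)
    self_referential = len(chain) > 1 and page_of(chain[1]) == page_of(chain[0])
    return {
        "nesting_depth": len(chain) - 1,
        "redirect_page": urlsplit(chain[0]).path,
        "innermost_goto": chain[-1],
        "self_referential": self_referential,
    }


if __name__ == "__main__":
    for label, sample in (("looping", build_nested_sample(ACCESS_DENIED, 5, PROTECTED)),
                          ("normal", wrap_goto(LOGIN_PAGE, PROTECTED))):
        print(label, analyze_redirect(sample))
```

    A healthy redirect (login page with the protected resource as goto) unwraps in one step and is not self-referential; the looping sample reports the nesting depth and the self-reference, which is the symptom to look for before checking whether the access-denied page itself is being enforced.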
    #12951
     soma
    Participant

    Additional info

    I can see this in the Apache HTTP log:

    
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (data-HEAP): 231 bytes
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (data-HEAP): HTTP/1.1 200 OK\r\nDate: Fri, 09 Sep 2016 05:07:16 GMT\r\nServer: Apache/2.4.23 (Unix) OpenAM Web Agent/4.0.0\r\nContent-Length: 499\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
    [client 127.0.0.1:33770] mod_dumpio: dumpio_out
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (data-HEAP): 499 bytes
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (data-HEAP): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>200 OK</title>\n</head><body>\n<h1>OK</h1>\n<p>The server encountered an internal error or\nmisconfiguration and was unable to complete\nyour request.</p>\n<p>Please contact the server administrator at \n [email protected] to inform them of the time this error occurred,\n and the actions you performed just before this error.</p>\n<p>More information about this error may be available\nin the server error log.</p>\n</body></html>\n
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (metadata-EOS): 0 bytes
    [client 127.0.0.1:33770] mod_dumpio: dumpio_out
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (metadata-EOR): 0 bytes
    [client 127.0.0.1:33770] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
    [remote 127.0.0.1:33770] mod_dumpio: dumpio_out
    [remote 127.0.0.1:33770] mod_dumpio:  dumpio_out (metadata-EOC): 0 bytes
    [client 127.0.0.1:33768] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
    [client 127.0.0.1:33768] mod_dumpio: dumpio_in - 70014
    [client 127.0.0.1:33768] mod_dumpio: dumpio_out
    [client 127.0.0.1:33768] mod_dumpio:  dumpio_out (metadata-FLUSH): 0 bytes
    [client 127.0.0.1:33768] mod_dumpio:  dumpio_out (metadata-EOC): 0 bytes
    

    Maybe I need to ask for the solution on the Apache HTTP forum?

    #12823
     soma
    Participant

    @rarondini thanks for your reply.
    The solution was so tricky. I spent days figuring out why my policy set was not applied.

    I added a new Policy Set as you have suggested but could not see any changes in the openam/openam/debug/Policy log file. That was so suspicious.

    I read the documentation again and again and finally I found this: “Policy Client Service Properties”. In this paragraph a property is mentioned: “Application”. I had to change the value of this property, and after that OpenAM just started to use my policy set.

    The location of the “Application” property on the web console is Realms > [my realm name] > Agents > J2EE or Web > [my agent name] > OpenAM Services > Policy Client Service > Application.

    The issue is closed :)

    #12484
     soma
    Participant

    Hi @rarondini

    I think the reason why I always get HTTP 403 is not a missing policy.
    Anyway, as you suggested I created a Policy set with the following parameters:

    My Resource Type
    * pattern 1: http://*/*
    * pattern 2: http://api.example.com/*
    * actions (allowed): GET, POST, PUT, HEAD, DELETE, OPTIONS, CREATE, READ, UPDATE, PATCH, ACTION, QUERY

    My Policy Set
    * Resources: http://*:80/*, http://api.example.com:80/gombi/api/*
    * actions: GET, POST, PUT, HEAD, DELETE, OPTIONS, CREATE, READ, UPDATE, PATCH, ACTION, QUERY
    * Subject: Any of… > Authenticated Users | Users & Groups, user subject: demo

    I still get HTTP 403.

    Could you please check my web policy agent log?
    The log is here.

    What is wrong with my configuration?

    #12480
     soma
    Participant

    Hi,

    Why do we need to declare the AmAgentConf property in the VirtualHost configuration if centralized configuration is used?

    Where exactly does the policy configuration come from in the case of centralized config? Can I remove the AmAgentConf property from the VirtualHost definition?

    #12366
     soma
    Participant

    The Not Enforced URI list is empty. I use the default Web Agent settings; I have not changed anything.
    I use Centralized configuration with a realm.

    My VirtualHost looks like this:

    <VirtualHost *:80>
    ServerName api.example.com
    ServerAlias api.example.com

    DocumentRoot "/home/…./servers/apache-http/www/api.example.com"

    AmAgent On
    AmAgentConf "/home/…./servers/apache-http/openam/agent/instances/agent_1/config/agent.conf"

    Redirect 404 /favicon.ico
    <Location /favicon.ico>
    ErrorDocument 404 "No favicon"
    </Location>

    <IfModule mod_headers.c>
    Header unset Server
    Header unset X-Powered-By
    Header set Access-Control-Allow-Origin "http://web.example.com:8080"
    Header set Access-Control-Allow-Credentials "true"
    Header set Access-Control-Allow-Methods "GET, POST, DELETE"
    </IfModule>

    Options -Indexes
    ProxyRequests Off
    ProxyPreserveHost Off

    ErrorLog "logs/api.example.com-error_log"
    CustomLog "logs/api.example.com-access_log" common

    ProxyPass /myapp/api http://127.0.0.2:8082/myapp/api
    ProxyPassReverse /myapp/api http://127.0.0.2:8082/myapp/api
    </VirtualHost>

    #11931
     soma
    Participant

    The result of my info servlet:

    
    PROTECTED Info Servlet
    
    server time: Fri Jul 08 11:58:54 CEST 2016
    auth type: FORM
    remote user: demo
    
    principal
    principal class: org.apache.catalina.realm.GeneralPrincipal
    principal name: demo
    web principal subject 1: AUTHENTICATED_USERS
    web principal subject 2: id=sales,ou=group,dc=openam,dc=forgerock,dc=org
    
    user in 'AUTHENTICATED_USERS' role: true
    user in 'SALES' role: false
    user in 'sales' role: false
    user in 'id=sales,ou=group,dc=openam,dc=forgerock,dc=org' role: true
    
    #11930
     soma
    Participant

    I just want to complete this topic and share the solution with you.

    The solution described above works with GlassFish 3.1.2.2.

    In the case of Tomcat 8.0.23 I use the following settings.

    web.xml

    
    <filter>
        <filter-name>Agent</filter-name>
        <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    
    <welcome-file-list>
       <welcome-file>/public/welcome.html</welcome-file>
    </welcome-file-list>
    
    <error-page>
       <error-code>403</error-code>
       <location>/authentication/accessdenied.html</location>
    </error-page>
    <error-page>
       <error-code>404</error-code>
       <location>/public/notfound.html</location>
    </error-page>
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>role protected content</web-resource-name>
            <url-pattern>/rest/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>id=sales,ou=group,dc=openam,dc=forgerock,dc=org</role-name>
        </auth-constraint>
    </security-constraint>
    
    <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
          <form-login-page>/authentication/login.html</form-login-page>
          <form-error-page>/authentication/accessdenied.html</form-error-page>
       </form-login-config>
    </login-config>
    
    <security-role>
        <role-name>id=sales,ou=group,dc=openam,dc=forgerock,dc=org</role-name>
    </security-role>
    

    login.html

    
    <html>
       <head>
          <meta charset="UTF-8">
          <title>login page</title>
       </head>
       <body>
          If you are able to see this page in the deployed application, it implies that either you have
          not enabled web-tier declarative security, or you have not provided a mechanism for application
          level customized form login processing.
       </body>
    </html>
    

    Settings on OpenAM web Console
    * Agents > J2EE > [agent name]
    – Global > General > Filter Mode > only J2EE_POLICY
    – Application > Login Form URI: /demo-tomcat-1.0/authentication/login.html
    – Application > Access Denied URI: [demo-tomcat-1.0]=/demo-tomcat-1.0/authentication/accessdenied.html
    – Application > Not Enforced URIs: /demo-tomcat-1.0/, /demo-tomcat-1.0/public/*, /demo-tomcat-1.0/index.html

    Users belonging to the ‘sales’ group (id=sales,ou=group,dc=openam,dc=forgerock,dc=org) have access to the resources /rest/*. Users who are not members of this group get the accessdenied.html result.

    Hope this description helps you guys.

    #11487
     soma
    Participant

    @andyr Thanks for sharing your solution. I am going to try it.

    #11414
     soma
    Participant

    Thank you for the reply.
    Just one more comment. The Maven repo used:

    
        <repositories>
            <repository>
                <id>forgerock</id>
                <url>http://maven.forgerock.org/repo/releases</url>
            </repository>
        </repositories>
    
    #11342
     soma
    Participant

    Could you tell me which jar contains this interface? I cannot find it in the ‘ClientSDK-13.0.0.jar’.

    #11341
     soma
    Participant

    Thank you for your help. Could you please confirm that you are talking about
    Realm > Authentication > Modules > FacebookSocialAuthentication Module Name > ‘Attribute Mapper’ property?

    If I am on the right track then I need to implement the org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper interface.

    Example implementation: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper

    #11339
     soma
    Participant

    Thank you @peter-major, this issue is solved.

    I recommend that everybody with the same issue read this old doc: Introduction to Security in the Java EE Platform.

    The key point was to understand that the configuration of role-based authorization depends on the Java container used.

    In the case of GlassFish 3.1.2 there are two XML files that I had to modify: web.xml and sun-web.xml (or glassfish-web.xml).

    web.xml:

    
    <filter>
        <filter-name>Agent</filter-name>
        <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>private content</web-resource-name>
            <url-pattern>/rest/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SALES_ROLE</role-name>
        </auth-constraint>
    </security-constraint>
    
    <security-role>
        <role-name>SALES_ROLE</role-name>
    </security-role>
    

    sun-web.xml

    <sun-web-app>
    <security-role-mapping>
    <role-name>SALES_ROLE</role-name>
    <group-name>id=sales,ou=group,dc=openam,dc=forgerock,dc=org</group-name>
    </security-role-mapping>
    </sun-web-app>

    The group name comes from OpenAM. If you want to check what exactly OpenAM sets, the agent log level needs to be set to debug (message) level; then search for AUTHENTICATED_USERS in the log (glassfish-3.1.2.2/openam/j2ee_agent/Agent_001/logs/debug/debug.out).

    In my case I could see this in the log:

    
    AmRealm.authenticate: user: demo, authenticated: true, attributes: [sales, id=sales,ou=group,dc=openam,dc=forgerock,dc=org, AUTHENTICATED_USERS]
    

    The rest is up to security role mapping and *.xml configurations. That is all.
    Thanks.
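    Both this post and the Tomcat post (#11930) above hinge on the same chain: the role named in the auth-constraint must be declared in security-role, must be mapped to a group (in sun-web.xml on GlassFish, or used directly as the role name on Tomcat), and that group must be one of the attributes the agent actually sets, as seen in the AmRealm.authenticate debug line. As an added example that is not from the original thread or from ForgeRock, the following Python script cross-checks those three links over inline copies of the posted descriptors and the quoted attribute list. It also reports a security-constraint that lists http-method elements, because under the Servlet specification such a constraint covers only the listed methods and leaves the others unconstrained unless deny-uncovered-http-methods (Servlet 3.1) is declared; the GlassFish web.xml above lists only GET and POST for /rest/*.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the descriptors posted in the thread: the GlassFish pair
# (web.xml + sun-web.xml) and the Tomcat web.xml that names the OpenAM group DN as the role.
GLASSFISH_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>private content</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>SALES_ROLE</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>SALES_ROLE</role-name></security-role>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>SALES_ROLE</role-name>
    <group-name>id=sales,ou=group,dc=openam,dc=forgerock,dc=org</group-name>
  </security-role-mapping>
</sun-web-app>"""

TOMCAT_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>role protected content</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>id=sales,ou=group,dc=openam,dc=forgerock,dc=org</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>id=sales,ou=group,dc=openam,dc=forgerock,dc=org</role-name>
  </security-role>
</web-app>"""

# Attribute list as printed by AmRealm.authenticate in the agent debug log quoted above.
AGENT_ATTRIBUTES = ["sales", "id=sales,ou=group,dc=openam,dc=forgerock,dc=org", "AUTHENTICATED_USERS"]


def _local(tag):
    """Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee} from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    """Every element (root included) whose local tag name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def _texts(elem, name):
    """Stripped text of every matching descendant that carries text."""
    return [e.text.strip() for e in _elements(elem, name) if e.text and e.text.strip()]


def audit_role_mapping(web_xml, sun_web_xml, agent_attributes):
    """Return a list of findings; an empty list means every link in the chain is consistent."""
    findings = []
    web = ET.fromstring(web_xml)
    declared = {r for sr in _elements(web, "security-role") for r in _texts(sr, "role-name")}
    deny_uncovered = bool(_elements(web, "deny-uncovered-http-methods"))

    # GlassFish: role -> groups/principals from sun-web.xml. Tomcat (sun_web_xml is None): the
    # container hands the agent's attribute names to isUserInRole directly, so a role maps to itself.
    mapped = {}
    if sun_web_xml is not None:
        for srm in _elements(ET.fromstring(sun_web_xml), "security-role-mapping"):
            for role in _texts(srm, "role-name"):
                mapped.setdefault(role, set()).update(
                    _texts(srm, "group-name") + _texts(srm, "principal-name"))

    for sc in _elements(web, "security-constraint"):
        patterns = ", ".join(_texts(sc, "url-pattern"))
        methods = sorted(_texts(sc, "http-method"))
        if methods and not deny_uncovered:
            findings.append(f"{patterns}: only {methods} are constrained; other HTTP methods are uncovered")
        for ac in _elements(sc, "auth-constraint"):
            for role in _texts(ac, "role-name"):
                if role not in declared:
                    findings.append(f"{role}: used in <auth-constraint> but not declared in <security-role>")
                groups = {role} if sun_web_xml is None else mapped.get(role)
                if not groups:
                    findings.append(f"{role}: no <security-role-mapping> entry in sun-web.xml")
                    continue
                missing = sorted(g for g in groups if g not in agent_attributes)
                if missing:
                    findings.append(f"{role}: mapped to {missing}, which the agent never sets as an attribute")
    return findings


if __name__ == "__main__":
    print("GlassFish:", audit_role_mapping(GLASSFISH_WEB_XML, SUN_WEB_XML, AGENT_ATTRIBUTES))
    print("Tomcat:", audit_role_mapping(TOMCAT_WEB_XML, None, AGENT_ATTRIBUTES))
```

    Run against the GlassFish pair the only finding is the uncovered-methods note for /rest/*; the Tomcat descriptor comes back clean. Feeding in an attribute list without the group DN (for example when the agent debug log shows only AUTHENTICATED_USERS) produces the mapping finding, which is the quickest way to tell a role-mapping mismatch from a policy problem.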
