Tagged: AM6.5, authorization, java agent 5.8, Policies
This topic has 3 replies, 3 voices, and was last updated 1 month, 1 week ago by Jatinder Singh.
March 7, 2021 at 1:34 pm #28475
abarry
Participant

Hello,
I’m trying to force the user to reauthenticate when he tries to access a protected resource. I’m using the Java agent and transactional authorization. I’ve configured the Java agent, the resource and the policy using the AM console. But when I try to access the protected resource (http://app.test.com:8080/test/protected) I’m redirected to the “CDSSO Redirect URI” (http://app.test.com:8080/test/sunwCDSSORedirectURI). I was expecting to be redirected to the authentication page, as I’ve configured the policy to ask the user to reauthenticate using MFA. Do you know what would cause the redirection to the configured “CDSSO Redirect URI”? The problem is that I have no error in the logs (AM and agent), so it’s hard to diagnose…
Here is the debug log of the agent:
-----------------------------------------------------------------
AmFilter.isAccessAllowed: GET http://app.test.com:8080/test/protected
AmFilterMode for application testauthent is URL_POLICY
AmFilter processing XSS Detection Task Handler
AmFilter processing AuthnFragmentRelayTaskHandler
AmFilter processing AuthnExchangeTaskHandler
AmFilter processing Notification Task Handler
AmFilter processing FQDN Task Handler
AmFilter processing Application Logout Handler
AmFilter processing NotEnforcedTaskHandler
NotEnforcedTaskHandler.process: reworked URL http://app.test.com:8080/test/protected
>2021-03-07 13:20:52:188 CET: http-nio-10.201.12.163-30001-exec-8/5/main INFO:
NotEnforcedRuleHelper.isAuthNRequest: requestURI: http://app.test.com:8080/test/protected; AuthNRedirectURI is /test/sunwCDSSORedirectURI; result is false
AgentUrlPatternMatcher.match: http://app.test.com:8080/test/protected pattern http://app.test.com:8080/*/favicon.ico
NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico url: http://app.test.com:8080/test/protected gave: false
AgentUrlPatternMatcher.match: http://app.test.com:8080/test/protected pattern http://app.test.com:8080/*/favicon.ico?*
NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico?* url: http://app.test.com:8080/test/protected gave: false
NotEnforcedRuleHelper.isNotEnforced(http://app.test.com:8080/test/protected, 172.19.28.52, GET) FAILED to find a match
NotEnforcedTaskHandler: Request URI http://app.test.com:8080/test/protected not found in any lists, so is enforced
AmFilter processing Property Info Task Handler
AmFilter processing Internal Monitoring Free Access Handler
AmFilter processing PostAuthnTaskHandler
AmFilter processing Authn (formerly CDSSO) Task Handler
AuthnTaskHandler: Recovered user token is null
User token validation: token null
validateJwt: returning FAILED as user token is null/blank
AuthnTaskHandler: JWT/Session is invalid
AuthnTaskHandler: session validation failed
>2021-03-07 13:20:52:188 CET: http-nio-10.201.12.163-30001-exec-8/5/main INFO:
CookieUtils:addCookieToResponse adds amFilterCDSSORequest=reset;path=/;max-age=0;Expires=Sun, 07-Mar-2021 12:20:52 GMT;httponly
recovered cookie: BookKeepingAuthnCookie 1 entry [GET http://app.test.com:8080/test/protected nonce zxWQ5zvolpDDfNYrG8mXW3FDjG8 aud testAuthentAgent txId 425f1ce2-fdef-45a5-a64e-630c07967680/1 expires 2021-03-07 12:22:31.222 GMT (in 99s)]
Utils:isExcludedUserAgent: User Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Utils:isExcludedUserAgent: No match found returning false
>2021-03-07 13:20:52:189 CET: http-nio-10.201.12.163-30001-exec-8/5/main INFO:
CookieUtils:addCookieToResponse adds amFilterCDSSORequest=eNrFkDFvwjAQhf9KlLkmthPHMROotEhIrVS1EjBVlnMBgxNHtgMI1P9eTEc6dOsNJ929e--k75KkgzPpOEm3IfTjLPMGM3VEexkw2mvpvcWY41hk5LWmxai3BhC0vbF6pLvg5DiPahbABzmELXQhc3A1Dk4B6p0NsAFIH5K0Dds6vpo_fcSxUxCn82n5xs4Ha_rZrHldu3nVrpb582w3r-KVHG6emD79SZ9uri1K4aRvWkFZQxRQ1NTQoIJJhmRZACpzrDAXJS8rnJHogFMfDaQkjBDBGaGUxr0yrb8K3WBM8jWZXP6filV6B_s1NOKw-XxfLe250Qu3ePTHlz9SEYqXAuMc1YwJVECNkQCiUEE5k5RXss7z36gIRklV3VH5Bqb8pnw;path=/;max-age=300;Expires=Sun, 07-Mar-2021 12:25:52 GMT;httponly
Written cookie: BookKeepingAuthnCookie 2 entries [GET http://app.test.com:8080/test/protected nonce zxWQ5zvolpDDfNYrG8mXW3FDjG8 aud testAuthentAgent txId 425f1ce2-fdef-45a5-a64e-630c07967680/1 expires 2021-03-07 12:22:31.222 GMT (in 99s)] [GET http://app.test.com:8080/test/protected nonce ocijekYef9vg_SXWozfiJrJCswM aud testAuthentAgent txId 9c769003-d559-4ed0-9e1c-4275a278ad33/1 expires 2021-03-07 12:25:52.188 GMT (in 299s)]
AuthnContext: Custom Login is disabled
getBestMatch called from
at org.forgerock.agents.ConditionalUrlEntryHelper.generateUrl(ConditionalUrlEntryHelper.java:256)
at org.forgerock.agents.ConditionalUrlEntryHelper.generateLoginUrl(ConditionalUrlEntryHelper.java:104)
...
domain: app.test.com path: test/protected entries 1: [ConditionalUrlEntry domain: "app.test.com" path: <empty> url <empty> params "realm=employee" amper false]
getBestMatch: MATCH: [ConditionalUrlEntry domain: "app.test.com" path: <empty> url <empty> params "realm=employee" amper false]
AuthnContext.getRedirectResult, url = http://openam.test.com:8080/openam/oauth2/authorize?scope=openid&response_type=id_token&realm=employee&redirect_uri=http%3A%2F%2Fapp.test.com%3A8080%2Ftestauthent%2FsunwCDSSORedirectURI&nonce=ocijekYef9vg_SXWozfiJrJCswM&client_id=testAuthentAgent&agent_realm=%2Femployee&response_mode=form_post
AmFilter: now processing: Audit Result Handler
AmFilter.isAccessAllowed: Status STATUS_REDIRECT redirectURL http://openam.test.com:8080/openam/oauth2/authorize?scope=openid&response_type=id_token&realm=employee&redirect_uri=http%3A%2F%2Fapp.test.com%3A30001%2Ftest%2FsunwCDSSORedirectURI&nonce=ocijekYef9vg_SXWozfiJrJCswM&client_id=testAuthentAgent&agent_realm=%2Femployee&response_mode=form_post
-----------------------------------------------------------------
Thank you for your help.
Regards,
March 10, 2021 at 4:06 pm #28480
Jatinder Singh
Participant

From the docs – “Java agents work in CDSSO mode by default, regardless of the DNS domain of the AM servers and the DNS domain of the agents.”
To understand what really is going on, I would suggest breaking it down as follows:
1. Is your AM configured to use a 3rd-level domain cookie? If yes, openam.test.com is different from app.test.com. You will have to configure a 2nd-level domain cookie if that’s the case.
2. Enable AM and Agent debugging for more information in the logs.
3. Divide and conquer – I would suggest removing the AuthZ from the process and testing if a simple AuthN against your Tree/Chain works. If yes, then we can dive into AuthZ.
You can check the following docs for more info:
https://backstage.forgerock.com/docs/openam-jee-policy-agents/5.8/java-agents-guide/#about-cdsso
https://backstage.forgerock.com/docs/am/7/authentication-guide/about-sso.html#implementing-cdsso

Thanks,
Jatinder

March 10, 2021 at 11:04 pm #28481
abarry
Participant

Hello Jatinder,
Thank you for your reply.
I finally found out that I was misconfiguring the CDSSO Redirect URI. I was using my application context /test/sunwCDSSORedirectURI rather than /agentapp/sunwCDSSORedirectURI. Configuring the CDSSO Redirect URI in my Java agent with /agentapp/sunwCDSSORedirectURI resolved the problem.
Regards,

March 15, 2021 at 4:01 pm #28483
Jatinder Singh
Participant

Great! And yes, the ROOT context has to read agentapp
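The agent log above already contains the evidence of the misconfiguration: the NotEnforcedRuleHelper line reports the agent's AuthNRedirectURI as /test/sunwCDSSORedirectURI, and the redirect_uri inside the authorize URL sent to AM carries the application context (and, in one line, a different port) instead of the agent's own /agentapp context. The following script is an added example, not part of this thread or of the ForgeRock agent code, that parses such debug log lines and reports every place where the redirect URI disagrees with the expected /agentapp/sunwCDSSORedirectURI path or with the host of the original request. The two log samples inside it are constructed from the lines quoted in the thread (nonce values shortened); the regexes match the log format as shown there and are an assumption about other agent versions.

```python
"""Check the CDSSO redirect URI a ForgeRock Java agent sends to AM against the
expected agent context.  Added example, not ForgeRock code."""
import re
from urllib.parse import parse_qs, urlparse

# Expected CDSSO handler path: the agent's ROOT context is agentapp (from the thread).
EXPECTED_CDSSO_PATH = "/agentapp/sunwCDSSORedirectURI"

# Constructed sample modelled on the misconfigured agent's debug output.
SAMPLE_LOG = """\
NotEnforcedRuleHelper.isAuthNRequest: requestURI: http://app.test.com:8080/test/protected; AuthNRedirectURI is /test/sunwCDSSORedirectURI; result is false
AmFilter.isAccessAllowed: Status STATUS_REDIRECT redirectURL http://openam.test.com:8080/openam/oauth2/authorize?scope=openid&response_type=id_token&realm=employee&redirect_uri=http%3A%2F%2Fapp.test.com%3A30001%2Ftest%2FsunwCDSSORedirectURI&nonce=n1&client_id=testAuthentAgent&agent_realm=%2Femployee&response_mode=form_post
"""

# Constructed sample of what a correctly configured agent would log.
FIXED_LOG = """\
NotEnforcedRuleHelper.isAuthNRequest: requestURI: http://app.test.com:8080/test/protected; AuthNRedirectURI is /agentapp/sunwCDSSORedirectURI; result is false
AmFilter.isAccessAllowed: Status STATUS_REDIRECT redirectURL http://openam.test.com:8080/openam/oauth2/authorize?scope=openid&response_type=id_token&realm=employee&redirect_uri=http%3A%2F%2Fapp.test.com%3A8080%2Fagentapp%2FsunwCDSSORedirectURI&nonce=n2&client_id=testAuthentAgent&agent_realm=%2Femployee&response_mode=form_post
"""

# Line shapes taken from the log quoted in the thread (assumed stable).
AUTHN_LINE_RE = re.compile(
    r"isAuthNRequest: requestURI: (?P<req>\S+); AuthNRedirectURI is (?P<path>\S+);"
)
REDIRECT_LINE_RE = re.compile(r"STATUS_REDIRECT redirectURL (?P<url>\S+)")


def parse_agent_log(log_text):
    """Return ([(request_uri, configured_redirect_path)], [authorize_url])."""
    authn, redirects = [], []
    for line in log_text.splitlines():
        m = AUTHN_LINE_RE.search(line)
        if m:
            authn.append((m.group("req"), m.group("path")))
        m = REDIRECT_LINE_RE.search(line)
        if m:
            redirects.append(m.group("url"))
    return authn, redirects


def check_cdsso_config(log_text, expected_path=EXPECTED_CDSSO_PATH):
    """Return a list of human-readable findings; empty means the log is consistent."""
    findings = []
    authn, redirects = parse_agent_log(log_text)

    # Hosts (host:port) of the requests the agent intercepted.
    request_hosts = {urlparse(req).netloc for req, _ in authn}

    # 1. The agent's own idea of its CDSSO handler path.
    for _, path in authn:
        if path != expected_path:
            findings.append(f"agent AuthNRedirectURI is {path}, expected {expected_path}")

    # 2. The redirect_uri actually sent to AM in the authorize request.
    for url in redirects:
        query = parse_qs(urlparse(url).query)  # parse_qs percent-decodes values
        for redirect_uri in query.get("redirect_uri", []):
            ru = urlparse(redirect_uri)
            if ru.path != expected_path:
                findings.append(f"redirect_uri path {ru.path} sent to AM, expected {expected_path}")
            if request_hosts and ru.netloc not in request_hosts:
                findings.append(
                    f"redirect_uri host {ru.netloc} differs from request host(s) {sorted(request_hosts)}"
                )
    return findings


if __name__ == "__main__":
    for name, log in (("misconfigured", SAMPLE_LOG), ("fixed", FIXED_LOG)):
        print(f"{name}:")
        for finding in check_cdsso_config(log) or ["no findings"]:
            print("  -", finding)
```

Run against a real agent debug log by reading the file into `check_cdsso_config`; the misconfigured sample yields three findings (wrong AuthNRedirectURI path, wrong redirect_uri path, and a redirect_uri port that does not match the intercepted request), while the fixed sample yields none.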