Java agent and transactional authorization

This topic has 3 replies, 3 voices, and was last updated 1 month, 1 week ago by Jatinder Singh.

  • #28475
     abarry
    Participant

    Hello,

    I’m trying to force the user to reauthenticate when they try to access a protected resource. I’m using the Java agent and transactional authorization. I’ve configured the Java agent, the resource and the policy using the AM console. But when I try to access the protected resource (http://app.test.com:8080/test/protected) I’m redirected to the “CDSSO Redirect URI” (http://app.test.com:8080/test/sunwCDSSORedirectURI). I was expecting to be redirected to the authentication page, as I’ve configured the policy to ask the user to reauthenticate using MFA. Do you know what would cause the redirection to the configured “CDSSO Redirect URI”? The problem is that I have no error in the logs (AM and agent), so it’s hard to diagnose…

    Here is the debug log of the agent:

    -----------------------------------------------------------------
    AmFilter.isAccessAllowed: GET http://app.test.com:8080/test/protected
    AmFilterMode for application testauthent is URL_POLICY
    AmFilter processing XSS Detection Task Handler
    AmFilter processing AuthnFragmentRelayTaskHandler
    AmFilter processing AuthnExchangeTaskHandler
    AmFilter processing Notification Task Handler
    AmFilter processing FQDN Task Handler
    AmFilter processing Application Logout Handler
    AmFilter processing NotEnforcedTaskHandler
    NotEnforcedTaskHandler.process: reworked URL http://app.test.com:8080/test/protected
    >2021-03-07 13:20:52:188 CET: http-nio-10.201.12.163-30001-exec-8/5/main
    INFO: NotEnforcedRuleHelper.isAuthNRequest: requestURI: http://app.test.com:8080/test/protected; AuthNRedirectURI is /test/sunwCDSSORedirectURI; result is false
    AgentUrlPatternMatcher.match: http://app.test.com:8080/test/protected pattern http://app.test.com:8080/*/favicon.ico
    NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico url: http://app.test.com:8080/test/protected gave: false
    AgentUrlPatternMatcher.match: http://app.test.com:8080/test/protected pattern http://app.test.com:8080/*/favicon.ico?*
    NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico?* url: http://app.test.com:8080/test/protected gave: false
    NotEnforcedRuleHelper.isNotEnforced(http://app.test.com:8080/test/protected, 172.19.28.52, GET) FAILED to find a match
    NotEnforcedTaskHandler: Request URI http://app.test.com:8080/test/protected not found in any lists, so is enforced
    AmFilter processing Property Info Task Handler
    AmFilter processing Internal Monitoring Free Access Handler
    AmFilter processing PostAuthnTaskHandler
    AmFilter processing Authn (formerly CDSSO) Task Handler
    AuthnTaskHandler: Recovered user token is null
    User token validation: token null
    validateJwt: returning FAILED as user token is null/blank
    AuthnTaskHandler: JWT/Session is invalid
    AuthnTaskHandler: session validation failed
    >2021-03-07 13:20:52:188 CET: http-nio-10.201.12.163-30001-exec-8/5/main
    INFO: CookieUtils:addCookieToResponse adds amFilterCDSSORequest=reset;path=/;max-age=0;Expires=Sun, 07-Mar-2021 12:20:52 GMT;httponly
    recovered cookie: BookKeepingAuthnCookie 1 entry
        [GET http://app.test.com:8080/test/protected nonce zxWQ5zvolpDDfNYrG8mXW3FDjG8 aud testAuthentAgent txId 425f1ce2-fdef-45a5-a64e-630c07967680/1 expires 2021-03-07 12:22:31.222 GMT (in 99s)]
    
    Utils:isExcludedUserAgent: User Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
    Utils:isExcludedUserAgent: No match found returning false
    >2021-03-07 13:20:52:189 CET: http-nio-10.201.12.163-30001-exec-8/5/main
    INFO: CookieUtils:addCookieToResponse adds amFilterCDSSORequest=eNrFkDFvwjAQhf9KlLkmthPHMROotEhIrVS1EjBVlnMBgxNHtgMI1P9eTEc6dOsNJ929e--k75KkgzPpOEm3IfTjLPMGM3VEexkw2mvpvcWY41hk5LWmxai3BhC0vbF6pLvg5DiPahbABzmELXQhc3A1Dk4B6p0NsAFIH5K0Dds6vpo_fcSxUxCn82n5xs4Ha_rZrHldu3nVrpb582w3r-KVHG6emD79SZ9uri1K4aRvWkFZQxRQ1NTQoIJJhmRZACpzrDAXJS8rnJHogFMfDaQkjBDBGaGUxr0yrb8K3WBM8jWZXP6filV6B_s1NOKw-XxfLe250Qu3ePTHlz9SEYqXAuMc1YwJVECNkQCiUEE5k5RXss7z36gIRklV3VH5Bqb8pnw;path=/;max-age=300;Expires=Sun, 07-Mar-2021 12:25:52 GMT;httponly
    Written cookie: BookKeepingAuthnCookie 2 entries
        [GET http://app.test.com:8080/test/protected nonce zxWQ5zvolpDDfNYrG8mXW3FDjG8 aud testAuthentAgent txId 425f1ce2-fdef-45a5-a64e-630c07967680/1 expires 2021-03-07 12:22:31.222 GMT (in 99s)]
        [GET http://app.test.com:8080/test/protected nonce ocijekYef9vg_SXWozfiJrJCswM aud testAuthentAgent txId 9c769003-d559-4ed0-9e1c-4275a278ad33/1 expires 2021-03-07 12:25:52.188 GMT (in 299s)]
    
    AuthnContext: Custom Login is disabled
    getBestMatch called from
        at org.forgerock.agents.ConditionalUrlEntryHelper.generateUrl(ConditionalUrlEntryHelper.java:256)
        at org.forgerock.agents.ConditionalUrlEntryHelper.generateLoginUrl(ConditionalUrlEntryHelper.java:104)
        ...
    
    domain: app.test.com path: test/protected entries 1:
      [ConditionalUrlEntry domain: "app.test.com" path: <empty> url <empty> params "realm=employee" amper false]
    getBestMatch: MATCH: [ConditionalUrlEntry domain: "app.test.com" path: <empty> url <empty> params "realm=employee" amper false]
    AuthnContext.getRedirectResult, url = http://openam.test.com:8080/openam/oauth2/authorize?scope=openid&response_type=id_token&realm=employee&redirect_uri=http%3A%2F%2Fapp.test.com%3A8080%2Ftestauthent%2FsunwCDSSORedirectURI&nonce=ocijekYef9vg_SXWozfiJrJCswM&client_id=testAuthentAgent&agent_realm=%2Femployee&response_mode=form_post
    AmFilter: now processing: Audit Result Handler
    AmFilter.isAccessAllowed: Status STATUS_REDIRECT redirectURL http://openam.test.com:8080/openam/oauth2/authorize?scope=openid&response_type=id_token&realm=employee&redirect_uri=http%3A%2F%2Fapp.test.com%3A30001%2Ftest%2FsunwCDSSORedirectURI&nonce=ocijekYef9vg_SXWozfiJrJCswM&client_id=testAuthentAgent&agent_realm=%2Femployee&response_mode=form_post
    -----------------------------------------------------------------

    Thank you for your help.
    Regards,

    • This topic was modified 1 month, 2 weeks ago by abarry.
    #28480
     Jatinder Singh
    Participant

    From the docs – “Java agents work in CDSSO mode by default, regardless of the DNS domain of the AM servers and the DNS domain of the agents.”

    To understand what really is going on, I would suggest breaking it down as follows:

    1. Is your AM configured to use a 3rd-Level domain cookie? If yes, openam.test.com is different from app.test.com. You will have to configure a 2nd-Level domain cookie if it’s the case.

    2. Enable AM and Agent Debugging for more information in the logs.

    3. Divide and Conquer – I would suggest removing the AuthZ from the process and testing if a simple AuthN against your Tree/Chain works. If yes, then we can dive into AuthZ.

    You can check the following docs for more info:

    https://backstage.forgerock.com/docs/openam-jee-policy-agents/5.8/java-agents-guide/#about-cdsso
    https://backstage.forgerock.com/docs/am/7/authentication-guide/about-sso.html#implementing-cdsso

    Thanks,
    Jatinder

    #28481
     abarry
    Participant

    Hello Jatinder,

    Thank you for your reply.
    I finally found out that I was misconfiguring the CDSSO Redirect URI. I was using my application context /test/sunwCDSSORedirectURI rather than /agentapp/sunwCDSSORedirectURI. Then configuring the CDSSO Redirect URI in my java agent with /agentapp/sunwCDSSORedirectURI resolved the problem.

    Regards,

    #28483
     Jatinder Singh
    Participant

    Great! And yes, the ROOT context has to read agentapp
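
The misconfiguration resolved in this thread is visible in the last line of the posted agent log: the redirect_uri the agent hands to AM's /oauth2/authorize endpoint points at the application's own context (/test/sunwCDSSORedirectURI) instead of the agent's /agentapp/sunwCDSSORedirectURI. The script below is an added example, not part of the thread and not ForgeRock code. It parses the STATUS_REDIRECT line and the BookKeepingAuthnCookie entries out of agent debug output and checks the authorize URL. The expected path comes from the thread's resolution; the host comparison against the protected request, the nonce cross-check and the response_mode check are assumptions of this example. The sample log lines are copied from the log posted above, and the "fixed" URL is constructed to show what the redirect looks like after the correction.

```python
"""Sanity-check the CDSSO redirect a ForgeRock Java agent emits.

Added example for this thread, not ForgeRock code. When the agent finds no
valid session it redirects to AM's /oauth2/authorize with a redirect_uri that
must point at the agent's own endpoint. The thread's resolution was that the
CDSSO Redirect URI has to live under the /agentapp context, so that is the
main check here; the host comparison, the nonce cross-check against the
BookKeepingAuthnCookie entries and the response_mode check are this
example's own assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Per the thread: the CDSSO redirect URI is served from the agentapp root
# context, not from the protected application's own context.
EXPECTED_CDSSO_PATH = "/agentapp/sunwCDSSORedirectURI"

REDIRECT_RE = re.compile(r"STATUS_REDIRECT redirectURL (\S+)")
NONCE_RE = re.compile(r"nonce (\S+) aud ")


def parse_authorize_url(url):
    """Return the query parameters of an AM /oauth2/authorize URL, percent-decoded."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def check_redirect(url, app_host, cookie_nonces):
    """Return a list of findings for one redirect URL (empty when it looks right)."""
    params = parse_authorize_url(url)
    findings = []

    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        return ["authorize URL carries no redirect_uri"]
    target = urlsplit(redirect_uri)
    if target.path != EXPECTED_CDSSO_PATH:
        findings.append(
            f"redirect_uri path is {target.path!r}; the agent endpoint is "
            f"{EXPECTED_CDSSO_PATH!r} (agentapp root context)"
        )
    if target.netloc != app_host:  # assumption: agent and app share host:port
        findings.append(
            f"redirect_uri host is {target.netloc!r} but the protected request "
            f"went to {app_host!r}"
        )

    # The nonce in the authorize URL should be one the agent recorded in its
    # bookkeeping cookie, otherwise the returned id_token cannot be tied back
    # to this request.
    nonce = params.get("nonce")
    if nonce not in cookie_nonces:
        findings.append(f"nonce {nonce!r} not present in BookKeepingAuthnCookie")

    if params.get("response_mode") != "form_post":
        findings.append("response_mode is not form_post")
    return findings


def analyze_agent_log(lines, app_host):
    """Pull the redirect URL(s) and recorded nonces out of agent debug lines."""
    nonces = set()
    redirects = []
    for line in lines:
        nonces.update(NONCE_RE.findall(line))
        redirects.extend(REDIRECT_RE.findall(line))
    if not redirects:
        return ["no STATUS_REDIRECT line found"]
    findings = []
    for url in redirects:
        findings.extend(check_redirect(url, app_host, nonces))
    return findings


# Sample input: three lines taken from the debug log posted in this thread.
SAMPLE_LOG = [
    "[GET http://app.test.com:8080/test/protected nonce zxWQ5zvolpDDfNYrG8mXW3FDjG8 aud testAuthentAgent txId 425f1ce2-fdef-45a5-a64e-630c07967680/1 expires 2021-03-07 12:22:31.222 GMT (in 99s)]",
    "[GET http://app.test.com:8080/test/protected nonce ocijekYef9vg_SXWozfiJrJCswM aud testAuthentAgent txId 9c769003-d559-4ed0-9e1c-4275a278ad33/1 expires 2021-03-07 12:25:52.188 GMT (in 299s)]",
    "AmFilter.isAccessAllowed: Status STATUS_REDIRECT redirectURL http://openam.test.com:8080/openam/oauth2/authorize?scope=openid&response_type=id_token&realm=employee&redirect_uri=http%3A%2F%2Fapp.test.com%3A30001%2Ftest%2FsunwCDSSORedirectURI&nonce=ocijekYef9vg_SXWozfiJrJCswM&client_id=testAuthentAgent&agent_realm=%2Femployee&response_mode=form_post",
]

# Constructed: the same redirect after setting the CDSSO Redirect URI to the
# agentapp context, as the thread's resolution describes.
FIXED_REDIRECT = (
    "http://openam.test.com:8080/openam/oauth2/authorize?scope=openid&response_type=id_token"
    "&realm=employee&redirect_uri=http%3A%2F%2Fapp.test.com%3A8080%2Fagentapp%2FsunwCDSSORedirectURI"
    "&nonce=ocijekYef9vg_SXWozfiJrJCswM&client_id=testAuthentAgent&agent_realm=%2Femployee"
    "&response_mode=form_post"
)

if __name__ == "__main__":
    for finding in analyze_agent_log(SAMPLE_LOG, "app.test.com:8080"):
        print("FINDING:", finding)
    print("fixed redirect findings:",
          check_redirect(FIXED_REDIRECT, "app.test.com:8080", {"ocijekYef9vg_SXWozfiJrJCswM"}))
```

Run against the posted log it reports the /test/ path (the misconfiguration abarry found) and, because the log's redirect_uri carries port 30001 while the protected request used 8080, a host mismatch as a second item to look at; the constructed fixed URL produces no findings. Feed it the agent's debug file (one line per list element) and the same host:port the browser used for the protected request.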
