May 24, 2016 at 10:46 am #10719
I have installed and configured a web agent in my apache 2.4 reverse proxy instance that connect to my web apps executed in tomcat instances by using virtual hosts.
The policy is executed and i’m redirected to the openam server login page to authenticate.
After login successfully however the browser is going into an infinite loop i’m not able to determine the cause.
The web site url is http://www.projet-okinawa.ch that is transformed to web.projet-okinawa.org/okinawa by the reverse proxy module. openAM is executing in openam.projet-okinawa.org server.
Is this a cross domain problem ?
I ask this because I don’t know exactly when the agent is treating the headers, after or before the reverse proxy transformation ?
ThanksMay 24, 2016 at 11:34 am #10720Bhargava.badaParticipant
This might be issue with your agent . The OpenAm able to successfully authenticate the user but your agent not able to get authentication info so redirecting back to OpenAM . again OpenAM able to find authentication session and redirecting to Agent and it is repeatedly going infinite loop . check the Agent logs and openAM logs in debug mode .
BhargavaMay 24, 2016 at 4:58 pm #10727
I set the log level to message to both the agent and openAM instance but i didn’t find any error that can explain the infinite loop. Everything seem working … but really wrong.
The agent log stop debugging after redirecting to the openAM login page and is not coming back. I think the reason is openAM host url (openam.projet-okinawa.org) has no agent and nor virtual host set in the reverse proxy.
The openAM CoreSystem log let see that user demo was retrieved :
* :: READ attempted by [unknown] frRest:05/24/2016 02:00:36:102 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-159] ServerInfoResource :: READ : in realm: / frRest:05/24/2016 02:00:36:104 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-159] ServerInfoResource.getAllServerInfo :: Added resource to response: * frRest:05/24/2016 02:00:44:335 PM UTC: Thread[http-nio-8443-exec-5,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-198] users :: ACTION|IDFROMSESSION attempted by id=demo,ou=user,dc=openam,dc=forgerock,dc=org frRest:05/24/2016 02:00:44:336 PM UTC: Thread[http-nio-8443-exec-5,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-198] IdentityResource.idFromSession() :: Retrieved ID for user=demo frRest:05/24/2016 02:00:44:389 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-201] demo :: READ attempted by id=demo,ou=user,dc=openam,dc=forgerock,dc=org tokenDataLayer:05/24/2016 02:00:44:559 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-201] Requesting ConnectionFactory for type DATA_LAYER tokenDataLayer:05/24/2016 02:00:44:560 PM UTC: Thread[http-nio-8443-exec-3,5,main]: TransactionId[5d23b676-8a95-459a-b402-4fcc386d90bf-201]
In such cases what is the debugging way to understand what the problem is ?May 25, 2016 at 10:00 am #10738
I finally found my error in the cdsso configuration. That solved the problem of the infinite loop. I have cookie set to both http://www.projet-okinawa.ch and openam.projet-okinawa.org that allow the agent to execute correctly (no more infinite loop).May 25, 2016 at 10:13 am #10739
I still have doubt about properties names : com.sun.identity.agents.config.override.protocol, com.sun.identity.agents.config.override.host, com.sun.identity.agents.config.override.port and com.sun.identity.agents.config.override.notification.url.
The agent is a web agent installed in the apache instance that execute as a reverse proxy for the web apps that execute on tomcat instances.
The agent is activated for the web apps virtual host, not for openam. I didn’t set/activate any rewriting rules for the moment except proxyPass and ProxyPassReverse.
Do I need to set this properties to true ? (the agent is behind a proxy, so I think I have to but I dont’unserstand what they mean, what they do exactly)
In both cases, is it explained somewhere what they mean and what they do exactly ?December 28, 2016 at 6:32 am #15087
You must be logged in to reply to this topic.