users@glassfish.java.net

Re: Wrong cookie encoding ? -> open SSO issue

From: Sebastien Stormacq <Sebastien.Stormacq_at_Sun.COM>
Date: Thu, 19 Jul 2007 14:22:00 +0200

Hello,

After some more investigation: I do confirm that each time there is a +
sign in the cookie value, the OpenSSO J2EE agent fails to validate the
session ... because the + sign is decoded to " " (space) when given to
the
com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:193)
method.

Probably a bug in the J2EE Agent for App Server v9?

E=#
        at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:193)
        at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:322)
        at com.sun.identity.agents.common.SSOTokenValidator.validateInternal(SSOTokenValidator.java:226)
        at com.sun.identity.agents.common.SSOTokenValidator.validate(SSOTokenValidator.java:133)
        at com.sun.identity.agents.filter.SSOTaskHandler.process(SSOTaskHandler.java:69)

Seb

Sebastien Stormacq wrote:
> Hello,
>
> I am running AM 7.1 on GF b53.
> I have deployed an application protected by the J2EE Policy agent.
>
> At certain points in time, the authentication fails and the browser
> enters an infinite redirect loop.
>
> It looks like the iPlanetDirectoryPro cookie is incorrectly URL encoded.
> Cookie value is
> AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQACMDE=#
> But what is seen by the J2EE filter is
> AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#
>
> (notice the space at the position of the + sign in the original cookie
> value)
>
>
> Then AM returns a FORBIDDEN value as policy, which causes the browser
> to redirect to AM etc ...
> See below the error at the agent side.
>
> Because I am not sure this is GF or OpenSSO issue, I cross-post my
> question.
>
> Any suggestions?
>
> Thanks
>
> Seb
>
> 07/19/2007 02:07:27:960 PM CEST:
> Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
> AmFilter: incoming request =>
> -----------------------------------------------------------
> HttpServletRequest: class => uri: /FineGrainedSample/
> method: GET
> QueryString: null
> Parameters:
> Headers:
> Name: host Value: spirou.sun.com:18080
> Name: user-agent Value: Mozilla/5.0 (Macintosh; U;
> Intel Mac OS X; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
> Name: accept Value:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Name: accept-language Value: en-us,en;q=0.5
> Name: accept-encoding Value: gzip,deflate
> Name: accept-charset Value: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Name: keep-alive Value: 300
> Name: connection Value: keep-alive
> Name: referer Value:
> http://spirou.sun.com:8080/amserver/UI/Login?goto=http%3A%2F%2Fspirou.sun.com%3A18080%2FFineGrainedSample%2F&gx_charset=UTF-8
> Name: cookie Value:
> JSESSIONID=e5ffee21849800471c08ca7b9b9c;
> JSESSIONID=e5fb58534cc2c0f52194ce398ad1; amlbcookie=01;
> iPlanetDirectoryPro=AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQA=#;
> amFilterRDParam=AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==
>
>
> Character Encoding : null
> Content Lenght : -1
> Content Type : null
> Locale : en_US
>
> Accept Locales:
> en_US
> en
>
> Protocol : HTTP/1.1
> Remote Address : 192.168.0.5
> Remote Host : 192.168.0.5
> Scheme : http
> Server Name : spirou.sun.com
> Server Port : 18080
> Is Secure : false
> Auth Type : null
> Context Path : /FineGrainedSample
> Cookies:
> JSESSIONID: e5ffee21849800471c08ca7b9b9c
> JSESSIONID: e5fb58534cc2c0f52194ce398ad1
> amlbcookie: 01
> iPlanetDirectoryPro:
> AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQACMDE=#
> amFilterRDParam:
> AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==
>
> Headers:
> host:
> spirou.sun.com:18080
> user-agent:
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X;
> en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
> accept:
>
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> accept-language:
> en-us,en;q=0.5
> accept-encoding:
> gzip,deflate
> accept-charset:
> ISO-8859-1,utf-8;q=0.7,*;q=0.7
> keep-alive:
> 300
> connection:
> keep-alive
> referer:
>
> http://spirou.sun.com:8080/amserver/UI/Login?goto=http%3A%2F%2Fspirou.sun.com%3A18080%2FFineGrainedSample%2F&gx_charset=UTF-8
> cookie:
> JSESSIONID=e5ffee21849800471c08ca7b9b9c;
> JSESSIONID=e5fb58534cc2c0f52194ce398ad1; amlbcookie=01;
> iPlanetDirectoryPro=AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X+kcf8=_at_AAJTSQA=#;
> amFilterRDParam=AQICh3Obt+fW1byJEdr6+mYrG3263bidnTb+j++GS5Rtl2y6clP6bBCRp+AFrjRoRerCtQarKGP8ZbXKryoic778WLMsJkRw/de+EZg7ziJdNOkqdjnBhdPY+rNTvDEXa8CMqw3pyGFxUq2bFAYEEuCJUD0o4NWLt4GFRaGyeh/Z/7HaQy4vQ2sAeg==
> Method : GET
> Path Info : /Page1.jsp
> Path Trans :
> /Users/sst/NetBeansProjects/FineGrainedSample/build/web/Page1.jsp
> Query String : null
> Remote User : null
> Requested Session ID : e5fb58534cc2c0f52194ce398ad1
> Request URI : /FineGrainedSample/
> Servlet Path : /faces
> Session : false
> User Principal : <not queried>
> Attributes:
> com.sun.enterprise.http.sessionTracker:
> org.apache.coyote.tomcat5.SessionTracker_at_2cb1b1
>
>
> -----------------------------------------------------------
>
> 07/19/2007 02:07:27:961 PM CEST:
> Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
> AmFilter: now processing: Notification Task Handler
> 07/19/2007 02:07:27:961 PM CEST:
> Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
> AmFilter: now processing: FQDN Task Handler
> 07/19/2007 02:07:27:961 PM CEST:
> Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
> FQDNHelper: Incoming Server Name: [spirou.sun.com] Result: null
> 07/19/2007 02:07:27:961 PM CEST:
> Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
> AmFilter: now processing: SSO Task Handler
> 07/19/2007 02:07:27:967 PM CEST:
> Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
> SSOTokenValidator.validate(): Exception caught
> com.iplanet.sso.SSOException:
> AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=# Invalid
> session ID.AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#
> at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:193)
> at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:322)
> at com.sun.identity.agents.common.SSOTokenValidator.validateInternal(SSOTokenValidator.java:226)
> at com.sun.identity.agents.common.SSOTokenValidator.validate(SSOTokenValidator.java:133)
> at com.sun.identity.agents.filter.SSOTaskHandler.process(SSOTaskHandler.java:69)
> at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:172)
> at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:135)
> at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:66)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
> at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
> at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
> at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:624)
> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
> at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:268)
> at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:631)
> at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:562)
> at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:803)
> at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
> at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:261)
> at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:212)
> at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
> at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
>
> 07/19/2007 02:07:27:967 PM CEST:
> Thread[httpSSLWorkerThread-18080-0,10,Grizzly]
> SSOTaskHandler: SSO Validation failed for
> AQIC5wM2LY4Sfcyeq4WKJ64OGJCnGZbBCKnDXX2I7X kcf8=_at_AAJTSQACMDE=#
> --
> <http://www.java.com> *Sebastien Stormacq*
> Software Architect
> GSS, Software Practice
> Belgium & Luxembourg
> *Sun Microsystems, sarl*
> Parc d'Activités 77-79
> Capellen L8308
> Phone x48356/+352 49 11 33 56
> Mobile +352 621 503 626
> Fax +352 49 11 33 33
> Email sebastien.stormacq_at_sun.com
>

-- 
*Sebastien Stormacq*
Software Architect
GSS, Software Practice
Belgium & Luxembourg
*Sun Microsystems, sarl*
Parc d'Activités 77-79
Capellen L8308
Phone x48356/+352 49 11 33 56
Mobile +352 621 503 626
Fax +352 49 11 33 33
Email sebastien.stormacq_at_sun.com
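The + to space corruption described at the top of this message, as an added example that is not part of the original thread and is not code from the OpenSSO agent, the J2EE policy agent or GlassFish. It models in Python the difference between application/x-www-form-urlencoded decoding (the semantics of java.net.URLDecoder, which turns a literal + into a space) and plain percent-decoding, run over a constructed base64 token whose encoding contains + characters. The @suffix# layout of the token and the validator are assumptions loosely modelled on the log values, not the real OpenSSO token format.

```python
"""
Added example (not OpenSSO / GlassFish code): why a session cookie whose
value contains '+' breaks when a filter applies form-urlencoded decoding
to a cookie value that was never form-encoded.
"""
import base64
import binascii
from urllib.parse import quote, unquote, unquote_plus

# Constructed session id: the first three bytes (0xfb 0xef 0xbe) base64-encode
# to "++++", so the token is guaranteed to contain '+' like the one in the log.
RAW_SESSION_ID = b"\xfb\xef\xbe-constructed-session-id"

# Assumed token layout "<base64 session id>@<suffix>#", loosely modelled on
# the log values; the real OpenSSO token format is not shown on this page.
SESSION_COOKIE = base64.b64encode(RAW_SESSION_ID).decode("ascii") + "@AAJTSQACMDE=#"


def form_decode(value: str) -> str:
    """application/x-www-form-urlencoded decoding (java.net.URLDecoder
    semantics): a literal '+' becomes ' ' and %XX sequences are decoded.
    This is the wrong decoder for a cookie value that was set verbatim."""
    return unquote_plus(value)


def percent_decode(value: str) -> str:
    """Plain RFC 3986 percent-decoding: %2B becomes '+', a literal '+' is
    left untouched. A raw base64 token survives this unchanged."""
    return unquote(value)


def percent_encode_for_cookie(value: str) -> str:
    """Defensive setter: encode every reserved character ('+' -> %2B,
    '=' -> %3D, '@' -> %40, '#' -> %23) so the value survives either decoder."""
    return quote(value, safe="")


def validate_token(cookie_value: str) -> bool:
    """Stand-in for the agent's createSSOToken check (assumption): the part
    before '@' must be strict base64. A space is not in the base64 alphabet,
    so a '+' turned into ' ' is rejected as an invalid session id."""
    session_part = cookie_value.split("@", 1)[0]
    try:
        base64.b64decode(session_part, validate=True)
    except binascii.Error:
        return False
    return True


def diagnose(cookie_value: str) -> dict:
    """Compare what each decoding layer hands to the validator, the way one
    would compare the raw Cookie header against the value seen by the filter."""
    return {
        "raw_valid": validate_token(cookie_value),
        "percent_decoded_valid": validate_token(percent_decode(cookie_value)),
        "form_decoded_valid": validate_token(form_decode(cookie_value)),
        # Percent-encoding on set makes the value robust even behind a
        # form-urlencoded decoder.
        "encoded_then_form_decoded_valid": validate_token(
            form_decode(percent_encode_for_cookie(cookie_value))
        ),
    }


if __name__ == "__main__":
    print("cookie as set:      ", SESSION_COOKIE)
    print("after form decoding:", form_decode(SESSION_COOKIE))
    for name, ok in diagnose(SESSION_COOKIE).items():
        print(f"{name:32s} {ok}")
```

Running it shows the same symptom as the log: the form-decoded value has a space where the + was and fails validation, while the raw and percent-decoded values pass. When chasing a redirect loop like this one, comparing the bytes of the incoming Cookie header with the value the filter passes to the validator isolates the layer that decodes; the durable fix is either to not apply form-urlencoded decoding to cookie values at all (browsers send them verbatim, as the header dump above shows) or to percent-encode the value when the cookie is set so that + travels as %2B.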