[gatein-issues] [JBoss JIRA] (GTNSSO-14) OpenSSO/OpenAM Agent doesn't support wildcard cookie domains

Marek Posolda (JIRA) jira-events at lists.jboss.org
Wed Oct 31 18:18:18 EDT 2012


     [ https://issues.jboss.org/browse/GTNSSO-14?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marek Posolda resolved GTNSSO-14.
---------------------------------

    Fix Version/s: 1.3.0.Beta02
                   1.3.0.Beta01
       Resolution: Done


I had issues with reproducing but I've reproduced after some investigation. It can be reproduced with cookie domain ".acme.com" and OpenAM on host "openam.toto.acme.com". It can't be reproduced when OpenAM is on host "openam.acme.com", as it requires that the OpenAM host have (at least) one more subdomain in the host name. It's due to the code in class RFC2109Spec:

{code}
            // host minus domain may not contain any dots
            String hostWithoutDomain = host.substring(0, host.length() 
                - cookie.getDomain().length());
            if (hostWithoutDomain.indexOf('.') != -1) {
                throw new MalformedCookieException("Domain attribute \"" 
                    + cookie.getDomain() 
                    + "\" violates RFC 2109: host minus domain may not contain any dots");
            }
{code}

so the issue happens only when the host without the cookie domain contains any dots (like "openam.toto").


The issue itself is only minor, as it only prints a WARN to the server log, but the functionality itself is not affected. The OpenAM iPlanetDirectoryPro cookie is properly validated by the OpenSSO agent and the user is successfully logged in to GateIn without problems. The only thing is that the HTTP client can't set the value of another cookie, "amlbcookie", when processing the response from OpenAM, but that's not needed anyway.

The latest version of OpenSSOAgentImpl in SSO 1.3.0.Beta01 was upgraded to use Apache HttpClient 4.1.2 and it doesn't print the warning anymore.

For older versions you can simply ignore the warning or use a workaround like you suggested (but that requires changes in code).
                
> OpenSSO/OpenAM Agent doesn't support wildcard cookie domains
> ------------------------------------------------------------
>
>                 Key: GTNSSO-14
>                 URL: https://issues.jboss.org/browse/GTNSSO-14
>             Project: GateIn SSO
>          Issue Type: Bug
>    Affects Versions: 1.1.1-GA
>            Reporter: Ray Tsang
>            Assignee: Marek Posolda
>             Fix For: 1.3.0.Beta02, 1.3.0.Beta01
>
>
> When OpenSSO or OpenAM is configured w/ a wildcard domain for the iPlanetDirectoryPro cookie (such as ".acme.com"), OpenSSOAgent fails to validate the ticket.
> Commons HttpClient by default restricts the use of wildcard cookies and will fail with an exception.
> WARN  [org.apache.commons.httpclient.HttpMethodBase] (http-127.0.0.1-8080-1) Cookie rejected: "$Version=0; amlbcookie=01; $Path=/; $Domain=.acme.com". Domain attribute ".acme.com" violates RFC 2109: host minus domain may not contain any dots
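Added example, not code from the GateIn SSO project or from Apache HttpClient: a Python re-implementation of the RFC 2109 domain rule that RFC2109Spec applies, run over the two OpenAM host placements from the issue. The final "host minus domain" check is the one quoted above; the three preceding checks are the other RFC 2109 domain constraints the same spec enforces and are assumed here from the RFC.

```python
import logging
from typing import Optional

log = logging.getLogger("cookie-check")


def rfc2109_domain_violation(host: str, domain: str) -> Optional[str]:
    """Return why a Domain attribute would be rejected for this origin host,
    or None if the cookie is acceptable under RFC 2109."""
    host = host.lower()
    domain = domain.lower()
    if not domain.startswith("."):
        return "domain must start with a dot"
    # An embedded dot is required, so a bare TLD such as ".com" cannot be claimed.
    if domain.find(".", 1) in (-1, len(domain) - 1):
        return "domain must contain an embedded dot"
    if not host.endswith(domain):
        return "host does not belong to domain"
    # The check quoted from RFC2109Spec: strip the domain suffix from the host
    # and reject if any dot (i.e. an extra subdomain level) remains.
    host_without_domain = host[: len(host) - len(domain)]
    if "." in host_without_domain:
        return "host minus domain may not contain any dots"
    return None


def accept_cookie(host: str, cookie: str, domain: str) -> bool:
    """Mirror HttpClient's behaviour: log a WARN and drop the cookie on violation."""
    reason = rfc2109_domain_violation(host, domain)
    if reason is not None:
        log.warning('Cookie rejected: "%s; $Domain=%s". Domain attribute "%s" '
                    'violates RFC 2109: %s', cookie, domain, domain, reason)
        return False
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample hosts: the two OpenAM placements described in the issue.
    for origin in ("openam.acme.com", "openam.toto.acme.com"):
        ok = accept_cookie(origin, "amlbcookie=01", ".acme.com")
        print(f"{origin:24} -> {'accepted' if ok else 'rejected'}")
```

Running it shows "openam.acme.com" accepted and "openam.toto.acme.com" rejected with the same reason text as the WARN in the issue, which is why the report only reproduces when OpenAM sits one subdomain level deeper than the cookie domain.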

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
