Custom Plugin Configured to Use ExecutionStatus.PAUSE Results in java.lang.NullPointerException on Authentication after OAM BP03 Patch Is Applied.
(Doc ID 1965002.1)
Last updated on SEPTEMBER 13, 2023
Applies to:
Oracle Access Manager - Version 11.1.2.1.3 and later
Information in this document applies to any platform.
Symptoms
Applying the Oracle Access Manager (OAM) 11.1.2.1 BP03 patch causes user login failures when a custom authentication plugin is configured to use the ExecutionStatus.PAUSE state to gather additional credentials for certain users.
User login works as expected if the BP03 patch is uninstalled.
ERROR
-----------------------
oam_server1.log and oam_server1-diagnostic.log show exceptions as below:
STEPS
-----------------------
The issue can be reproduced at will with the following steps:
Configure Custom Authentication Module in oamconsole:
(1) Authentication Steps:
- UserIdentificationPlugin
- UserAuthenticationPlugin
- TestAuthenticationPlugin (custom authentication plugin)
(2) Step Configuration:
UserIdentificationPlugin:
- KEY_LDAP_FILTER:
- KEY_IDENTITY_STORE_REF: Identity store used by Plugin
- KEY_SEARCH_BASE_URL:
UserAuthenticationPlugin:
- KEY_IDENTITY_STORE_REF: Identity store used by Plugin
- KEY_PROP_AUTHN_EXCEPTION:
- KEY_PROP_AUTHN_LEVEL:
TestAuthenticationPlugin:
- Forgot_Password_URL: URL of redirect during Pause (see note below)
(3) Steps Orchestration:
Initial Step: UserIdentificationPlugin
[Name – On Success – On Failure – On Error]
- UserIdentificationPlugin – UserAuthenticationPlugin – failure – failure
- UserAuthenticationPlugin – TestAuthenticationPlugin – failure – failure
- TestAuthenticationPlugin – Success – failure – failure
Description of TestAuthenticationPlugin:
After identification and authentication, the user enters the TestAuthenticationPlugin.
PluginExecution Steps:
1) Gathers Username through context from previous plugin if it exists.
2) Gathers Password through context from previous plugin if it exists.
3) Prints “Username is:” and “Password is:” along with collected values from (1) and (2).
4) Obtains subject through context from previous plugin.
5a) If subject exists, prints out the identity store handle.
5b) Otherwise, prints the stored and current information about the user from the context available to the TestAuthenticationPlugin.
6) If the boolean value is true, enters ExecutionStatus.PAUSE and sends the user to the redirect URL configured in the “Forgot_Password_URL” configuration parameter for the plugin.
7) If subject == null, grabs any information available from the context and stores it in the map. Prints the identity store handle.
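Added example, not part of the Oracle note and not Oracle's code: a stand-alone Java model (Java 16 or later) of the step orchestration above and of a plugin that pauses, redirects and is re-entered, reading its context values null-safely. The ExecutionStatus enum here is a local stand-in rather than the OAM plug-in SDK type, and the context keys (username, subject, needMoreCredentials, resumed, redirect), the sample URL and the re-entry behaviour are assumptions made for illustration.

```java
import java.util.*;
import java.util.function.Function;

public class OrchestrationModel {
    // Local stand-in for the plug-in result states; not the OAM SDK type.
    enum ExecutionStatus { SUCCESS, FAILURE, ERROR, PAUSE }
    // One orchestration row: [Name - On Success - On Failure - On Error]
    record Step(Function<Map<String, Object>, ExecutionStatus> plugin,
                String onSuccess, String onFailure, String onError) {}
    static final Map<String, Step> STEPS = Map.of(
        "UserIdentificationPlugin", new Step(ctx -> ExecutionStatus.SUCCESS,
            "UserAuthenticationPlugin", "failure", "failure"),
        "UserAuthenticationPlugin", new Step(ctx -> {
            ctx.put("subject", "uid=" + ctx.get("username")); // constructed subject
            return ExecutionStatus.SUCCESS;
        }, "TestAuthenticationPlugin", "failure", "failure"),
        "TestAuthenticationPlugin", new Step(OrchestrationModel::testPlugin,
            "Success", "failure", "failure"));
    // Models steps 1, 4 and 6: null-safe context reads, then PAUSE and redirect.
    static ExecutionStatus testPlugin(Map<String, Object> ctx) {
        Object user = ctx.get("username"), subject = ctx.get("subject"); // may be null
        System.out.println("Username is: " + user + " (subject present: " + (subject != null) + ")");
        boolean needMore = Boolean.TRUE.equals(ctx.get("needMoreCredentials"));
        if (needMore && !ctx.containsKey("resumed")) {
            ctx.put("redirect", ctx.get("Forgot_Password_URL"));
            return ExecutionStatus.PAUSE;  // flow is suspended at this step
        }
        return ExecutionStatus.SUCCESS;
    }
    // Walks the table from start; returns "Success", "failure" or "PAUSE@<step>".
    static String run(String start, Map<String, Object> ctx) {
        String name = start;
        while (STEPS.containsKey(name)) {
            Step s = STEPS.get(name);
            ExecutionStatus r = s.plugin().apply(ctx);
            if (r == ExecutionStatus.PAUSE) return "PAUSE@" + name;
            name = r == ExecutionStatus.SUCCESS ? s.onSuccess()
                 : r == ExecutionStatus.FAILURE ? s.onFailure() : s.onError();
        }
        return name;
    }
    public static void main(String[] args) {
        Map<String, Object> ctx = new HashMap<>(Map.of("username", "jdoe",
            "needMoreCredentials", true,
            "Forgot_Password_URL", "https://sso.example.com/collect")); // constructed
        System.out.println(run("UserIdentificationPlugin", ctx));
        ctx.put("resumed", true);  // user returned from the redirect
        System.out.println(run("TestAuthenticationPlugin", ctx));
    }
}
```

The first call stops at the custom plugin with the redirect stored in the context; the second call re-enters that step with the same context and follows its On Success branch.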
BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, the customer is not able to apply the latest bundle patches.
Changes
Cause