Limitations
The following limitations in this release are inherent to the design, not bugs to be fixed:
CDSSO Domain List Restrictions for WildFly and JBoss
Cookie support in WildFly and JBoss has been implemented so that only one cookie can be set with a certain name. This prevents setting the same cookie for multiple domains.
Configuring the JWT Cookie Domain List with more than one cookie domain may result in redirection loops.
To work around this issue, perform the following steps:
- Go to REALMS > realm name > Applications > Agents > Java > agent name > SSO.
- Remove all cookie domains from the JWT Cookie Domain List.
- Go to REALMS > realm name > Applications > Agents > Java > agent name > Global.
- Configure any required entries in the Agent Root URL for CDSSO. The agent sets the cookie domain based on the requested resource.
CDSSO Domain list restrictions for Tomcat
Tomcat 8.0.x introduced a new cookie processor, org.apache.tomcat.util.http.Rfc6265CookieProcessor, that became the default cookie processor on Tomcat 8.5.x.
Due to the new cookie processor's cookie validation checks, configuring domains with leading dots (.) in the JWT Cookie Domain List can result in the following issues:
- Java Agent returning HTTP 403 errors.
- Tomcat server logging messages similar to the following:
ERROR: AmFilter: Error while delegating to inbound handler: CDSSO Result Task Handler, access will be denied
java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:183)
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:125)
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:989)
    at org.apache.catalina.connector.Response.addCookie(Response.java:937)
    at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386)
    at com.sun.identity.shared.encode.CookieUtils.addCookieToResponse(CookieUtils.java:412)
    ...
To work around this issue, perform one of the following actions:
- Configure the legacy cookie processor implementation, org.apache.tomcat.util.http.LegacyCookieProcessor, in your Tomcat server. Refer to the documentation for your version of Tomcat for more information.
- Ensure the domains entered in the JWT Cookie Domain List start with a number or a letter. For example:
Valid configuration
org.forgerock.agents.jwt.cookie.domain.list[0]=example.com
org.forgerock.agents.jwt.cookie.domain.list[1]=123company.com
Invalid configuration
org.forgerock.agents.jwt.cookie.domain.list[0]=.example.com
org.forgerock.agents.jwt.cookie.domain.list[1]=.mycompany.com
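As an added pre-deployment check that is not part of the agent or this documentation: a small Python lint that reads the agent properties shown above and flags the two configurations these limitations describe (more than one domain on WildFly/JBoss, leading-dot domains on Tomcat 8.5.x). The RFC 6265 domain pattern is an approximation of the Tomcat processor's check, not its code; the sample properties are constructed from the examples on this page.

```python
import re

# Property key used on this page for the JWT Cookie Domain List
DOMAIN_KEY = re.compile(
    r"^org\.forgerock\.agents\.jwt\.cookie\.domain\.list\[(\d+)\]\s*=\s*(\S*)\s*$")
# Approximation of the Rfc6265CookieProcessor domain check: dot-separated
# labels that each start and end with a letter or digit (no leading dot).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
RFC6265_DOMAIN = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")

def parse_domain_list(properties_text):
    """Return the configured cookie domains ordered by their [n] index."""
    entries = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = DOMAIN_KEY.match(line)
        if match:
            entries[int(match.group(1))] = match.group(2)
    return [entries[i] for i in sorted(entries)]

def lint_domain_list(properties_text, container):
    """Return findings for 'tomcat', 'wildfly' or 'jboss'; empty means OK."""
    domains = parse_domain_list(properties_text)
    findings = []
    if container == "tomcat":
        for domain in domains:
            if domain.startswith("."):
                findings.append(f"{domain}: leading dot is rejected by "
                                "Rfc6265CookieProcessor (agent returns HTTP 403)")
            elif not RFC6265_DOMAIN.match(domain):
                findings.append(f"{domain}: not a valid RFC 6265 cookie domain")
    elif container in ("wildfly", "jboss") and len(domains) > 1:
        findings.append(f"{len(domains)} domains configured but {container} "
                        "sets one cookie per name; clear the list and use "
                        "Agent Root URL for CDSSO instead")
    return findings

# Constructed sample properties mirroring the examples above
VALID_PROPS = """\
org.forgerock.agents.jwt.cookie.domain.list[0]=example.com
org.forgerock.agents.jwt.cookie.domain.list[1]=123company.com
"""
INVALID_PROPS = """\
org.forgerock.agents.jwt.cookie.domain.list[0]=.example.com
org.forgerock.agents.jwt.cookie.domain.list[1]=.mycompany.com
"""
```

Run `lint_domain_list(text, "tomcat")` or `"wildfly"` over an exported agent properties file before deploying; an empty list means neither limitation applies.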
The agentadmin command shows warning messages
The agentadmin command may show warning messages similar to the following:
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1 ...
WARNING: Please consider reporting this to the maintainers of org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
You can safely ignore these messages.