Java Policy Agents 2023.3

Limitations

The following limitations in this release are inherent to the design, not bugs to be fixed:

CDSSO Domain List Restrictions for WildFly and JBoss

WildFly and JBoss implement cookie support so that only one cookie with a given name can be set on a response. This prevents the agent from setting the same cookie for multiple domains.

Configuring the JWT Cookie Domain List with more than one cookie domain may result in redirection loops.

To work around this issue, perform the following steps:

  1. Go to REALMS > realm name > Applications > Agents > Java > agent name > SSO.

  2. Remove all cookie domains from the JWT Cookie Domain List.

  3. Go to REALMS > realm name > Applications > Agents > Java > agent name > Global.

  4. Configure any required entries in the Agent Root URL for CDSSO. The agent sets the cookie domain based on the requested resource.

CDSSO Domain List Restrictions for Tomcat

Tomcat 8.0.x introduced a new cookie processor, org.apache.tomcat.util.http.Rfc6265CookieProcessor, that became the default cookie processor on Tomcat 8.5.x.

Due to the new cookie processor’s cookie validation checks, configuring domains with leading dots (.) in the JWT Cookie Domain List can result in the following issues:

  • Java Agent returning HTTP 403 errors.

  • Tomcat server logging messages similar to the following:

    ERROR: AmFilter: Error while delegating to inbound handler: CDSSO Result Task Handler, access will be denied
    java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:183)
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:125)
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:989)
    at org.apache.catalina.connector.Response.addCookie(Response.java:937)
    at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386)
    at com.sun.identity.shared.encode.CookieUtils.addCookieToResponse(CookieUtils.java:412)
    ...

To work around this issue, perform one of the following actions:

  • Configure the legacy cookie processor implementation, org.apache.tomcat.util.http.LegacyCookieProcessor, in your Tomcat server. Refer to the documentation for your version of Tomcat for more information.

  • Ensure that every domain entered in the JWT Cookie Domain List starts with a letter or a digit rather than a dot. For example:

    Valid configuration

    org.forgerock.agents.jwt.cookie.domain.list[0]=example.com
    org.forgerock.agents.jwt.cookie.domain.list[1]=123company.com

    Invalid configuration

    org.forgerock.agents.jwt.cookie.domain.list[0]=.example.com
    org.forgerock.agents.jwt.cookie.domain.list[1]=.mycompany.com
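
Both CDSSO limitations above are configuration mistakes that only surface at runtime (a redirection loop on WildFly/JBoss, an HTTP 403 and the IllegalArgumentException stack trace on Tomcat). The following pre-deployment check is an added example, not ForgeRock code: it parses the `org.forgerock.agents.jwt.cookie.domain.list[N]` entries out of an agent properties file and reports entries that hit either limitation. The properties file contents, the `container` argument values and the function names are assumptions made for the example.

```python
"""Lint JWT Cookie Domain List entries in a Java Agent properties file.

Added example (not ForgeRock code). It checks the two documented limitations:
  * Tomcat 8.5+ (Rfc6265CookieProcessor) rejects domains with a leading dot,
    so the agent answers HTTP 403.
  * WildFly/JBoss can set only one cookie per name, so more than one domain in
    the list may cause redirection loops.
"""
import re

# Matches lines such as:
#   org.forgerock.agents.jwt.cookie.domain.list[0]=example.com
DOMAIN_LIST_RE = re.compile(
    r"^\s*org\.forgerock\.agents\.jwt\.cookie\.domain\.list\[(\d+)\]\s*=\s*(.*?)\s*$"
)

# Constructed sample properties file (not a real deployment): entry [0] has a
# leading dot, which the Tomcat cookie processor rejects.
SAMPLE_PROPERTIES = """\
# constructed sample agent properties
org.forgerock.agents.jwt.cookie.domain.list[0]=.example.com
org.forgerock.agents.jwt.cookie.domain.list[1]=123company.com
"""


def parse_domain_list(properties_text):
    """Return [(index, domain)] for every JWT cookie domain entry, sorted by index."""
    entries = []
    for line in properties_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue  # blank lines and Java properties comments
        match = DOMAIN_LIST_RE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2)))
    return sorted(entries)


def lint_domain_list(properties_text, container):
    """Return a list of findings for the given container; an empty list means
    neither documented limitation applies.

    container: "tomcat", "wildfly" or "jboss" (lowercase, assumed values).
    """
    findings = []
    entries = parse_domain_list(properties_text)

    if container == "tomcat":
        for idx, domain in entries:
            # Tomcat workaround: each domain must start with a letter or digit.
            if not re.match(r"[A-Za-z0-9]", domain):
                findings.append(
                    f"domain.list[{idx}]={domain}: must start with a letter or "
                    "digit; Rfc6265CookieProcessor rejects it and the agent "
                    "returns HTTP 403 (or configure LegacyCookieProcessor)"
                )

    if container in ("wildfly", "jboss") and len(entries) > 1:
        findings.append(
            f"{len(entries)} cookie domains configured on {container}: only one "
            "cookie per name can be set, which may cause redirection loops; "
            "clear the list and configure Agent Root URL for CDSSO instead"
        )
    return findings


if __name__ == "__main__":
    for container in ("tomcat", "wildfly"):
        print(f"== {container} ==")
        for finding in lint_domain_list(SAMPLE_PROPERTIES, container) or ["no findings"]:
            print(" -", finding)
```

Run the script against the properties file of the agent before restarting the container; on Tomcat it flags the `.example.com` entry, and on WildFly/JBoss it flags the fact that two domains are configured at all.
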

The agentadmin command shows warning messages

The agentadmin command may show warning messages similar to the following:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1 ...
WARNING: Please consider reporting this to the maintainers of org.forgerock.openam.sdk.com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

You can safely ignore these messages.

Copyright © 2010-2023 ForgeRock, all rights reserved.