
Redirect loop between OpenAM and JEE Policy Agent 3.5.0 causes high session numbers and poor performance

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you get a redirect loop between OpenAM and JEE Policy Agent 3.5.0 that causes high session numbers, poor performance and potentially Out of Memory exceptions. The associated error is "Application token passed in, is invalid.token error".



This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown multiple times in the amAgent debug log, where the same token is being passed in each time:

Session.processSessionResponseException: exception received from server:Application token passed in, is invalid.token:AQIC5...QACMDM.*
amSession:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] Session.processSessionResponseException: AppTokenInvalid = TRUE
amSession:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] Session.processSessionResponseException: Destorying AppToken
amSecurity:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] AdminTokenAction:invalid called
amSession:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] WARNING: Session.processSessionResponseException processSessionResponseException: server responded with app token invalid error,refetching the app sso token
amSecurity:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] AdminTokenAction::run Unable to get SSOToken from serverconfig.xml

Session numbers keep increasing as sessions do not expire, which can cause poor performance and potentially Out of Memory exceptions. Eventually, this may result in an outage of the OpenAM server.
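The check below is an added example, not ForgeRock's code: it scans amAgent debug log lines for the symptom described above, the same application token being rejected repeatedly. The function names, the threshold and the sample lines are assumptions; tokens are reported as SHA-256 fingerprints so the output never contains a session token.

```python
import hashlib
import re
from collections import Counter

# Message text as it appears in the log excerpt in this article.
INVALID_RE = re.compile(r"Application token passed in, is invalid\.token:(\S+)")
REFETCH_MARKER = "refetching the app sso token"


def fingerprint(token):
    """Short SHA-256 digest, so reports never contain the raw session token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def scan_agent_debug(lines, threshold=3):
    """Return ({token fingerprint: rejections}, refetch count).

    Only tokens rejected at least `threshold` times are returned; the
    threshold is an assumed value, not one taken from the article.
    """
    rejected = Counter()
    refetches = 0
    for line in lines:
        match = INVALID_RE.search(line)
        if match:
            rejected[fingerprint(match.group(1))] += 1
        if REFETCH_MARKER in line:
            refetches += 1
    suspects = {fp: n for fp, n in rejected.items() if n >= threshold}
    return suspects, refetches


def _entry(token):
    # Constructed log lines shaped like the excerpt; not real agent output.
    return [
        "Session.processSessionResponseException: exception received from "
        f"server:Application token passed in, is invalid.token:{token}",
        "amSession:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] "
        "WARNING: server responded with app token invalid error,"
        "refetching the app sso token",
    ]


# Placeholder tokens: one rejected once, one rejected four times (the loop).
SAMPLE_LINES = _entry("AQIC5-PLACEHOLDER-B.*") + 4 * _entry("AQIC5-PLACEHOLDER-A.*")

if __name__ == "__main__":
    suspects, refetches = scan_agent_debug(SAMPLE_LINES)
    for fp, count in suspects.items():
        print(f"token {fp} rejected {count} times; {refetches} refetch attempts")
```

A token that is rejected once and then replaced stays below the threshold; a fingerprint that keeps recurring alongside a growing refetch count matches the loop described in this article.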

Recent Changes

Upgraded to, or installed, the JEE policy agent 3.5.0.

Causes

The policy agent receives an invalid application token from OpenAM and authenticates again to refresh it. However, the policy agent keeps using the invalid token rather than replacing it with a new application token and keeps trying to refresh it, which causes the redirect loop between the policy agent and OpenAM. Meanwhile, the number of sessions keeps increasing as this process continues to create new and unused sessions on the server.

Solution

This issue can be resolved by upgrading to JEE policy agent 3.5.1 or later; you can download this version from BackStage.

Note

This issue only applies to the JEE policy agent and can only be resolved by upgrading the JEE policy agent. No changes are required to OpenAM.

See Also

How do I monitor session statistics in AM (All versions)?

Related Training

N/A

Related Issue Tracker IDs

OPENAM-5835 (Redirect loop between OpenAM and J2EE Agent in case of invalid admin token)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.