Zero Page Login disallowed after installing the patch for OpenAM Security Advisory #201503 on OpenAM 11.x or 12.x
The purpose of this article is to provide assistance if the Zero Page Login functionality stops working after installing the patch for OpenAM Security Advisory #201503 on OpenAM 11.x or 12.x, or upgrading to OpenAM 11.0.3 (which includes the security fixes contained within the security advisory patch).
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The zero page login functionality ceases to work.
The Zero Page Login Referer Whitelist property in the OpenAM console appears to be blank, indicating that all referers should be allowed; navigate to: Configuration > Authentication > Core > Security > Zero Page Login Referer Whitelist to check.
Note
This property is only available in OpenAM 11.0.3 and later.
Recent Changes
Installed the patch for the OpenAM Security Advisory #201503.
Upgraded to OpenAM 11.0.3.
Causes
The recent security fixes set the zero page login referer whitelist property to an empty string rather than an empty list (blank), meaning that all referer URLs are denied.
This can be seen in the amAuth.xml file, where the openam.auth.zero.page.login.referer.whitelist attribute has the following default value. Note the single empty <Value></Value> element inside <DefaultValues>: this is a list containing one empty string, not an empty list, so no referer URL can ever match it:
    <AttributeSchema name="openam.auth.zero.page.login.referer.whitelist" type="list" syntax="string" i18nKey="a155" resourceName="zeroPageLoginReferrerWhiteList">
        <DefaultValues>
            <Value></Value>
        </DefaultValues>
    </AttributeSchema>
Solution
This issue can be resolved by upgrading to OpenAM 12.0.2 or later; you can download this from BackStage.
Alternatively, you can resolve this issue by removing the schema defaults for the openam.auth.zero.page.login.referer.whitelist attribute using the following ssoadm command:
$ ./ssoadm remove-attr-defs -s iPlanetAMAuthService -t Organization -u [adminID] -f [passwordfile] -a openam.auth.zero.page.login.referer.whitelist
replacing [adminID] and [passwordfile] with appropriate values.
Note
You must restart the web application container in which OpenAM runs to apply this configuration change.
This change removes the schema defaults so the whitelist is genuinely empty (no values at all), meaning zero page logins are allowed from any referer; if you are using OpenAM 11.0.3 or later, you should consider specifying a whitelist of allowed referer URLs in the console instead, for improved security.
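The distinction behind the Causes and Solution sections above (a list holding one empty string versus a list holding nothing) is easy to miss in XML. The following Python script is an added illustration, not OpenAM code: it parses two constructed AttributeSchema snippets modelled on the amAuth.xml fragment shown above, one with the patched <Value></Value> default and one with the defaults removed, and applies a stand-in for the referer whitelist rule the article describes (empty list allows any referer; otherwise the referer must match an entry). The exact-string matching in referer_allowed is an assumption for demonstration; OpenAM's own matching logic may differ.

```python
import xml.etree.ElementTree as ET

# Constructed schema fragments modelled on amAuth.xml (not copied from a real
# OpenAM installation). The first reflects the state after the #201503 patch,
# the second the state after `ssoadm remove-attr-defs`.
SCHEMA_EMPTY_STRING_DEFAULT = """\
<AttributeSchema name="openam.auth.zero.page.login.referer.whitelist"
                 type="list" syntax="string">
  <DefaultValues>
    <Value></Value>
  </DefaultValues>
</AttributeSchema>"""

SCHEMA_NO_DEFAULTS = """\
<AttributeSchema name="openam.auth.zero.page.login.referer.whitelist"
                 type="list" syntax="string">
  <DefaultValues/>
</AttributeSchema>"""


def default_values(schema_xml):
    """Return the list of default values declared for the attribute.

    An empty <Value></Value> element has no text, which ElementTree reports
    as None; it is normalised to "" so the result is a list with one empty
    string, exactly the shape that denies every referer.
    """
    root = ET.fromstring(schema_xml)
    return [value.text or "" for value in root.iter("Value")]


def referer_allowed(whitelist, referer):
    """Stand-in for the whitelist rule described in the article.

    Assumption for this illustration: an empty whitelist allows any referer,
    a non-empty whitelist requires an exact match. A whitelist of [""] is
    non-empty and can never match a real URL, so it denies everything.
    """
    if not whitelist:
        return True
    return referer in whitelist


def zero_page_login_allowed(schema_xml, referer):
    """Combine the two steps: read the defaults, then evaluate the referer."""
    return referer_allowed(default_values(schema_xml), referer)


if __name__ == "__main__":
    referer = "https://app.example.com/login"  # constructed sample referer
    for label, schema in (("patched default", SCHEMA_EMPTY_STRING_DEFAULT),
                          ("defaults removed", SCHEMA_NO_DEFAULTS)):
        print(f"{label}: whitelist={default_values(schema)!r} "
              f"allowed={zero_page_login_allowed(schema, referer)}")
```

Running the script shows the patched default parsing to [''] and denying the sample referer, while the schema with defaults removed parses to [] and allows it; adding explicit URLs to the whitelist, as recommended for 11.0.3 and later, allows only those referers.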
See Also
OpenAM Administration Guide › Defining Authentication Services › Core - Security
OpenAM Developer's Guide › RESTful Web Services › REST APIs for Authentication & Logout
Related Training
N/A
Related Issue Tracker IDs
OPENAM-5826 (Zero Page Login disallowed after OPENAM-sec-201503-v1102-CAS is applied)