OpenIdentityPlatform / OpenAM

OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
https://www.openidentityplatform.org/openam

SOAP STS X.509 Token Profile authentication causes illegal state #192

Closed dlakatos847 closed 10 months ago

dlakatos847 commented 5 years ago

Describe the bug

I use the openidentityplatform/openam:14.4.1 Docker image for piloting (non-production) a SOAP STS based SOA infrastructure. Signed, bearer subject confirmation method SAMLv2 tokens are issued after a successful WS-Security Username Token Profile or WS-Security X.509 Token Profile based authentication. Username/password is stored via the embedded OpenDJ server while X.509 certificates should be trusted via a CA trust store and verified according to the X.509 Public Key Infrastructure.

While the username/password based authentication successfully returns the signed and valid SAMLv2 token, X.509 based authentication fails with an exotic exception:

09-Oct-2019 11:36:30.217 SEVERE [https-openssl-nio-8443-exec-1] org.forgerock.openam.sts.soap.token.validator.wss.SoapCertificateTokenValidator.validate Exception caught authenticating X509Certificate with OpenAM: org.forgerock.openam.sts.TokenValidationException: In the ThreadLocalAMTokenCache, a session entry is being set over an existing session entry. Illegal state!
        org.forgerock.openam.sts.TokenValidationException: In the ThreadLocalAMTokenCache, a session entry is being set over an existing session entry. Illegal state!
                at org.forgerock.openam.sts.token.ThreadLocalAMTokenCacheImpl$AMSessionCache.setSessionEntry(ThreadLocalAMTokenCacheImpl.java:62)
                at org.forgerock.openam.sts.token.ThreadLocalAMTokenCacheImpl.cacheSessionIdForContext(ThreadLocalAMTokenCacheImpl.java:138)
                at org.forgerock.openam.sts.soap.token.validator.wss.SoapCertificateTokenValidator.validate(SoapCertificateTokenValidator.java:73)
...

As I understand, org.forgerock.openam.sts.token.ThreadLocalAMTokenCacheImpl.AMSessionCache.sessionEntry is already initialized when org.forgerock.openam.sts.token.ThreadLocalAMTokenCacheImpl.AMSessionCache.setSessionEntry(String, boolean) is invoked which triggers the exception due to this unwanted state.

To Reproduce

Steps to reproduce the behavior:

  1. Run openidentityplatform/openam:14.4.1 Docker container
  2. Create default configuration
  3. Create "Soap STS Instance" configured to sign SAMLv2 assertions
  4. Deploy Soap STS .war
  5. Send WS-Trust defined Request Security Token request via eg. SoapUI

Example request:

<soapenv:Envelope xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-B2AB6B3A07FCA71BA21570620988661178">HERE COMES THE BinarySecurityToken</wsse:BinarySecurityToken>
         <ds:Signature Id="SIG-B2AB6B3A07FCA71BA21570620988661181" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="ns soapenv wst wsu" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
               <ds:Reference URI="#TS-B2AB6B3A07FCA71BA21570620988660177">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                         <ec:InclusiveNamespaces PrefixList="wsse ns soapenv wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>jnWDvhWp+zNlioz+rQ6s8JfeleJ3fu9suMVL3bYVj+4=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-BEC47A743680A15723154659642493130">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="ns wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>jL+AA/3JuUhEg11/sw6XYqI+MQXaa5yopBF1weqZrWE=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>WueciAI8fHsMcxUwZfBTELqZ2wfwNYgyUe1dGK537OSa50rUWgN7dCklF3AsUFgnuGw9B+ugMrLJ
LkN3faMtp+ejm+kXM1tc7cQEzts5GelyCCM80MU6Q6ZyJEj7jSNFNNvwbfnCVL3x8zc/PZEjpLTG
cNuAkqoP0uyjejgjokrQr/Hk7EezGgICM8BtLjpEW+7NsA878QVxCgEuqdtvGZWdqI8Ysnxi5eNO
1L2MdncmTCI18CMHCoBu5/MzpOXrMxKS3GEslKEmRExUy4SiKYMz7zly/iumCvx/iH++olBMVIWV
wXoETuDUTdyKA0jjRuQrEbsSMqWsiZ8jXul3/WEdWcbjt2GBzEl4qUeQS2ty6PbL+xg7x2BSssnN
SLcRrxVFbOoajpYNlf9Y0wXzc/Ix97kmQnZk2SCAt0+EZiDv69agLKveaeV37c+F8+85mvLpRR3X
t6hkTgRY7NOV04AYY61b+sj0IQDKzfTtbjZyfFSSqugy2lNKCi6kwmWpEPWq0BBhhX0/mYr1mfMY
DZc+FKaQ+nFTSWw6wlGeclWHguJgrZXjxoMGNkq1aeUNjM7IdsnkbvZvyCofYKCKO+9Sinw+O+qt
7+XVZVBD3FJlrme2YDhjS6VMDBIjvR1p09YZuOJ+iqe5yHmv54XkhjDpzDLjOINMRe5U5Thha30=</ds:SignatureValue>
            <ds:KeyInfo Id="KI-B2AB6B3A07FCA71BA21570620988661179">
               <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-B2AB6B3A07FCA71BA21570620988661180" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                  <wsse:Reference URI="#X509-B2AB6B3A07FCA71BA21570620988661178" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
         <wsu:Timestamp wsu:Id="TS-B2AB6B3A07FCA71BA21570620988660177">
            <wsu:Created>2019-10-09T11:36:28Z</wsu:Created>
            <wsu:Expires>2019-10-09T11:46:28Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body wsu:Id="id-BEC47A743680A15723154659642493130">
      <wst:RequestSecurityToken Context="?">
         <wst:RequestSecurityToken Context="?">
            <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
            <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
            <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
         </wst:RequestSecurityToken>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>

Example response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsu:Timestamp wsu:Id="TS-8CEE12D64CCB3DFE9A15706086987161">
            <wsu:Created>2019-10-09T08:11:38.714Z</wsu:Created>
            <wsu:Expires>2019-10-09T08:16:38.714Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </SOAP-ENV:Header>
   <soap:Body>
      <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns2="http://www.w3.org/2005/08/addressing" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802">
         <RequestSecurityTokenResponse>
            <TokenType>urn:oasis:names:tc:SAML:2.0:assertion</TokenType>
            <RequestedSecurityToken>
               <saml:Assertion ID="s2fc508fec14e14825a6185e96b96da33132fbccd5" IssueInstant="2019-10-09T08:11:38Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                  <saml:Issuer>ISSUER ID</saml:Issuer>
                  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                     <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#s2fc508fec14e14825a6185e96b96da33132fbccd5">
                           <ds:Transforms>
                              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                           </ds:Transforms>
                           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                           <ds:DigestValue>Uk7X4NKXyPt14xqufSJaoDsFIow=</ds:DigestValue>
                        </ds:Reference>
                     </ds:SignedInfo>
                      <ds:SignatureValue>Sl/VeAbWpRTSd5Tel+rAclqQIbU94qsrCY+piRGW4h8p+HJv3TOhW0vb7pU0XCdQzI2UXFxLWp8q...=</ds:SignatureValue>
                     <ds:KeyInfo>
                        <ds:X509Data>
                           <ds:X509Certificate>HERE COMES THE X509Certificate</ds:X509Certificate>
                        </ds:X509Data>
                     </ds:KeyInfo>
                  </ds:Signature>
                  <saml:Subject>
                     <saml:NameID Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified">example</saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <saml:SubjectConfirmationData NotOnOrAfter="2019-10-09T08:21:38Z" Recipient="http://acs.example.com"/>
                     </saml:SubjectConfirmation>
                  </saml:Subject>
                  <saml:Conditions NotBefore="2019-10-09T08:11:38Z" NotOnOrAfter="2019-10-09T08:21:38Z">
                     <saml:AudienceRestriction>
                        <saml:Audience>http://soa.example.com</saml:Audience>
                     </saml:AudienceRestriction>
                  </saml:Conditions>
                  <saml:AuthnStatement AuthnInstant="2019-10-09T08:11:38Z">
                     <saml:AuthnContext>
                        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
                     </saml:AuthnContext>
                  </saml:AuthnStatement>
               </saml:Assertion>
            </RequestedSecurityToken>
            <RequestedAttachedReference>
               <ns4:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                  <ns4:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">s2fc508fec14e14825a6185e96b96da33132fbccd5</ns4:KeyIdentifier>
               </ns4:SecurityTokenReference>
            </RequestedAttachedReference>
            <RequestedUnattachedReference>
               <ns4:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                  <ns4:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">s2fc508fec14e14825a6185e96b96da33132fbccd5</ns4:KeyIdentifier>
               </ns4:SecurityTokenReference>
            </RequestedUnattachedReference>
            <Lifetime>
               <ns3:Created>2019-10-09T08:11:38.637Z</ns3:Created>
               <ns3:Expires>2019-10-09T08:16:38.637Z</ns3:Expires>
            </Lifetime>
         </RequestSecurityTokenResponse>
      </RequestSecurityTokenResponseCollection>
   </soap:Body>
</soap:Envelope>

Expected behavior

The SAMLv2 token is issued without an exception.

Screenshots

Not applicable.

Additional context

The full stack trace can be found in the Tomcat log: catalina.2019-10-09.log.
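
The stack trace above reports that a session entry is written into a thread-local cache while that thread still holds one. The following Python model is an added illustration, not code from this issue or from OpenAM: it assumes one plausible mechanism behind such a message, a per-thread cache that refuses to overwrite an existing session entry, combined with a servlet-style worker thread that is reused across requests. All class and function names are hypothetical. It shows why the first request on a worker thread can succeed while later ones fail with an illegal-state error unless the thread-local entry is cleared when each request finishes.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


class IllegalStateError(RuntimeError):
    """Raised when a session entry would be written over one already cached."""


class ThreadLocalSessionCache:
    """Hypothetical model of a per-thread session cache (not OpenAM's code).

    It refuses to overwrite an entry that is already present on the current
    thread; the caller is expected to clear the entry when the request that
    set it completes.
    """

    def __init__(self):
        self._local = threading.local()

    def set_session(self, session_id):
        if getattr(self._local, "session_id", None) is not None:
            raise IllegalStateError(
                "a session entry is being set over an existing session entry")
        self._local.session_id = session_id

    def clear(self):
        self._local.session_id = None


def validate_token(cache, token, clear_after):
    """Simulate validating one WS-Security token on a pooled worker thread.

    Returns an outcome string so callers can assert on it. `clear_after`
    decides whether the thread-local entry is released when the request ends.
    """
    try:
        cache.set_session("session-for-" + token)  # constructed session id
        return "issued"
    except IllegalStateError:
        return "illegal-state"
    finally:
        if clear_after:
            cache.clear()


def run_requests(tokens, clear_after):
    """Run every request on a single, reused worker thread (as a servlet pool does)."""
    cache = ThreadLocalSessionCache()
    with ThreadPoolExecutor(max_workers=1) as pool:
        return [pool.submit(validate_token, cache, t, clear_after).result()
                for t in tokens]


if __name__ == "__main__":
    print(run_requests(["a", "b", "c"], clear_after=False))  # only the first request succeeds
    print(run_requests(["a", "b", "c"], clear_after=True))   # all three succeed
```

The pattern to look for when diagnosing this class of bug is thread-local state that is set on the request path but only cleared on some exit paths; the `finally` clause in `validate_token` is the shape of the fix, since it releases the entry whether validation succeeded, failed or threw.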

dlakatos847 commented 5 years ago

This is really weird. A few things fix my X.509 authentication problem temporarily:

Authentication works this way for a while. After some time (around 2 minutes) the error message Illegal state reappears. No username/password or X.509 authentication works anymore. If I clear the user's sessions, everything works again. The problem seems to almost disappear when I turn on "Stateless Sessions" in OpenAM.

My request looks like this after the fix:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-7ADB9798BB4C536A751570693321809123">BINARY_SECURITY_TOKEN</wsse:BinarySecurityToken>
         <ds:Signature Id="SIG-7ADB9798BB4C536A751570693321810126" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="soapenv wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#TS-7ADB9798BB4C536A751570693321807122">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="wsse soapenv wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>aMuH0LpSKz1Bhq01BsrT5JyGGdI=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#id-7ADB9798BB4C536A75157069224316350">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>CG6om2Y+bQGtvmzbRHf2d92tEBE=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>gfA7SkXmO2Ia8ukV7PCPNDW6ogmKG81+PYGLjFpHaVO0FjBcA7pxq7rwfBlU9HgmsjSXYaRLZNc6
UjW+kkeWfKtRETbA420pFejUUeSJidG0gHfrgwStE5dWZ0W3rc8A6HlcZiCu6FItBYd1Tgls87mV
7LBNQmdSeF+vzPAATtUwCgMZuySKNZ1KfN3bVt808IogVi9YfiWHs/H5ibT0gDypf2C2niWPLJNb
WVx+YrjG9paMGIr5bzwgo3Ngr9ox9QN3BxF1rptGVyyMi+xY4DHZSb+R3tquN/42dPwk9PfRjKaW
ETtwwkxWwbyyKnCXySFpD2Ptl9GCKW2amq9PdFE9CV0WNl4BwFeCf+UIQ2ekt2ye1BucOGXOIpLk
pIBLbRCyBWBbhHl3TD5GHEJkmHlqGpaBycth5tuOFxgSKIOCBXi1swtETfspaDun0cm0AQqhUji2
E98XJjqZaiE0+S0qNTGRwT4erMJFoVSYiV+SbJ95uXFFmjFmwv/QF1LGHSpLUOtrVvqvDiuYpuvm
VlasL3+BD4DP58d7BN7esOQC2sAm6SRWCJre5phesT6pcDeQPFraYtol0xGBqCSYQaVLsABla1IM
tIn6VqIhJ2WDawhNQ50BPm/ZFmsIrUBTNl8SY7ZyXc5zafVafXKVs2uW1IkQ8HTIK5OYC/uyTEs=</ds:SignatureValue>
            <ds:KeyInfo Id="KI-7ADB9798BB4C536A751570693321809124">
               <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-7ADB9798BB4C536A751570693321809125" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                  <wsse:Reference URI="#X509-7ADB9798BB4C536A751570693321809123" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
         <wsu:Timestamp wsu:Id="TS-7ADB9798BB4C536A751570693321807122">
            <wsu:Created>2019-10-10T07:42:01Z</wsu:Created>
            <wsu:Expires>2019-10-10T07:52:01Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body wsu:Id="id-7ADB9798BB4C536A75157069224316350" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wst:RequestSecurityToken Context="?">
         <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
         <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
         <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>
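
The requests in this thread carry a WS-Security header in which the signature must cover both the Timestamp and the Body and the KeyInfo must point at the X.509 BinarySecurityToken. The following Python checker is an added example, not code from the issue or from OpenAM: it parses a constructed request of the same shape as the one above (ids, digests and the signature value are dummies) and reports structural problems an STS would reject before it ever reaches session handling. It verifies only structure and the timestamp window; verifying the XML signature itself would need the certificate path from the BinarySecurityToken and exclusive canonicalization, which this example does not implement.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
BST_TAG = "{%s}BinarySecurityToken" % NS["wsse"]
X509_PKIPATH = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1")

# Constructed request with the same shape as the one in the issue; ids, digests
# and the signature value are dummies, so only the structure is meaningful.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id="X509-1"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1">BINARY_SECURITY_TOKEN</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#TS-1"><ds:DigestValue>DUMMY</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#body-1"><ds:DigestValue>DUMMY</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>DUMMY</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509-1"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2019-10-10T07:42:01Z</wsu:Created>
        <wsu:Expires>2019-10-10T07:52:01Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body-1">
    <wst:RequestSecurityToken/>
  </soapenv:Body>
</soapenv:Envelope>"""


def parse_utc(value):
    """Parse a WS-Security UTC timestamp such as 2019-10-10T07:42:01Z or ...:38.714Z."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_security_header(xml_text, now):
    """Structural checks on the wsse:Security header; returns a list of findings.

    An empty list means the Timestamp and Body are both covered by signed
    references, the Timestamp is valid at `now`, and KeyInfo points at an
    X509PKIPathv1 BinarySecurityToken. The signature value is NOT verified here.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Collect every wsu:Id so that "#id" references can be resolved.
    ids = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID) is not None}

    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]

    signed_ids = set()
    for ref in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] in ids:
            signed_ids.add(uri[1:])
        else:
            findings.append("unresolvable signed reference %s" % uri)

    timestamp = security.find("wsu:Timestamp", NS)
    if timestamp is None or timestamp.get(WSU_ID) not in signed_ids:
        findings.append("timestamp missing or not signed")
    else:
        created = parse_utc(timestamp.findtext("wsu:Created", namespaces=NS))
        expires = parse_utc(timestamp.findtext("wsu:Expires", namespaces=NS))
        if not created <= now < expires:
            findings.append("timestamp outside validity window")

    body = root.find("soapenv:Body", NS)
    if body is None or body.get(WSU_ID) not in signed_ids:
        findings.append("body not signed")

    str_ref = security.find(
        "ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    token = ids.get(str_ref.get("URI", "")[1:]) if str_ref is not None else None
    if token is None or token.tag != BST_TAG or token.get("ValueType") != X509_PKIPATH:
        findings.append("KeyInfo does not reference an X509PKIPathv1 BinarySecurityToken")
    return findings


if __name__ == "__main__":
    print(check_security_header(SAMPLE_REQUEST, parse_utc("2019-10-10T07:45:00Z")))
```

Resolving each `ds:Reference` against the set of `wsu:Id` values, rather than trusting the reference list alone, is what catches a request whose signature covers something other than the Body it claims to protect; passing `now` as a parameter keeps the timestamp check deterministic in tests.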

vharseko commented 10 months ago

Please check https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/14.8.2