OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

recreate Subject from SSOToken ignoring missing CustomCacheKey #16492

Open bwa opened 3 years ago

bwa commented 3 years ago

It is known that an LtpaToken2 created on one Liberty server with a custom cache key will fail on another Liberty server, even if the ltpa.keys are shared.

The error message from the trace is:

com.ibm.ws.security.authentication.AuthenticationException: Custom cache key missed authentication cache. Need to re-challenge the user to login again.

Since the custom cache key is created by the 'customer', it might be possible for the second server to recreate the missing pieces, if the Principal is known.

In my trace I can see that the user is obtained:

[4/6/21 15:09:52:862 CEST] 0000034b id=00000000 com.ibm.ws.security.token.ltpa.internal.LTPATokenizer > convertArrayListToString Entry [user:defaultWIMFileBasedRealm/15105644105]

But it fails with the 'Custom cache key missed authentication cache' message.

If the subject was created without the custom data: normally the use of this custom data is created by the customer, so it actually needs to retrieve it on the second server.

In most cases, then, the custom code on the second server could use the user information to retrieve the missing data.

This could be achieved by a configurable option:

SSOContinueWithoutCustomCacheKeyData=true

or even better:

In my company the custom cache key is created by our custom TAI, so if the same custom TAI could be challenged when the custom cache key is missing, that component could be in charge of recreating the Subject based on the username.
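To make the mechanism discussed above concrete, here is an added example of a custom TAI that attaches a custom cache key to the Subject. It is not code from the issue, from the reporter's TAI, or from the Open Liberty project; the class name, the `X-Trusted-User` header and the group value are hypothetical stand-ins for whatever a site's own TAI derives. The only Liberty APIs used are the public `TrustAssociationInterceptor`, `TAIResult` and `AttributeNameConstants` types.

```java
// Added example (not from the issue or from Open Liberty): a minimal custom
// TrustAssociationInterceptor that establishes a Subject with a custom cache key.
// The header name "X-Trusted-User" and the group value are hypothetical.
package example.tai;

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Properties;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class CacheKeyTai implements TrustAssociationInterceptor {

    // Hypothetical: the upstream component that already authenticated the user
    // passes the user name in this header.
    private static final String USER_HEADER = "X-Trusted-User";

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        return 0;
    }

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        // Only intercept requests that carry the trusted header.
        return req.getHeader(USER_HEADER) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String user = req.getHeader(USER_HEADER);
        if (user == null || user.isEmpty()) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }

        // Site-specific data only this server can compute (hypothetical value).
        List<String> groups = new ArrayList<>();
        groups.add("group:defaultWIMFileBasedRealm/app-users");

        // The hashtable is consumed by Liberty's hashtable login: it builds the
        // Subject from these attributes instead of querying the user registry.
        Hashtable<String, Object> creds = new Hashtable<>();
        creds.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:defaultWIMFileBasedRealm/" + user);
        creds.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, user);
        creds.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        // The custom cache key. It travels in the LtpaToken2 and is looked up in
        // the authentication cache on later requests; a second server that never
        // ran this code has no matching entry and reports
        // "Custom cache key missed authentication cache".
        creds.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "tai:" + user + ":v1");

        Subject subject = new Subject();
        subject.getPublicCredentials().add(creds);
        return TAIResult.create(HttpServletResponse.SC_OK, user, subject);
    }

    @Override
    public String getVersion() {
        return "1.0";
    }

    @Override
    public String getType() {
        return getClass().getName();
    }

    @Override
    public void cleanup() {
    }
}
```

The point of the example is the last `creds.put(...)`: everything else in the hashtable could be rebuilt by any server from the user name, but the cache key ties the token to the authentication cache of the server that ran the TAI, which is exactly why the token is rejected elsewhere even with shared ltpa.keys.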

utle commented 3 years ago

The custom cache key indicates that the client subject had custom information that WebSphere/Liberty cannot fully re-create. This is the default behavior for traditional WebSphere and Liberty. I understand your requirement; can you open an RFE so it can go through the process? Thank you.

bwa commented 3 years ago

Already done. It's 2 years old...

The proposal is different though.

https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=119066

Have tried different channels, but it's very hard to get this fixed. It's a real blocker going from WAS ND to Liberty.

bwa commented 3 years ago

@utle Is it possible to get a hint about the progress on this issue?

bwa commented 3 years ago

@utle Still no progress on this?