Client cert authentication returns 404 when account is suspended  #2929

Open
@achmelo

Description

Describe the bug
When a user wants to log in with a suspended account, API ML would return 401. When the same user tries the client certificate, the response is 404.

Steps to Reproduce

  1. Suspend the account.
  2. Authenticate with a client certificate.

Expected behavior
The response is the same for all authentication methods.

Logs
2023-05-22 14:02:15.269 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.z.a.g.s.m.ExternalMapper) External mapper API returned: {"userid":"","returnCode":0,"safReturnCode":0,"racfReturnCode":0,"racfReasonCode":0}
2023-05-22 14:02:15.272 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.z.a.g.s.l.x.X509AuthenticationProvider) Successfully mapped user to certificate:
2023-05-22 14:02:15.273 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.z.a.g.s.l.Providers) zOSMF registered with the Discovery Service and propagated to Gateway: true
2023-05-22 14:02:15.273 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.z.a.g.s.s.TokenCreationService) ZOSMF is available and used. Attempt to authenticate with PassTicket
2023-05-22 14:02:15.273 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.z.a.g.s.s.TokenCreationService) Generating PassTicket for user: and ZOSMF applid: IZUDFLT
2023-05-22 14:02:15.274 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.z.a.g.s.s.TokenCreationService) Generated passticket:
2023-05-22 14:02:15.276 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.i.e.MainClientExec) Executing request POST /zosmf/services/authenticate HTTP/1.1
2023-05-22 14:02:15.276 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.i.e.MainClientExec) Proxy auth state: UNCHALLENGED
2023-05-22 14:02:15.276 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> POST /zosmf/services/authenticate HTTP/1.1
2023-05-22 14:02:15.276 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> Accept: text/plain, application/xml, text/xml, application/json, application/cbor, application/+xml, application/+json, /
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> Authorization: Basic
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> X-CSRF-ZOSMF-HEADER:
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> Content-Length: 0
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> Host: :1443
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> Connection: Keep-Alive
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_351)
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> Accept-Encoding: gzip,deflate
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 >> "POST /zosmf/services/authenticate HTTP/1.1[\r][\n]"
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 >> "Accept: text/plain, application/xml, text/xml, application/json, application/cbor, application/+xml, application/+json, /[\r][\n]"
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 >> "Authorization: Basic [\r][\n]"
2023-05-22 14:02:15.277 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 >> "[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "HTTP/1.1 401 Unauthorized[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "X-Powered-By: Servlet/3.1[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "X-Content-Type-Options: nosniff[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "X-XSS-Protection: 1; mode=block[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "Content-Type: application/json;charset=ISO-8859-1[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "Content-Language: en-US[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "Transfer-Encoding: chunked[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "Date: Mon, 22 May 2023 14:02:15 GMT[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "b7[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "{"returnCode":8,"reasonCode":1,"message":"Login failed. Check if the user ID and password you use for the Basic Auth is correct, and if the user ID has the required SAF permissions."}[\r][\n]"
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << HTTP/1.1 401 Unauthorized
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << X-Powered-By: Servlet/3.1
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << X-Content-Type-Options: nosniff
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << X-XSS-Protection: 1; mode=block
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << Content-Type: application/json;charset=ISO-8859-1
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << Content-Language: en-US
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << Transfer-Encoding: chunked
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << Date: Mon, 22 May 2023 14:02:15 GMT
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.i.e.MainClientExec) Connection can be kept alive for 2000 MILLISECONDS
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.i.a.HttpAuthenticator) Authentication required
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.i.a.HttpAuthenticator) :1443 requested authentication
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.i.a.HttpAuthenticator) Response contains no authentication challenges
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "0[\r][\n]"
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-12 << "[\r][\n]"
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.z.a.s.ApimlPoolingHttpClientConnectionManager) Connection [id: 12][route: {s}->https://:1443] can be kept alive for 2.0 seconds
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.i.c.DefaultManagedHttpClientConnection) http-outgoing-12: set socket timeout to 0
2023-05-22 14:02:15.299 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.z.a.s.ApimlPoolingHttpClientConnectionManager) Connection released: [id: 12][route: {s}->https://:1443][total available: 2; route allocated: 1 of 100; total allocated: 2 of 1000]
2023-05-22 14:02:15.301 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR WARN (o.s.w.s.PageNotFound) No mapping for POST /error
2023-05-22 14:02:15.301 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR WARN (o.s.w.s.PageNotFound) No handler found for POST /error
2023-05-22 14:02:15.301 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR WARN (o.s.w.s.m.s.DefaultHandlerExceptionResolver) Resolved [org.springframework.web.servlet.NoHandlerFoundException: No handler found for POST /error]
2023-05-22 14:02:16.297 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-7:396081 ZWESVUSR DEBUG (o.z.a.g.f.p.LocationFilter) Routing: The request was routed to /api/v1/SYSVIEW/Display
2023-05-22 14:02:16.297 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-7:396081 ZWESVUSR DEBUG (o.z.a.g.s.s.s.s.JwtAuthSourceService) Getting JWT token from request.
2023-05-22 14:02:16.297 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-7:396081 ZWESVUSR DEBUG (o.z.a.g.s.s.s.s.JwtAuthSourceService) JWT token not found in request.
2023-05-22 14:02:16.297 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-7:396081 ZWESVUSR DEBUG (o.z.a.g.s.s.s.s.PATAuthSourceService) Getting JWT token from request.
2023-05-22 14:02:16.297 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-7:396081 ZWESVUSR DEBUG (o.z.a.g.s.s.s.s.PATAuthSourceService) JWT token not found in request.


https://github.com/zowe/api-layer/wiki/Issue-management
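
A triage check for the sequence visible in the log above (z/OSMF answers 401, then Spring reports no handler for POST /error on the same thread), as an added example that is not part of the original issue or the Zowe code base. The sample lines are constructed and shortened from the issue's log format; the function name and the two-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the issue's log format:
# timestamp, job:thread:pid, user, level, (logger), message.
SAMPLE_LOG = """\
2023-05-22 14:02:15.276 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 >> POST /zosmf/services/authenticate HTTP/1.1
2023-05-22 14:02:15.298 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-12 << HTTP/1.1 401 Unauthorized
2023-05-22 14:02:15.301 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-8:396081 ZWESVUSR WARN (o.s.w.s.PageNotFound) No handler found for POST /error
2023-05-22 14:02:16.297 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-7:396081 ZWESVUSR DEBUG (o.z.a.g.f.p.LocationFilter) Routing: The request was routed to /api/v1/SYSVIEW/Display
2023-05-22 14:02:17.100 ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-9:396081 ZWESVUSR DEBUG (o.a.h.headers) http-outgoing-13 << HTTP/1.1 401 Unauthorized
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\w+) \(([^)]+)\) (.*)$")
UPSTREAM_STATUS = re.compile(r"<< HTTP/1\.[01] (\d{3})")
ERROR_DISPATCH = re.compile(r"No handler found for \w+ /error")
WINDOW = timedelta(seconds=2)  # assumed correlation window


def find_masked_auth_failures(log_text):
    """Flag threads where an upstream 401/403 is followed by an unhandled
    /error dispatch. Spring resolves NoHandlerFoundException to 404, so the
    client sees 404 in place of the authentication failure."""
    last_denial = {}  # thread -> (timestamp string, parsed time, status)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, thread, _user, _level, logger, msg = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        status = UPSTREAM_STATUS.search(msg)
        if status and logger == "o.a.h.headers":
            if status.group(1) in ("401", "403"):
                last_denial[thread] = (ts, when, status.group(1))
            else:
                last_denial.pop(thread, None)  # a success clears the state
        elif ERROR_DISPATCH.search(msg) and thread in last_denial:
            denied_ts, denied_when, code = last_denial.pop(thread)
            if when - denied_when <= WINDOW:
                findings.append({"thread": thread, "upstream_status": code,
                                 "denied_at": denied_ts,
                                 "error_dispatch_at": ts})
    return findings
```

Each finding marks a request worth replaying with both authentication methods to confirm that the status codes differ.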
