From ab0fed47d5cf79cef14e4158339c82fc594fb4f7 Mon Sep 17 00:00:00 2001 From: Valera V Harseko Date: Fri, 19 Jun 2026 19:49:36 +0300 Subject: [PATCH 1/4] Enable HttpOnly session cookies by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Switch the default of com.sun.identity.cookie.httponly from false to true so that OpenAM marks its SSO/session cookies HttpOnly out of the box. The XUI already supports this mode (relies on the auto-sent cookie instead of reading the token from document.cookie), so the previous "breaks XUI" rationale no longer applies. Core: - CookieUtils (openam-shared): default to true when the property is unset, via getAsBoolean(AM_COOKIE_HTTPONLY, true); update isCookieHttpOnly() javadoc. - serverdefaults.properties: ship com.sun.identity.cookie.httponly=true and rewrite the stale comment (document the allowTokenInBody opt-in / opt-out). IDP Discovery: - CookieUtils: default HttpOnly to true (null/empty -> on, explicit false -> off). - Configurator.jsp: default the "HTTP-Only Cookie" radio to True. CI / e2e: - build.yml: invert the Playwright phases — test the new HttpOnly=true default first (xui specs), then override to false via setenv.sh and run the full suite (oauth2/saml read tokenId from the response body, suppressed in HttpOnly mode). - saml-test.spec.mjs: fix the now-incorrect "HttpOnly breaks XUI" comment. - openam-commons.mjs: document that getAuthToken needs the token in the body. Tests: - RestAuthenticationHandlerTest: set the token-readable baseline (setCookieHttpOnly(false)) in @BeforeMethod so legacy assertions are independent of the production default and test order. Docs (asciidoc): update default to true and the serverinfo example in chap-securing, chap-deployments, chap-config-ref, chap-client-dev. --- .github/workflows/build.yml | 32 ++++++++++++------- e2e/common/openam-commons.mjs | 5 +++ e2e/saml/saml-test.spec.mjs | 7 ++-- .../authn/RestAuthenticationHandlerTest.java | 7 +++- .../asciidoc/admin-guide/chap-securing.adoc | 2 +- .../deployment-planning/chap-deployments.adoc | 2 +- .../asciidoc/dev-guide/chap-client-dev.adoc | 2 +- .../asciidoc/reference/chap-config-ref.adoc | 2 +- .../src/main/webapp/Configurator.jsp | 5 +-- .../saml2/idpdiscovery/CookieUtils.java | 9 ++---- .../template/sms/serverdefaults.properties | 15 +++++---- .../identity/shared/encode/CookieUtils.java | 14 ++++---- 12 files changed, 62 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6383f71179..9a5db0e140 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -288,38 +288,46 @@ jobs: with: sparse-checkout: e2e - - name: UI Smoke Tests (Playwright) - HttpOnly disabled + - name: UI Smoke Tests (Playwright) - HttpOnly enabled (default) + # OpenAM now ships HttpOnly session cookies by default, so a freshly + # configured server already reports cookieHttpOnly=true. This stage runs + # the (mode-agnostic) XUI specs against that default. env: - EXPECT_COOKIE_HTTPONLY: "false" + EXPECT_COOKIE_HTTPONLY: "true" run: | cd e2e npm init -y npm install @playwright/test npx playwright install chromium --with-deps - npx playwright test --reporter=list + echo "verifying the freshly configured server reports cookieHttpOnly=true (the new default)" + curl -sf "http://openam.example.org:8080/openam/json/serverinfo/*" | jq -e '.cookieHttpOnly == true' + npx playwright test xui --reporter=list - - name: Enable HttpOnly session cookie on OpenAM IDP and restart + - name: Disable HttpOnly session cookie on OpenAM IDP and restart shell: bash run: | # com.sun.identity.cookie.httponly is read once at startup (static field # in CookieUtils) and SystemProperties gives JVM -D properties priority, - # so we inject it via Tomcat setenv.sh and restart the same container - # (its configured data dir is preserved across a restart). + # so we inject the non-default value via Tomcat setenv.sh and restart the + # same container (its configured data dir is preserved across a restart). docker exec openam-idp bash -c ' - echo "export CATALINA_OPTS=\"\$CATALINA_OPTS -Dcom.sun.identity.cookie.httponly=true\"" > "$CATALINA_HOME/bin/setenv.sh" + echo "export CATALINA_OPTS=\"\$CATALINA_OPTS -Dcom.sun.identity.cookie.httponly=false\"" > "$CATALINA_HOME/bin/setenv.sh" chmod +x "$CATALINA_HOME/bin/setenv.sh"' docker restart openam-idp echo "waiting for OpenAM IDP to be alive again..." timeout 3m bash -c 'until docker inspect --format="{{json .State.Health.Status}}" openam-idp | grep -q \"healthy\"; do sleep 10; done' - echo "verifying the server now reports cookieHttpOnly=true" - curl -sf "http://openam.example.org:8080/openam/json/serverinfo/*" | jq -e '.cookieHttpOnly == true' + echo "verifying the server now reports cookieHttpOnly=false" + curl -sf "http://openam.example.org:8080/openam/json/serverinfo/*" | jq -e '.cookieHttpOnly == false' - - name: UI Smoke Tests (Playwright) - HttpOnly enabled + - name: UI Smoke Tests (Playwright) - HttpOnly disabled + # The full suite (oauth2/saml) runs in the non-HttpOnly mode because those + # specs read the SSO tokenId from the /json/authenticate response body, + # which is suppressed in the default HttpOnly mode. env: - EXPECT_COOKIE_HTTPONLY: "true" + EXPECT_COOKIE_HTTPONLY: "false" run: | cd e2e - npx playwright test xui --reporter=list + npx playwright test --reporter=list - name: Upload failure artifacts uses: actions/upload-artifact@v7 diff --git a/e2e/common/openam-commons.mjs b/e2e/common/openam-commons.mjs index 6f84272277..eb90570408 100644 --- a/e2e/common/openam-commons.mjs +++ b/e2e/common/openam-commons.mjs @@ -25,6 +25,11 @@ export async function getAdminToken(request) { return getAuthToken(request, ADMIN_USER, ADMIN_PASS) } +// Resolves the SSO tokenId from the /json/authenticate response body. Note this only works when the +// session cookie is NOT HttpOnly, or when org.openidentityplatform.openam.httponly.allowTokenInBody +// is enabled: in the default HttpOnly deployment the token is delivered solely via Set-Cookie and is +// not echoed in the body, so this helper returns undefined. Specs that rely on it must run against a +// server with HttpOnly disabled (see the CI matrix in .github/workflows/build.yml). export async function getAuthToken(request, username, password) { const resp = await request.post(`${OPENAM_BASE}/json/authenticate`, { headers: { diff --git a/e2e/saml/saml-test.spec.mjs b/e2e/saml/saml-test.spec.mjs index 4206397927..a7aad479cb 100644 --- a/e2e/saml/saml-test.spec.mjs +++ b/e2e/saml/saml-test.spec.mjs @@ -114,9 +114,10 @@ test.describe("OpenAM XUI - Login flow", () => { // ── 7. Assert the SSO session cookie carries a SameSite attribute ─────── // GHSA-fpmh-vx4h-xc33: the iPlanetDirectoryPro SSO cookie ships with a SameSite attribute by - // default so it is not sent on cross-site requests. It is intentionally NOT HttpOnly: the XUI - // reads it from document.cookie (SessionToken.jsm / AMConfig.js / AuthNService.js) to track the - // session and set REST headers, so enabling HttpOnly by default would break XUI console login. + // default so it is not sent on cross-site requests. The check below only asserts the SameSite + // attribute; whether the cookie is HttpOnly is governed by com.sun.identity.cookie.httponly (on + // by default, and fully supported by the XUI). HttpOnly behaviour is covered by the xui-httponly + // spec. const cookies = await page.context().cookies(); const ssoCookie = cookies.find((c) => c.name === "iPlanetDirectoryPro"); expect(ssoCookie, "iPlanetDirectoryPro SSO cookie should be set").toBeTruthy(); diff --git a/openam-core-rest/src/test/java/org/forgerock/openam/core/rest/authn/RestAuthenticationHandlerTest.java b/openam-core-rest/src/test/java/org/forgerock/openam/core/rest/authn/RestAuthenticationHandlerTest.java index c3c344bbed..be5801c694 100644 --- a/openam-core-rest/src/test/java/org/forgerock/openam/core/rest/authn/RestAuthenticationHandlerTest.java +++ b/openam-core-rest/src/test/java/org/forgerock/openam/core/rest/authn/RestAuthenticationHandlerTest.java @@ -74,7 +74,12 @@ public class RestAuthenticationHandlerTest { private CoreServicesWrapper coreServicesWrapper; @BeforeMethod - public void setUp() { + public void setUp() throws Exception { + + // Establish the token-readable baseline (HttpOnly off) for every test, independent of the + // production default of com.sun.identity.cookie.httponly. Tests that exercise HttpOnly mode + // opt in explicitly via setCookieHttpOnly(true) and reset it afterwards. + setCookieHttpOnly(false); loginAuthenticator = mock(LoginAuthenticator.class); restAuthCallbackHandlerManager = mock(RestAuthCallbackHandlerManager.class); diff --git a/openam-documentation/openam-doc-source/src/main/asciidoc/admin-guide/chap-securing.adoc b/openam-documentation/openam-doc-source/src/main/asciidoc/admin-guide/chap-securing.adoc index 05047ec757..315c4b84f4 100644 --- a/openam-documentation/openam-doc-source/src/main/asciidoc/admin-guide/chap-securing.adoc +++ b/openam-documentation/openam-doc-source/src/main/asciidoc/admin-guide/chap-securing.adoc @@ -110,7 +110,7 @@ To configure OpenAM server to use secure cookies, in the OpenAM console, navigat + HttpOnly cookies are meant to be transmitted only over HTTP and HTTPS, and not through non-HTTP methods, such as JavaScript functions. + -You can configure the OpenAM server to use HttpOnly cookies by navigating to Configure > Server Defaults > Advanced, and setting the `com.sun.identity.cookie.httponly` property's value to `true`. Save your changes. Note that the XUI reads the `iPlanetDirectoryPro` SSO cookie from the browser to track the session, so enabling `HttpOnly` breaks XUI console login; the property therefore defaults to `false`. Set it to `true` only in deployments that do not rely on the XUI. +OpenAM marks its cookies `HttpOnly` by default (`com.sun.identity.cookie.httponly=true`, under Configure > Server Defaults > Advanced). The XUI fully supports this mode: it relies on the automatically sent cookie instead of reading the SSO token from JavaScript. In HttpOnly mode the token is delivered only through the `Set-Cookie` header and is, by default, no longer returned in the `/json/authenticate` response body; non-browser or raw-REST integrations that need the token in the body can opt back in with `org.openidentityplatform.openam.httponly.allowTokenInBody=true`. Set `com.sun.identity.cookie.httponly` to `false` to disable HttpOnly cookies entirely. + To reduce cross-site request forgery (CSRF) exposure, OpenAM also sets a `SameSite` attribute on its cookies. A standard installation ships with `org.openidentityplatform.openam.cookie.samesite=Lax`. You can change this to `Strict` or `None` (the latter requires secure cookies) under Configure > Server Defaults > Security > Cookie. diff --git a/openam-documentation/openam-doc-source/src/main/asciidoc/deployment-planning/chap-deployments.adoc b/openam-documentation/openam-doc-source/src/main/asciidoc/deployment-planning/chap-deployments.adoc index 83d0a3e34c..0bbf82630a 100644 --- a/openam-documentation/openam-doc-source/src/main/asciidoc/deployment-planning/chap-deployments.adoc +++ b/openam-documentation/openam-doc-source/src/main/asciidoc/deployment-planning/chap-deployments.adoc @@ -226,7 +226,7 @@ When you first configure OpenAM, there are many options to evaluate, plus a numb * On a server that includes OpenAM Console, all the endpoints defined in the Web application descriptor, `WEB-INF/web.xml`, are available for use. -* To prevent cross-site scripting attacks, you can configure session cookies as HTTP Only by setting the property `com.sun.identity.cookie.httponly=true`. This property prevents third-party scripts from accessing the session cookie. Because the XUI reads the `iPlanetDirectoryPro` SSO cookie from the browser, this property defaults to `false`; enable it only in deployments that do not use the XUI. By default, OpenAM also sets `org.openidentityplatform.openam.cookie.samesite=Lax` to reduce cross-site request forgery (CSRF) exposure. +* To prevent cross-site scripting attacks, OpenAM marks session cookies as HTTP Only by default (`com.sun.identity.cookie.httponly=true`), which prevents third-party scripts from accessing the session cookie. The XUI supports this mode out of the box; set the property to `false` only if you need the SSO token to be readable from `document.cookie`. By default, OpenAM also sets `org.openidentityplatform.openam.cookie.samesite=Lax` to reduce cross-site request forgery (CSRF) exposure. * You can deploy a reverse proxy within delimitarized zone (DMZ) firewalls to limit exposure of service URLs to the end user as well as block access to back end configuration and user data stores to unauthorized users. diff --git a/openam-documentation/openam-doc-source/src/main/asciidoc/dev-guide/chap-client-dev.adoc b/openam-documentation/openam-doc-source/src/main/asciidoc/dev-guide/chap-client-dev.adoc index f32b150da9..79b0707a0e 100644 --- a/openam-documentation/openam-doc-source/src/main/asciidoc/dev-guide/chap-client-dev.adoc +++ b/openam-documentation/openam-doc-source/src/main/asciidoc/dev-guide/chap-client-dev.adoc @@ -938,7 +938,7 @@ $ curl https://openam.example.com:8443/openam/json/serverinfo/* "protectedUserAttributes": [], "cookieName": "iPlanetDirectoryPro", "secureCookie": false, - "cookieHttpOnly": false, + "cookieHttpOnly": true, "forgotPassword": "false", "forgotUsername": "false", "kbaEnabled": "false", diff --git a/openam-documentation/openam-doc-source/src/main/asciidoc/reference/chap-config-ref.adoc b/openam-documentation/openam-doc-source/src/main/asciidoc/reference/chap-config-ref.adoc index 98f69946e4..9222d6a39d 100644 --- a/openam-documentation/openam-doc-source/src/main/asciidoc/reference/chap-config-ref.adoc +++ b/openam-documentation/openam-doc-source/src/main/asciidoc/reference/chap-config-ref.adoc @@ -5624,7 +5624,7 @@ When set to `true`, mark cookies as HttpOnly to prevent scripts and third-party Both the classic UI and the XUI support HttpOnly session cookies. When HttpOnly is enabled, the XUI relies on the automatically sent cookie instead of reading the token from JavaScript, and a successful `/json/authenticate` response delivers the token only through the `Set-Cookie` header (the `tokenId` is, by default, no longer returned in the response body). See `org.openidentityplatform.openam.httponly.allowTokenInBody` to control that behaviour. + -Default: `false` +Default: `true` `com.sun.identity.enableUniqueSSOTokenCookie`:: If `true`, then OpenAM is using protection against cookie hijacking. diff --git a/openam-federation/openam-idpdiscovery-war/src/main/webapp/Configurator.jsp b/openam-federation/openam-idpdiscovery-war/src/main/webapp/Configurator.jsp index 97d8304e6a..a042e32441 100644 --- a/openam-federation/openam-idpdiscovery-war/src/main/webapp/Configurator.jsp +++ b/openam-federation/openam-idpdiscovery-war/src/main/webapp/Configurator.jsp @@ -28,6 +28,7 @@ <%-- Portions Copyrighted 2012-2013 ForgeRock Inc Portions Copyrighted 2012 Open Source Solution Technology Corporation + Portions Copyrighted 2026 3A Systems, LLC --%> @@ -207,8 +208,8 @@ java.util.Properties" HTTP-Only Cookie: - True - False + True + False diff --git a/openam-federation/openam-idpdiscovery/src/main/java/com/sun/identity/saml2/idpdiscovery/CookieUtils.java b/openam-federation/openam-idpdiscovery/src/main/java/com/sun/identity/saml2/idpdiscovery/CookieUtils.java index 55cfadf0a3..dfb364d85c 100644 --- a/openam-federation/openam-idpdiscovery/src/main/java/com/sun/identity/saml2/idpdiscovery/CookieUtils.java +++ b/openam-federation/openam-idpdiscovery/src/main/java/com/sun/identity/saml2/idpdiscovery/CookieUtils.java @@ -28,7 +28,7 @@ /** * Portions Copyrighted 2013 ForgeRock, Inc. - * Portions Copyrighted 2025 3A Systems LLC. + * Portions Copyrighted 2021-2026 3A Systems LLC. */ package com.sun.identity.saml2.idpdiscovery; @@ -59,11 +59,8 @@ public class CookieUtils { SystemProperties.get(IDPDiscoveryConstants.AM_COOKIE_SECURE). equalsIgnoreCase("true")); - static boolean cookieHttpOnly = - (SystemProperties.get(IDPDiscoveryConstants.AM_COOKIE_HTTPONLY) - != null) && - (SystemProperties.get(IDPDiscoveryConstants.AM_COOKIE_HTTPONLY). - equalsIgnoreCase("true")); + static boolean cookieHttpOnly = !"false".equalsIgnoreCase( + SystemProperties.get(IDPDiscoveryConstants.AM_COOKIE_HTTPONLY)); static String cookieSameSite = SystemPropertiesManager.get( Constants.AM_COOKIE_SAMESITE); diff --git a/openam-server-only/src/main/webapp/WEB-INF/template/sms/serverdefaults.properties b/openam-server-only/src/main/webapp/WEB-INF/template/sms/serverdefaults.properties index 903cf773ad..a97b14b0db 100644 --- a/openam-server-only/src/main/webapp/WEB-INF/template/sms/serverdefaults.properties +++ b/openam-server-only/src/main/webapp/WEB-INF/template/sms/serverdefaults.properties @@ -50,12 +50,15 @@ com.iplanet.am.profile.host=%SERVER_HOST% com.iplanet.am.profile.port=%SERVER_PORT% com.sun.identity.client.notification.url=%SERVER_PROTO%://%SERVER_HOST%:%SERVER_PORT%/%SERVER_URI%/notificationservice com.iplanet.am.daemons=securid -# NOTE: HttpOnly cannot be enabled by default because the XUI reads the -# iPlanetDirectoryPro SSO cookie from document.cookie (see SessionToken.jsm, -# AMConfig.js, AuthNService.js) to track the session and set REST headers. -# Shipping HttpOnly=true here breaks XUI console login. Operators that do not -# use the XUI can safely override this to true. -com.sun.identity.cookie.httponly=false +# The session/SSO cookies are marked HttpOnly by default so that scripts cannot +# read the SSO token from document.cookie. The XUI fully supports this mode: it +# relies on the auto-sent cookie instead of reading the token in JavaScript, and +# in HttpOnly mode the token is delivered only via the Set-Cookie header (it is +# not echoed in the /json/authenticate body). Non-browser/raw-REST integrations +# that need the token in the body can opt back in with +# org.openidentityplatform.openam.httponly.allowTokenInBody=true, or set this +# property to false to disable HttpOnly entirely. +com.sun.identity.cookie.httponly=true com.iplanet.am.cookie.name=iPlanetDirectoryPro com.iplanet.am.cookie.secure=@SECURE_COOKIE@ org.openidentityplatform.openam.cookie.samesite=Lax diff --git a/openam-shared/src/main/java/com/sun/identity/shared/encode/CookieUtils.java b/openam-shared/src/main/java/com/sun/identity/shared/encode/CookieUtils.java index ccbc28b8a6..50b3c9016f 100644 --- a/openam-shared/src/main/java/com/sun/identity/shared/encode/CookieUtils.java +++ b/openam-shared/src/main/java/com/sun/identity/shared/encode/CookieUtils.java @@ -65,10 +65,8 @@ public class CookieUtils { (SystemPropertiesManager.get(Constants.AM_COOKIE_SECURE). equalsIgnoreCase("true")); - static boolean cookieHttpOnly = - (SystemPropertiesManager.get(Constants.AM_COOKIE_HTTPONLY) != null) && - (SystemPropertiesManager.get(Constants.AM_COOKIE_HTTPONLY). - equalsIgnoreCase("true")); + static boolean cookieHttpOnly = + SystemPropertiesManager.getAsBoolean(Constants.AM_COOKIE_HTTPONLY, true); static boolean httpOnlyAllowTokenInBody = SystemPropertiesManager.getAsBoolean(Constants.AM_COOKIE_HTTPONLY_ALLOW_TOKEN_IN_BODY, false); @@ -169,8 +167,12 @@ public static boolean isCookieSecure() { } /** - * Returns property value of "com.sun.identity.cookie.httponly" - * + * Returns property value of "com.sun.identity.cookie.httponly". + *

+ * Defaults to {@code true} when the property is not set: OpenAM marks its cookies + * {@code HttpOnly} out of the box. Set the property to {@code false} to opt out (for example for + * integrations that read the SSO token from {@code document.cookie} in the browser). + * * @return the property value of "com.sun.identity.cookie.httponly" */ public static boolean isCookieHttpOnly() { From 2f66beb954a7eecf5b724bfe90189464741b4af5 Mon Sep 17 00:00:00 2001 From: Valera V Harseko Date: Fri, 19 Jun 2026 20:39:44 +0300 Subject: [PATCH 2/4] Fix Non-resolvable parent POM for org.openidentityplatform.openam:openam-mcp-server:16.0.7-SNAPSHOT --- openam-mcp-server/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openam-mcp-server/pom.xml b/openam-mcp-server/pom.xml index a392a087e8..9f7866e434 100644 --- a/openam-mcp-server/pom.xml +++ b/openam-mcp-server/pom.xml @@ -20,7 +20,7 @@ org.openidentityplatform.openam openam - 16.0.7-SNAPSHOT + 16.1.2-SNAPSHOT openam-mcp-server OpenAM MCP Server From aa424b537f7101f0ac3a0a249c7b8cf16632fc99 Mon Sep 17 00:00:00 2001 From: Valery Kharseko Date: Fri, 19 Jun 2026 20:52:15 +0300 Subject: [PATCH 3/4] Update OpenAM version from 16.1.2-SNAPSHOT to 16.1.1 --- openam-mcp-server/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openam-mcp-server/pom.xml b/openam-mcp-server/pom.xml index 9f7866e434..f7031a96e9 100644 --- a/openam-mcp-server/pom.xml +++ b/openam-mcp-server/pom.xml @@ -20,7 +20,7 @@ org.openidentityplatform.openam openam - 16.1.2-SNAPSHOT + 16.1.1 openam-mcp-server OpenAM MCP Server From 32c0d9335caeadbeb6b545ee7ab6cc87696afab0 Mon Sep 17 00:00:00 2001 From: Valera V Harseko Date: Sat, 20 Jun 2026 09:26:35 +0300 Subject: [PATCH 4/4] ci: adapt e2e auth checks to default HttpOnly session cookies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With HttpOnly enabled by default, /json/authenticate no longer echoes the tokenId in the response body, so the Docker/e2e steps that scraped it broke. - Extract the admin SSO token from the iPlanetDirectoryPro Set-Cookie header (curl -D - -o /dev/null + sed) instead of jq .tokenId; pick the last non-empty value so a clearing (empty) Set-Cookie cannot win. - Verify successful logins via "successUrl" in the response body (present on every completed authentication, in both HttpOnly and token-readable modes) instead of grepping tokenId — robust against cookie-clearing Set-Cookie. Applies to the IDP demo user, SP, and the multi-server test-openam1/2/3 checks. --- .github/workflows/build.yml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9a5db0e140..d22d1e3e44 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -175,13 +175,14 @@ jobs: echo "Test IDP authentication" ADMIN_TOKEN=$(docker exec openam-idp bash -c \ - 'curl -sf \ + 'curl -sf -D - -o /dev/null \ --request POST \ --header "Content-Type: application/json" \ --header "X-OpenAM-Username: amadmin" \ --header "X-OpenAM-Password: ampassword" \ --data "{}" \ - http://openam.example.org:8080/openam/json/authenticate' | jq -r .tokenId) + http://openam.example.org:8080/openam/json/authenticate \ + | tr -d "\r" | sed -n "s/^[Ss]et-[Cc]ookie: *iPlanetDirectoryPro=\([^;]*\).*/\1/p" | grep . | tail -n1') docker inspect --format="{{json .State.Health.Status}}" openam-idp | grep -q \"healthy\" @@ -210,7 +211,7 @@ jobs: --header "X-OpenAM-Username: demo" \ --header "X-OpenAM-Password: changeit" \ --data "{}" \ - http://openam.example.org:8080/openam/json/authenticate' + http://openam.example.org:8080/openam/json/authenticate | grep -q successUrl' - name: Docker start with a dedicated OpenDJ container (SP) shell: bash @@ -267,13 +268,13 @@ jobs: echo "Test SP authentication" docker exec openam-sp bash -c \ - 'curl \ + 'curl -sf \ --request POST \ --header "Content-Type: application/json" \ --header "X-OpenAM-Username: amadmin" \ --header "X-OpenAM-Password: ampassword" \ --data "{}" \ - http://sp.mycompany.org:8080/openam/json/authenticate | grep tokenId' + http://sp.mycompany.org:8080/openam/json/authenticate | grep -q successUrl' docker inspect --format="{{json .State.Health.Status}}" openam-sp | grep -q \"healthy\" @@ -383,13 +384,13 @@ jobs: " > conf.file && java -jar openam-configurator-tool*.jar --file conf.file' docker exec test-openam1 bash -c \ - 'curl \ + 'curl -sf \ --request POST \ --header "Content-Type: application/json" \ --header "X-OpenAM-Username: amadmin" \ --header "X-OpenAM-Password: ampassword" \ --data "{}" \ - http://openam1.example.org:8080/openam/json/authenticate | grep tokenId' + http://openam1.example.org:8080/openam/json/authenticate | grep -q successUrl' docker inspect --format="{{json .State.Health.Status}}" test-openam1 | grep -q \"healthy\" @@ -433,13 +434,13 @@ jobs: " > conf.file && java -jar openam-configurator-tool*.jar --file conf.file' docker exec test-openam2 bash -c \ - 'curl \ + 'curl -sf \ --request POST \ --header "Content-Type: application/json" \ --header "X-OpenAM-Username: amadmin" \ --header "X-OpenAM-Password: ampassword" \ --data "{}" \ - http://openam2.example.org:8080/openam/json/authenticate | grep tokenId' + http://openam2.example.org:8080/openam/json/authenticate | grep -q successUrl' docker inspect --format="{{json .State.Health.Status}}" test-openam2 | grep -q \"healthy\" @@ -481,12 +482,12 @@ jobs: " > conf.file && java -jar openam-configurator-tool*.jar --file conf.file' docker exec test-openam3 bash -c \ - 'curl \ + 'curl -sf \ --request POST \ --header "Content-Type: application/json" \ --header "X-OpenAM-Username: amadmin" \ --header "X-OpenAM-Password: ampassword" \ --data "{}" \ - http://openam3.example.org:8080/openam/json/authenticate | grep tokenId' + http://openam3.example.org:8080/openam/json/authenticate | grep -q successUrl' docker inspect --format="{{json .State.Health.Status}}" test-openam3 | grep -q \"healthy\"