Receiving an error when attempting to log in to Identity Manager using a System Manager account. Getting a java.lang.StackOverflowError exception in the log file.


Article ID: 48964


Updated On:

Products

DIRECTORY CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

A StackOverflowError exception can occur when the evaluation of role memberships at authentication runs into a recursion. See the exception trace:

 java.lang.StackOverflowError       
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168) 
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$BranchConn.match(Pattern.java:4078)
 at java.util.regex.Pattern$CharProperty.match(Pattern.java:3345)
 at java.util.regex.Pattern$Branch.match(Pattern.java:4114)
 at java.util.regex.Pattern$GroupHead.match(Pattern.java:4168)
 at java.util.regex.Pattern$Loop.match(Pattern.java:4295)
 at java.util.regex.Pattern$GroupTail.match(Pattern.java:4227)
 at java.util.regex.Pattern$BranchConn.match(Pattern.java:4078)
 at

Solution:

When a System Manager administrator modifies the System Manager admin role definition, care must be taken not to create a recursion. This can happen when membership of the System Manager admin role is based on the 'System Manager' role itself, which causes a recursion when the memberships are evaluated. For instance, the XML excerpt below shows a membership policy of the System Manager role that is based on the System Manager role.

<MemberPolicy>
<imsrule:MemberRule><RoleMember><AdminRole name="System Manager"/></RoleMember></imsrule:MemberRule>
</MemberPolicy>

This kind of situation should not be allowed for any admin role: no admin role should be based on itself.

When it happens, it causes the above exception trace and prevents authentication, because the membership evaluation fails during authentication. If this happens, export your IME roles and tasks XML file, edit it to remove the recursion condition, and reimport it.
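A check that can be run over the exported roles and tasks XML before reimporting it, given here as an added example that is not part of the original article or the product. It flags the self-reference shown above and, going one step beyond the article, roles that reach themselves through other roles. Assumptions: each role definition is an `AdminRole` element that encloses its `MemberPolicy` (the article shows only the `MemberPolicy` fragment), and the sample document, the `Help Desk` and `Auditor` role names and the namespace URI are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Assumed layout: every role definition
# is an <AdminRole name="..."> wrapping its <MemberPolicy>; the URI is a placeholder.
SAMPLE = """<Roles xmlns:imsrule="urn:example:imsrule">
 <AdminRole name="System Manager"><MemberPolicy>
  <imsrule:MemberRule><RoleMember><AdminRole name="System Manager"/></RoleMember></imsrule:MemberRule>
 </MemberPolicy></AdminRole>
 <AdminRole name="Help Desk"><MemberPolicy>
  <imsrule:MemberRule><RoleMember><AdminRole name="Auditor"/></RoleMember></imsrule:MemberRule>
 </MemberPolicy></AdminRole>
 <AdminRole name="Auditor"><MemberPolicy>
  <imsrule:MemberRule><RoleMember><AdminRole name="Help Desk"/></RoleMember></imsrule:MemberRule>
 </MemberPolicy></AdminRole>
</Roles>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip a "{namespace}" prefix if present

def membership_graph(xml_text):
    """Map each defined role to the roles its member rules are based on."""
    graph = {}
    for role in ET.fromstring(xml_text).iter():
        policies = [c for c in role if local(c.tag) == "MemberPolicy"]
        if local(role.tag) != "AdminRole" or not policies:
            continue  # a reference inside <RoleMember>, or some other element
        deps = graph.setdefault(role.get("name"), set())
        for policy in policies:
            for member in policy.iter():
                if local(member.tag) == "RoleMember":
                    deps.update(r.get("name") for r in member if local(r.tag) == "AdminRole")
    return graph

def recursive_roles(graph):
    """Roles that reach themselves, directly or through other roles."""
    bad = []
    for start in graph:
        seen, stack = set(), list(graph[start])
        while stack:  # iterative walk, so the checker itself cannot overflow
            role = stack.pop()
            if role == start:
                bad.append(start)
                break
            if role not in seen:
                seen.add(role)
                stack.extend(graph.get(role, ()))
    return sorted(bad)

if __name__ == "__main__":
    print(recursive_roles(membership_graph(SAMPLE)))
```

An empty result means no admin role's membership depends on itself under the assumed layout; any role listed needs its `RoleMember` rule edited before the file is reimported.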

Environment

Release: CAPUEL99000-12.5-Identity Manager-Blended upgrade to Identity &-Access Mgmt Ente
Component: