Description of problem:
If a protected JSP page does a redirect and it is the originally requested URL, then after the IDP redirects the browser back to the SP and the SP replays the original request, an IllegalStateException will be thrown when the JSP attempts the redirect (<c:redirect>):

16:25:52,903 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/employee].[jsp]] (http-/127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.lang.IllegalStateException
	at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:420) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.taglibs.standard.tag.common.core.RedirectSupport.doEndTag(RedirectSupport.java:152) [jboss-jstl-api_1.2_spec-1.0.6.Final-redhat-1.jar:1.0.6.Final-redhat-1]
	at org.apache.jsp.index_jsp._jspx_meth_c_005fredirect_005f0(index_jsp.java:89)
	at org.apache.jsp.index_jsp._jspService(index_jsp.java:62)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:365) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.4.Final-redhat-4.jar:7.5.4.Final-redhat-4]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]

How reproducible:
Modify the employee.war/index.jsp to perform a redirect:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!-- Redirects to handle post Cisco Login -->
<c:redirect url="/blah.html"/>

Steps to Reproduce:
1. Create the idp and sp security-domains:

<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
    </authentication>
</security-domain>

<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="UsersRoles" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
    </authentication>
</security-domain>

2. Deploy the idp.war and employee.war
3. Hit http://localhost:8080/employee/

Actual results:
IllegalStateException

Expected results:
Browser should get redirected to http://localhost:8080/employee/blah.html

Additional info:
Created attachment 1097290 BZ1282969.zip
Created attachment 1097293 idp.war
Created attachment 1097294 employee.war
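A diagnostic a practitioner would want while triaging the report above: per the Servlet API contract, HttpServletResponse.sendRedirect() throws IllegalStateException only when the response has already been committed, so the useful question is whether the replayed request reaches index.jsp with an already-committed response. The filter below is an added example, not code from the bug report, PicketLink or EAP; the class, package and log format are assumptions, and it only observes state (it does not change the redirect behaviour). Mapped to the protected JSP's URL pattern in web.xml, it logs the committed flag and status before and after the JSP runs, on both the first request and the replayed one.

```java
// Added example (hypothetical package and class name), not part of the bug
// report or of PicketLink/EAP. Servlet 3.0 API only, which matches the
// jboss-servlet-api_3.0_spec jar in the stack trace.
package com.example.diag;

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Logs whether the response is already committed when a request reaches the
 * protected JSP, and again after the JSP returns. A "committed=true" line in
 * the "before" phase on the replayed request is exactly the condition under
 * which sendRedirect() (and therefore <c:redirect>) must throw
 * IllegalStateException.
 */
public class CommittedResponseDiagFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(CommittedResponseDiagFilter.class.getName());

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The SP's SAML handling runs as a valve before the filter chain, so
        // the state seen here reflects whatever it did to the response
        // before the JSP gets a chance to redirect.
        LOG.info(describe("before-jsp", request, response));
        try {
            chain.doFilter(req, res);
        } finally {
            // Logged even if the JSP threw, so the failing request is paired
            // with its entry-state line in the server log.
            LOG.info(describe("after-jsp", request, response));
        }
    }

    /** One log line per phase: method, URI, committed flag, status, principal, and whether a SAMLResponse is present. */
    static String describe(String phase, HttpServletRequest request, HttpServletResponse response) {
        return phase
                + " " + request.getMethod()
                + " " + request.getRequestURI()
                + " committed=" + response.isCommitted()
                + " status=" + response.getStatus()
                + " remoteUser=" + request.getRemoteUser()
                + " hasSAMLResponse=" + (request.getParameter("SAMLResponse") != null);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it in employee.war's web.xml with a <filter-mapping> whose <url-pattern> covers /index.jsp (or /*), and include a <dispatcher>FORWARD</dispatcher> entry alongside REQUEST if the container reaches the JSP through a forward. Read the two lines for the request that produced JBWEB000236: if "before-jsp" already shows committed=true, the response was committed upstream of the JSP and any redirect the page attempts will fail regardless of its target; if it shows committed=false, the JSP itself (or something it includes) committed the response before <c:redirect> ran.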
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-725 to Resolved
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Bartosz Baranowski <bbaranow> updated the status of jira JBEAP-3803 to Closed
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Reopened
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Closed
Verified with EAP 6.4.8.CP.CR2.
Brad Maxwell <bmaxwell> updated the status of jira JBEAP-3803 to Reopened
Brad Maxwell <bmaxwell> updated the status of jira JBEAP-3803 to Closed
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Resolved
Jiri Pallich <jpallich> updated the status of jira JBEAP-3803 to Closed
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.