Bug 1282967 - [GSS] (6.4.z) PicketLink SP does not redirect back to original URL correctly
Summary: [GSS] (6.4.z) PicketLink SP does not redirect back to original URL correctly
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
Target Release: EAP 6.4.8
Assignee: Lin Gao
QA Contact: Ondrej Kotek
URL:
Whiteboard:
Depends On:
Blocks: 1282969 1261139 eap648-payload
Reported: 2015-11-17 22:38 UTC by dhorton
Modified: 2019-08-15 05:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1282969
Environment:
Last Closed: 2017-01-17 12:37:46 UTC
Type: Bug
Embargoed:


Attachments
BZ1282969.zip (268.09 KB, application/zip) 2015-11-20 19:46 UTC, dhorton
idp.war (163.48 KB, application/zip) 2015-11-20 19:50 UTC, dhorton
employee.war (215.22 KB, application/zip) 2015-11-20 19:51 UTC, dhorton


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-3803 0 Major Closed PicketLink SP does not redirect back to original URL correctly 2016-09-07 14:17:09 UTC
Red Hat Issue Tracker PLINK-725 0 Major Resolved PicketLink SP does not redirect back to original URL correctly 2016-09-07 14:17:09 UTC

Description dhorton 2015-11-17 22:38:21 UTC
Description of problem:

If a protected JSP page does a redirect and it's the originally requested URL, then after the IDP redirects the browser back to the SP and replays the original request, an IllegalStateException will be thrown when the JSP attempts the redirect (<c:redirect>):

16:25:52,903 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/employee].[jsp]] (http-/127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.lang.IllegalStateException
        at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:420) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.taglibs.standard.tag.common.core.RedirectSupport.doEndTag(RedirectSupport.java:152) [jboss-jstl-api_1.2_spec-1.0.6.Final-redhat-1.jar:1.0.6.Final-redhat-1]
        at org.apache.jsp.index_jsp._jspx_meth_c_005fredirect_005f0(index_jsp.java:89)
        at org.apache.jsp.index_jsp._jspService(index_jsp.java:62)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:365) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.4.Final-redhat-4.jar:7.5.4.Final-redhat-4]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]

How reproducible:

Modify the employee.war/index.jsp to perform a redirect:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

<!-- Redirects to handle post Cisco Login -->
<c:redirect url="/blah.html"/>

Steps to Reproduce:
1.  Create the idp and sp security-domains

                <security-domain name="idp" cache-type="default">
                    <authentication>
                        <login-module code="UsersRoles" flag="required">
                            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="sp" cache-type="default">
                    <authentication>
                        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="UsersRoles" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
                        </login-module>
                    </authentication>
                </security-domain>


2.  Deploy the idp.war and employee.war
3.  Hit http://localhost:8080/employee/

Actual results:

IllegalStateException

Expected results:

Browser should get redirected to http://localhost:8080/employee/blah.html

Additional info:
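The stack trace above ends in ResponseFacade.sendRedirect throwing IllegalStateException, which the Servlet API specifies for a response that has already been committed by the time the redirect is attempted. The following servlet is an added example, not part of this bug report, of the attached employee.war, or of PicketLink: it stands in for the <c:redirect> in index.jsp and guards the redirect with HttpServletResponse.isCommitted(), logging the replayed request URI instead of failing. The servlet name, its /landing mapping, and the /blah.html target are assumptions (the target matches the one used in the report).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical replacement for the <c:redirect> in employee.war/index.jsp.
 * Name and mapping are assumed; this is not code from the bug report or PicketLink.
 */
@WebServlet("/landing")
public class GuardedRedirectServlet extends HttpServlet {

    /** Assumed redirect target, matching the one used in the report. */
    static final String TARGET = "/blah.html";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!redirectIfUncommitted(req, resp)) {
            // Nothing more can be sent: the status and headers are already on the
            // wire. Logging the URI makes the replayed request visible in server.log
            // so operators can spot the SP replay condition instead of a stack trace.
            getServletContext().log("response already committed, skipping redirect for "
                    + req.getRequestURI());
        }
    }

    /**
     * Issues a 302 to TARGET unless the response is already committed.
     * HttpServletResponse.sendRedirect throws IllegalStateException on a committed
     * response, so the isCommitted() check must come first.
     *
     * @return true if the redirect was sent, false if the response was already committed
     */
    static boolean redirectIfUncommitted(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (resp.isCommitted()) {
            return false;
        }
        resp.sendRedirect(req.getContextPath() + TARGET);
        return true;
    }
}
```

The guard only prevents the exception on the application side; the user still does not reach /blah.html when the SP has already committed the replayed response, which is why the log line is useful for confirming that the SP replay, not the JSP, is the cause.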

Comment 1 dhorton 2015-11-20 19:46:40 UTC
Created attachment 1097290 [details]
BZ1282969.zip

Comment 2 dhorton 2015-11-20 19:50:43 UTC
Created attachment 1097293 [details]
idp.war

Comment 3 dhorton 2015-11-20 19:51:24 UTC
Created attachment 1097294 [details]
employee.war

Comment 6 JBoss JIRA Server 2015-12-16 21:51:16 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-725 to Resolved

Comment 9 Mike McCune 2016-03-28 22:55:34 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 11 JBoss JIRA Server 2016-04-11 12:47:41 UTC
Bartosz Baranowski <bbaranow> updated the status of jira JBEAP-3803 to Closed

Comment 13 JBoss JIRA Server 2016-04-11 13:22:52 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Reopened

Comment 14 JBoss JIRA Server 2016-04-11 13:24:18 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Closed

Comment 15 Jiří Bílek 2016-05-06 07:25:10 UTC
Verified with EAP 6.4.8.CP.CR2.

Comment 16 JBoss JIRA Server 2016-05-17 18:52:17 UTC
Brad Maxwell <bmaxwell> updated the status of jira JBEAP-3803 to Reopened

Comment 17 JBoss JIRA Server 2016-05-17 18:52:42 UTC
Brad Maxwell <bmaxwell> updated the status of jira JBEAP-3803 to Closed

Comment 18 JBoss JIRA Server 2016-05-25 15:14:15 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Reopened

Comment 19 JBoss JIRA Server 2016-05-25 15:14:42 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Resolved

Comment 20 JBoss JIRA Server 2016-08-23 11:37:14 UTC
Jiri Pallich <jpallich> updated the status of jira JBEAP-3803 to Closed

Comment 21 Petr Penicka 2017-01-17 12:37:46 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

