| Summary: | [GSS] (6.3.0) The NegotiationAuthenticator loses post data | |||
|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Derek Horton <dehort> | |
| Component: | Security | Assignee: | Derek Horton <dehort> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Josef Cacek <jcacek> | |
| Severity: | unspecified | Docs Contact: | Russell Dickenson <rdickens> | |
| Priority: | unspecified | |||
| Version: | 6.1.1 | CC: | dehort, hmlnarik, nchaudha, smumford, twells | |
| Target Milestone: | ER4 | |||
| Target Release: | EAP 6.3.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
In previous versions of JBoss EAP 6, it was found that the `NegotiationAuthenticator` would lose any SAMLRequest parameter if it was being used in conjunction with PicketLInk and HTTP_POST binding. This resulted in users remaining at the IDP landing page, even after successful authentication. The NegotiationAuthenticator has been patched in this release of the product and the issue no longer presents.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1085504 (view as bug list) | Environment: | ||
| Last Closed: | 2014-06-28 15:29:04 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 1085497, 1085504 | |||
|
Description
Derek Horton
2013-11-13 20:01:11 UTC
A hack that appears to work in my (very limited) testing:
Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java
===================================================================
--- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (revision 114558)
+++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (working copy)
@@ -88,11 +88,21 @@
boolean DEBUG = log.isDebugEnabled();
log.trace("Authenticating user");
+ System.out.println("*** request.getParameterMap(): "+request.getParameterMap());
+
Principal principal = request.getUserPrincipal();
if (principal != null)
{
if (log.isTraceEnabled())
log.trace("Already authenticated '" + principal.getName() + "'");
+
+ if( matchRequest(request) )
+ {
+ System.out.println("*** restoring request!");
+ Session session = request.getSessionInternal();
+ restoreRequest(request, session);
+ }
+
return true;
}
@@ -255,6 +265,10 @@
private void initiateNegotiation(final Request request, final HttpServletResponse response, final LoginConfig config)
throws IOException
{
+ System.out.println("*** saving request!");
+ Session session = request.getSessionInternal();
+ saveRequest(request, session);
+
String loginPage = config.getLoginPage();
if (loginPage != null)
{
@@ -264,8 +278,8 @@
try
{
- Session session = request.getSessionInternal();
- saveRequest(request, session);
+// Session session = request.getSessionInternal();
+// saveRequest(request, session);
disp.include(request.getRequest(), response);
response.setHeader("WWW-Authenticate", getNegotiateScheme());
Darran,
Can you review this patch and let me know what you think?
I cleaned this patch up a bit. Some of the changes above were not needed.
__This fix depends on bz-1030050__ Right now there is a hack (see FIXME below) in there that makes it work. We should be able to remove the hack once bz-1030050 is resolved.
$ svn diff
Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java
===================================================================
--- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (revision 114558)
+++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (working copy)
@@ -88,11 +88,26 @@
boolean DEBUG = log.isDebugEnabled();
log.trace("Authenticating user");
+ // FIXME: This needs to be here until bz-1030050 is resolved. Without this, it will not work.
+ request.getParameterMap();
+
Principal principal = request.getUserPrincipal();
if (principal != null)
{
if (log.isTraceEnabled())
log.trace("Already authenticated '" + principal.getName() + "'");
+
+ // Is this the re-submit of the original request URI after successful
+ // authentication? If so, forward the *original* request instead.
+ if( matchRequest(request) )
+ {
+ Session session = request.getSessionInternal(true);
+ log.trace("Restore request from session '"
+ + session.getIdInternal()
+ + "'");
+ restoreRequest(request, session);
+ }
+
return true;
}
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-815 to Resolved Original release note text for 6.3.0 GA: In previous versions of JBoss EAP 6, it was found that the `NegotiationAuthenticator` would lose any SAMLRequest parameter if it was being used in conjunction with PicketLInk and HTTP_POST binding. This resulted in users remaining at the IDP landing page, even after successful authentication. The NegotiationAuthenticator has been patched in this release of the product and the issue no longer presents. |