Bug 1116146

Summary: [GSS] (6.3.x) PicketLink AbstractIDPValve does not trigger the next valve in the pipeline
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: Security
Assignee: Peter Skopek <pskopek>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondrej Kotek <okotek>
Severity: urgent
Priority: unspecified
Version: 6.2.4
CC: bdawidow, bmaxwell, cdewolf, istudens, jawilson, myarboro, okotek, pskopek
Target Milestone: CR2
Keywords: Triaged
Target Release: EAP 6.3.2
Hardware: Unspecified
OS: Unspecified
Whiteboard: MustBeFixed
Doc Type: Known Issue
Clone Of:
: 1122717 (view as bug list) Environment:
Last Closed: 2019-08-19 12:39:55 UTC
Type: Bug
Bug Depends On: 1122717
Bug Blocks: 1123427, 1132166, 1153566

Description Derek Horton 2014-07-03 21:10:57 UTC
Description of problem:

PicketLink AbstractIDPValve does not trigger the next valve in the pipeline.  The invoke() method of the AbstractIDPValve does not call getNext().invoke(), which means that the pipeline processing will always terminate with the IDP valve.

You can see this by placing the AccessLogValve after the IDP valve in the WEB-INF/jboss-web.xml file.  The AccessLogValve will not get triggered.


Version-Release number of selected component (if applicable):


Steps to Reproduce:

Stack the ExtendedFormAuthenticator, IDPWebBrowserSSOValve and RequestDumperValve together.  The RequestDumperValve will not get called.

<jboss-web>
    <security-domain>SPNEGO</security-domain>
    <disable-audit>false</disable-audit>
    <context-root>idp</context-root>
    <valve>
        <class-name>org.jboss.as.web.security.ExtendedFormAuthenticator</class-name>
    </valve>
    <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
        <param>
            <param-name>passUserPrincipalToAttributeManager</param-name>
            <param-value>true</param-value>
        </param>
        <param>
            <param-name>characterEncoding</param-name>
            <param-value>UTF-8</param-value>
        </param>
    </valve>
    <valve>
        <class-name>org.apache.catalina.valves.RequestDumperValve</class-name>
    </valve>
</jboss-web>


Actual results:
The RequestDumperValve does not get called.


Expected results:
The RequestDumperValve should get called.


Additional info:

Comment 1 JBoss JIRA Server 2014-07-08 00:38:05 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-516 to Resolved

Comment 4 Derek Horton 2014-08-19 02:50:52 UTC
This fix needs to include PLINK-516 and PLINK-546.

The fix in PLINK-516 does not completely resolve the issue.  With only the PLINK-516 fix, the ClusteredSessionValve does not get invoked.  This breaks the clustered session replication functionality.

Comment 6 JBoss JIRA Server 2014-08-26 18:03:09 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-546 to Resolved

Comment 7 Ondrej Kotek 2014-10-16 07:29:59 UTC
Fix for PLINK-516 does not work for me. For JBoss EAP 6.3.2.CR1, with RequestDumperValve and ExtendedFormAuthenticator added, requests are dumped to log twice.

Commits in PicketLink 2.5.3.SP11-redhat-1 are in wrong order. PLINK-558 commit is the important one and should be placed as the last one. See BZ 1122717.

Comment 8 Ondrej Kotek 2014-10-16 08:34:20 UTC
To be precise: commits in PicketLink Bindings 2.5.3.SP11-redhat-1.

Comment 11 Peter Skopek 2014-10-20 11:45:11 UTC
Fixed in 2.5.3.SP12.

Comment 12 Ondrej Kotek 2014-10-24 14:11:14 UTC
Verified for EAP 6.3.2.CR2
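
Added example, not PicketLink or JBoss Web code: a simplified Java model of a valve pipeline that sends one request through a chain and reports every valve that did not see it exactly once. It covers the skipped valve from the description and a valve reached twice, the symptom reported in comment 7. The Valve classes and all names are hypothetical stand-ins, not the org.apache.catalina API, and the double hand-off is a constructed way to produce the duplicate, not the cause identified in this bug.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of a valve pipeline; hypothetical classes, not org.apache.catalina.
public class ValveChainCheck {
    static abstract class Valve {
        final String name;
        Valve next;   // set when the chain is assembled
        int hits;     // how many times this valve saw the request
        Valve(String name) { this.name = name; }
        final void invoke(String request) { hits++; handle(request); }
        abstract void handle(String request);
    }
    // Correct behaviour: exactly one hand-off to the next valve.
    static class ChainingValve extends Valve {
        ChainingValve(String name) { super(name); }
        void handle(String request) { if (next != null) next.invoke(request); }
    }
    // Behaviour in the description: returns without invoking the next valve.
    static class TerminatingValve extends Valve {
        TerminatingValve(String name) { super(name); }
        void handle(String request) { /* no hand-off */ }
    }
    // Constructed defect: hands off twice, so every later valve runs twice.
    static class DoubleChainingValve extends Valve {
        DoubleChainingValve(String name) { super(name); }
        void handle(String request) { if (next != null) { next.invoke(request); next.invoke(request); } }
    }
    // Sends one request through the chain and reports valves not hit exactly once.
    static List<String> audit(Valve... chain) {
        for (int i = 0; i < chain.length; i++) {
            chain[i].hits = 0;
            chain[i].next = (i + 1 < chain.length) ? chain[i + 1] : null;
        }
        chain[0].invoke("GET /idp/ (constructed request)");
        List<String> findings = new ArrayList<>();
        for (Valve v : chain) {
            if (v.hits == 0) findings.add(v.name + ": skipped");
            else if (v.hits > 1) findings.add(v.name + ": invoked " + v.hits + " times");
        }
        return findings;
    }
    public static void main(String[] args) {
        System.out.println(audit(new ChainingValve("authenticator"),
                new TerminatingValve("idp"), new ChainingValve("request-dumper")));
        System.out.println(audit(new ChainingValve("authenticator"),
                new DoubleChainingValve("idp"), new ChainingValve("request-dumper")));
    }
}
```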