Bug 1282967

Summary: [GSS] (6.4.z) PicketLink SP does not redirect back to original URL correctly
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: Security
Assignee: Lin Gao <lgao>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondrej Kotek <okotek>
Severity: unspecified
Priority: unspecified
Version: 6.4.4
CC: anmiller, bbaranow, bdawidow, bmaxwell, cdewolf, darran.lofthouse, jbilek, jtruhlar, lgao, okotek, pskopek
Target Milestone: CR1
Target Release: EAP 6.4.8
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Clones: 1282969
Last Closed: 2017-01-17 12:37:46 UTC
Type: Bug
Regression: ---
Bug Blocks: 1261139, 1279553, 1282969

Attachments (flags: none):
BZ1282969.zip
idp.war
employee.war

Description dhorton 2015-11-17 22:38:21 UTC
Description of problem:

If a protected JSP page does a redirect and it's the originally requested URL, then after the IDP redirects the browser back to the SP and replays the original request, an IllegalStateException will be thrown when the JSP attempts the redirect (<c:redirect>):

16:25:52,903 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/employee].[jsp]] (http-/127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.lang.IllegalStateException
        at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:420) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.taglibs.standard.tag.common.core.RedirectSupport.doEndTag(RedirectSupport.java:152) [jboss-jstl-api_1.2_spec-1.0.6.Final-redhat-1.jar:1.0.6.Final-redhat-1]
        at org.apache.jsp.index_jsp._jspx_meth_c_005fredirect_005f0(index_jsp.java:89)
        at org.apache.jsp.index_jsp._jspService(index_jsp.java:62)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:365) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.4.Final-redhat-4.jar:7.5.4.Final-redhat-4]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]

How reproducible:

Modify the employee.war/index.jsp to perform a redirect:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

<!-- Redirects to handle post Cisco Login -->
<c:redirect url="/blah.html"/>

Steps to Reproduce:
1.  Create the idp and sp security-domains

    <security-domain name="idp" cache-type="default">
        <authentication>
            <login-module code="UsersRoles" flag="required">
                <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
            </login-module>
        </authentication>
    </security-domain>
    <security-domain name="sp" cache-type="default">
        <authentication>
            <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required">
                <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="UsersRoles" flag="required">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
            </login-module>
        </authentication>
    </security-domain>


2.  Deploy the idp.war and employee.war
3.  Hit http://localhost:8080/employee/

Actual results:

IllegalStateException

Expected results:

Browser should get redirected to http://localhost:8080/employee/blah.html

Additional info:

Comment 1 dhorton 2015-11-20 19:46:40 UTC
Created attachment 1097290 [details]
BZ1282969.zip

Comment 2 dhorton 2015-11-20 19:50:43 UTC
Created attachment 1097293 [details]
idp.war

Comment 3 dhorton 2015-11-20 19:51:24 UTC
Created attachment 1097294 [details]
employee.war

Comment 6 JBoss JIRA Server 2015-12-16 21:51:16 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-725 to Resolved

Comment 9 Mike McCune 2016-03-28 22:55:34 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 11 JBoss JIRA Server 2016-04-11 12:47:41 UTC
Bartosz Baranowski <bbaranow> updated the status of jira JBEAP-3803 to Closed

Comment 13 JBoss JIRA Server 2016-04-11 13:22:52 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Reopened

Comment 14 JBoss JIRA Server 2016-04-11 13:24:18 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Closed

Comment 15 Jiří Bílek 2016-05-06 07:25:10 UTC
Verified with EAP 6.4.8.CP.CR2.

Comment 16 JBoss JIRA Server 2016-05-17 18:52:17 UTC
Brad Maxwell <bmaxwell> updated the status of jira JBEAP-3803 to Reopened

Comment 17 JBoss JIRA Server 2016-05-17 18:52:42 UTC
Brad Maxwell <bmaxwell> updated the status of jira JBEAP-3803 to Closed

Comment 18 JBoss JIRA Server 2016-05-25 15:14:15 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Reopened

Comment 19 JBoss JIRA Server 2016-05-25 15:14:42 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3803 to Resolved

Comment 20 JBoss JIRA Server 2016-08-23 11:37:14 UTC
Jiri Pallich <jpallich> updated the status of jira JBEAP-3803 to Closed

Comment 21 Petr Penicka 2017-01-17 12:37:46 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.