Bug 956782

Summary: An IDP "hosted" page using a CSS file will result in java.lang.IllegalStateException: getOutputStream() has already been called for this response
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Tom Fonteyne <tfonteyn>
Component: PicketLink
Assignee: Pedro Igor <psilva>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: high
Priority: unspecified
Version: 6.0.1
CC: asaldhan, bmaxwell, jcacek, myarboro
Target Milestone: ER6
Target Release: EAP 6.1.1
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-09-16 20:20:49 UTC
Type: Bug

Description Tom Fonteyne 2013-04-25 15:42:53 UTC
Get the quickstarts for PicketLink, deploy the idp.war sample and configure it and JBoss to use some security domain.

"hosted/index.jsp"

<head>
<link rel="StyleSheet" href="/idp/css/tom.css" type="text/css">
</head>
...

Access the IDP directly: http://server:port/idp/
Log in.
The CSS file is never delivered to the browser, and the JBoss log file gets the exception (see below).

Another variation is to have the CSS file in the same "hosted" directory:

<link rel="StyleSheet" href="tom.css" type="text/css">

same result

Specifically added "hosted/*" to web.xml as a "free access" directory

same result.

I found:

https://issues.jboss.org/browse/PLFED-282

which is the same exception although the setup is different.


16:28:27,371 ERROR [org.apache.catalina.connector.CoyoteAdapter] (http-orac.usersys.redhat.com/10.33.1.221:8080-2) An exception or error occurred in the container during the request processing: java.lang.IllegalStateException: getOutputStream() has already been called for this response
at org.apache.catalina.connector.Response.getWriter(Response.java:615) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:125) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:118) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.jasper.runtime.PageContextImpl.release(PageContextImpl.java:188) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.jasper.runtime.JspFactoryImpl.internalReleasePageContext(JspFactoryImpl.java:117) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.jasper.runtime.JspFactoryImpl.releasePageContext(JspFactoryImpl.java:76) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.jsp.hosted.index_jsp._jspService(index_jsp.java:71)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jbossweb-7.0.17.Final-redhat-1.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.1.Final-redhat-2.jar:1.0.1.Final-redhat-2]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:253) [jbossweb-7.0.17.Final-redhat-1.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.1.Final-redhat-2.jar:1.0.1.Final-redhat-2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:840) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:622) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:560) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:488) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:400) [picketlink-jbas7-2.1.3.1-redhat-1.jar:2.1.3.1-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.17.Final-redhat-1.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_43]

Comment 1 Anil Saldhana 2013-06-03 15:50:06 UTC
Is Engineering supposed to provide a patch? Why assignment to Pedro?

Comment 2 Tom Fonteyne 2013-06-03 15:59:31 UTC
@Anil

>Is Engineering supposed to provide a patch?
No - this is the BZ I'm required to open according to procedure.
We are required to open:

- JIRA for upstream
- BZ to indicate same bug, to be fixed in next EAP release

- BZ to get new version of component to be included in next EAP (I presume you or Pedro did this as Pedro confirmed in email it would go into 6.2)

Optional, and not done (yet) as I still need to check if the customer needs it backported:
- BZ for one-off, if needed, to be built by SEG (me)


See here for full details:

https://docspace.corp.redhat.com/docs/DOC-133944

If you can simplify this specifically for security issues, please do.

Comment 4 Josef Cacek 2013-08-19 12:50:08 UTC
Verified in EAP 6.1.1.ER6 (PL 2.1.6.3).