Bug 1030053 - [GSS] (6.3.0) The NegotiationAuthenticator loses post data
[GSS] (6.3.0) The NegotiationAuthenticator loses post data
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
6.1.1
: ER4
: EAP 6.3.0
Assigned To: Derek Horton
Josef Cacek
Russell Dickenson
Depends On:
Blocks: 1085497 1085504
Reported: 2013-11-13 15:01 EST by Derek Horton
Modified: 2014-06-28 11:29 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, it was found that the `NegotiationAuthenticator` would lose any SAMLRequest parameter when it was used in conjunction with PicketLink and the HTTP-POST binding. This resulted in users remaining at the IDP landing page even after successful authentication. The NegotiationAuthenticator has been patched in this release of the product and the issue no longer occurs.
Story Points: ---
Clone Of:
: 1085504
Environment:
Last Closed: 2014-06-28 11:29:04 EDT
Type: Bug
Regression: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker SECURITY-815 Major Resolved NegotiationAuthenticator loses post data 2016-01-06 11:49 EST

Description Derek Horton 2013-11-13 15:01:11 EST
Description of problem:

The NegotiationAuthenticator loses post data.

A customer is attempting to use Negotiation along with PicketLink at the IDP.  This works fine as long as the SP is using HTTP-Redirect SAML binding.

If the SP is using HTTP-Redirect, then this issue is avoided as the SAMLRequest is passed along through the redirects on the URL. 

If the HTTP-POST binding is used, then the NegotiationAuthenticator will lose the SAMLRequest post parameter.  This means that after a user is successfully authenticated, the IDP will not know where to redirect the user to.  As a result, the user will be left at the IDP index.html page.
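The flow described above, as an added example that is not code from this bug or from jboss-negotiation: a simplified Python model of the save/match/restore-request pattern the later patch borrows from FormAuthenticator, run once without and once with the restore step. The `/idp/` URI, the SAMLRequest value and all function names are constructed for the model; the authenticated revisit is modelled as a bodiless GET.

```python
from dataclasses import dataclass, field
from typing import Optional
import base64

# Constructed stand-in for what the SP's form posts under the HTTP-POST binding.
SAML_REQUEST = base64.b64encode(b"<samlp:AuthnRequest .../>").decode()

@dataclass
class Request:
    method: str
    uri: str
    params: dict = field(default_factory=dict)
    authenticated: bool = False  # a principal is already established

@dataclass
class Session:
    saved: Optional[Request] = None  # the single saved request, consumed on restore

def save_request(session: Session, request: Request) -> None:
    # Keep method, URI and parsed parameters (the POST body) for later replay.
    session.saved = Request(request.method, request.uri, dict(request.params))

def match_request(session: Session, request: Request) -> bool:
    # Only a revisit of the *same* URI within the same session qualifies.
    return session.saved is not None and session.saved.uri == request.uri

def restore_request(session: Session, request: Request) -> bool:
    saved, session.saved = session.saved, None  # one-shot: never replayed twice
    if saved is None:
        return False
    request.method, request.params = saved.method, dict(saved.params)
    return True

def authenticate(session: Session, request: Request, restore_fix: bool):
    """Return the request the IdP web app sees, or None when a 401 challenge goes out."""
    if request.authenticated:
        if restore_fix and match_request(session, request):
            restore_request(session, request)
        return request
    save_request(session, request)  # the hook the patch adds to initiateNegotiation
    return None  # 401 WWW-Authenticate: Negotiate

def idp_round_trip(restore_fix: bool) -> bool:
    """True if the SAMLRequest posted before the challenge reaches the IdP app."""
    session = Session()
    first = Request("POST", "/idp/", {"SAMLRequest": SAML_REQUEST})
    if authenticate(session, first, restore_fix) is not None:
        raise AssertionError("expected a Negotiate challenge on the first request")
    # Modelled simplification: once authenticated the browser revisits the URI
    # without the form body, so the SAMLRequest is gone unless restored.
    second = Request("GET", "/idp/", authenticated=True)
    seen = authenticate(session, second, restore_fix)
    return seen.method == "POST" and seen.params.get("SAMLRequest") == SAML_REQUEST
```

Without the restore step the IdP application sees a bare GET and has no SAMLRequest to act on, which is the "left at index.html" symptom; with it, the original POST is replayed exactly once.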
Comment 1 Derek Horton 2013-11-13 15:03:26 EST
A hack that appears to work in my (very limited) testing:


Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java
===================================================================
--- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java	(revision 114558)
+++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java	(working copy)
@@ -88,11 +88,21 @@
       boolean DEBUG = log.isDebugEnabled();
       log.trace("Authenticating user");
 
+      System.out.println("*** request.getParameterMap(): "+request.getParameterMap());
+
       Principal principal = request.getUserPrincipal();
       if (principal != null)
       {
          if (log.isTraceEnabled())
             log.trace("Already authenticated '" + principal.getName() + "'");
+
+         if( matchRequest(request) )
+         {
+         System.out.println("*** restoring request!");
+         Session session = request.getSessionInternal();
+         restoreRequest(request, session);
+         }
+
          return true;
       }
 
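Review bot: the two `System.out.println` calls in this hunk bypass the class's logger, and `"*** request.getParameterMap(): " + request.getParameterMap()` dumps every request parameter to stdout on every authentication attempt, which in a login flow can include the SAMLRequest or credentials; replace them with `log.trace(...)` guarded by the existing `log.isTraceEnabled()` check, or drop them before this goes further. The outcome of `restoreRequest(request, session)` is also neither checked nor traced, so a matched request whose saved copy could not be restored is returned as `true` with the current bodiless request, which is exactly the data loss this patch is meant to fix; at least trace that branch.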
@@ -255,6 +265,10 @@
    private void initiateNegotiation(final Request request, final HttpServletResponse response, final LoginConfig config)
          throws IOException
    {
+      System.out.println("*** saving request!");
+      Session session = request.getSessionInternal();
+      saveRequest(request, session);
+
       String loginPage = config.getLoginPage();
       if (loginPage != null)
       {
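Review bot: moving `saveRequest(request, session)` to the top of `initiateNegotiation` makes it unconditional, so every request reaching this point now has a session created by `request.getSessionInternal()` (if none exists yet) and its body buffered before the `WWW-Authenticate: Negotiate` challenge is sent, including when `config.getLoginPage()` returns null; that is per-request session state held for unauthenticated clients, so either limit the save to the case a later `matchRequest` can actually use or document why the cost is acceptable. `System.out.println("*** saving request!")` should be a `log.trace` call like the rest of the class.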
@@ -264,8 +278,8 @@
 
          try
          {
-            Session session = request.getSessionInternal();
-            saveRequest(request, session);
+//            Session session = request.getSessionInternal();
+//            saveRequest(request, session);
 
             disp.include(request.getRequest(), response);
             response.setHeader("WWW-Authenticate", getNegotiateScheme());
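Review bot: the old save point is commented out rather than removed (`//            Session session = request.getSessionInternal();` / `//            saveRequest(request, session);`); dead code under version control only confuses the next reader, so delete the two lines outright and state in the commit message that the save moved to the start of `initiateNegotiation`.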
Comment 2 Derek Horton 2013-12-12 12:24:30 EST
Darran,

Can you review this patch and let me know what you think?

I cleaned this patch up a bit.  Some of the changes above were not needed.  

__This fix depends on bz-1030050__  Right now there is a hack (see FIXME below) in there that makes it work.  We should be able to remove the hack once bz-1030050 is resolved.

$ svn diff
Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java
===================================================================
--- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (revision 114558)
+++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (working copy)
@@ -88,11 +88,26 @@
       boolean DEBUG = log.isDebugEnabled();
       log.trace("Authenticating user");
 
+      // FIXME:  This needs to be here until bz-1030050 is resolved.  Without this, it will not work.
+      request.getParameterMap();
+
       Principal principal = request.getUserPrincipal();
       if (principal != null)
       {
          if (log.isTraceEnabled())
             log.trace("Already authenticated '" + principal.getName() + "'");
+
+         // Is this the re-submit of the original request URI after successful
+         // authentication?  If so, forward the *original* request instead.
+         if( matchRequest(request) )
+         {
+            Session session = request.getSessionInternal(true);
+            log.trace("Restore request from session '"
+                       + session.getIdInternal()
+                       + "'");
+            restoreRequest(request, session);
+         }
+
          return true;
       }
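Review bot: the bare `request.getParameterMap();` with its result discarded reads as a no-op to anyone who does not know it is there for its side effect of forcing the request parameters (and so the POST body) to be parsed before they are saved; the FIXME should say that, not only that "it will not work" without it, and should name what bz-1030050 changes so the line can be removed safely later. As in the first version, `restoreRequest(request, session)` is called without checking or tracing the outcome, so a request that passed `matchRequest` but could not be restored is passed through silently as a bodiless GET; log that case next to the "Restore request from session" trace.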
Comment 3 JBoss JIRA Server 2014-04-08 08:22:52 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira SECURITY-815 to Resolved
Comment 4 Derek Horton 2014-04-16 16:30:09 EDT
PR
https://github.com/wildfly/jboss-negotiation/pull/3
Comment 8 Nidhi 2014-05-15 01:04:06 EDT
Original release note text for 6.3.0 GA:

In previous versions of JBoss EAP 6, it was found that the `NegotiationAuthenticator` would lose any SAMLRequest parameter if it was being used in conjunction with PicketLink and HTTP-POST binding. This resulted in users remaining at the IDP landing page, even after successful authentication. The NegotiationAuthenticator has been patched in this release of the product and the issue no longer presents.
