Description of problem: The NegotiationAuthenticator loses post data. A customer is attempting to use Negotiation along with PicketLink at the IDP. This works fine as long as the SP is using HTTP-Redirect SAML binding. If the SP is using HTTP-Redirect, then this issue is avoided as the SAMLRequest is passed along through the redirects on the URL. If the HTTP-POST binding is used, then the NegotiationAuthenticator will lose the SAMLRequest post parameter. This means that after a user is successfully authenticated, the IDP will not know where to redirect the user to. As a result, the user will be left at the IDP index.html page.
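The description above comes down to where the AuthnRequest travels: under HTTP-Redirect it rides in the query string, which the browser re-sends after the 401 Negotiate challenge, while under HTTP-POST it rides in the body, which is gone by the time the authenticated request reaches the IDP unless the authenticator saved it. The following Python model, added here and not jboss-negotiation or PicketLink code, encodes a constructed AuthnRequest with both bindings and drives it through a stand-in IDP with and without the save/restore step; the `NegotiateIdp` class and its assumption that the forwarded request keeps only URL and query string are simplifications for illustration.

```python
"""Model: an HTTP-POST SAMLRequest is lost across a Negotiate challenge
unless the authenticator saves and restores the original request."""
import base64
import zlib
from urllib.parse import urlencode, parse_qs

# Constructed AuthnRequest; a real one carries more attributes and a signature.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" '
    'AssertionConsumerServiceURL="https://sp.example/acs"/>'
)


def redirect_binding(xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encoded query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    data = comp.compress(xml.encode()) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(data).decode()})


def post_binding(xml):
    """HTTP-POST binding: base64 XML as a form field in the request body."""
    return {"SAMLRequest": base64.b64encode(xml.encode()).decode()}


def decode_redirect(query):
    b64 = parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def decode_post(form):
    return base64.b64decode(form["SAMLRequest"]).decode()


class NegotiateIdp:
    """Stand-in for an IDP fronted by a Negotiate authenticator (hypothetical).

    handle() returns ("challenge", None) for an unauthenticated request and
    ("ok", saml_xml_or_None) once the browser re-submits with credentials.
    Modelling assumption: after the challenge round trip the container hands the
    resource only the URL and query string; the POST body is gone unless saved.
    """

    def __init__(self, save_and_restore):
        self.save_and_restore = save_and_restore
        self.session = {}

    def handle(self, method, query="", form=None, authorization=None):
        if authorization is None:
            # Counterpart of saveRequest(): keep the original POST for later.
            if self.save_and_restore and method == "POST":
                self.session["saved"] = {"query": query, "form": dict(form or {})}
            return ("challenge", None)  # 401, WWW-Authenticate: Negotiate
        # Authenticated re-submission: only the query string is still available.
        if "SAMLRequest" in parse_qs(query):
            return ("ok", decode_redirect(query))
        saved = self.session.pop("saved", None) if self.save_and_restore else None
        if saved and "SAMLRequest" in saved["form"]:
            return ("ok", decode_post(saved["form"]))  # counterpart of restoreRequest()
        return ("ok", None)  # no AuthnRequest: user is left on the IDP index page


def run_flow(binding, save_and_restore):
    """SP -> IDP -> challenge -> re-submit; return the AuthnRequest the IDP sees."""
    idp = NegotiateIdp(save_and_restore)
    if binding == "redirect":
        method, query, form = "GET", redirect_binding(AUTHN_REQUEST), None
    else:
        method, query, form = "POST", "", post_binding(AUTHN_REQUEST)
    status, _ = idp.handle(method, query, form)
    assert status == "challenge"
    # The browser retries with a Negotiate token; the form body is not forwarded.
    _, xml = idp.handle(method, query, None, authorization="Negotiate <token>")
    return xml


if __name__ == "__main__":
    print("redirect, no save/restore:", run_flow("redirect", False) is not None)
    print("post, no save/restore:    ", run_flow("post", False) is not None)
    print("post, save/restore:       ", run_flow("post", True) is not None)
```

Running it shows the three outcomes the report describes: the redirect binding survives on its own, the POST binding loses the SAMLRequest, and saving the request before the challenge and restoring it afterwards (the approach the patch below takes) brings it back.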
A hack that appears to work in my (very limited) testing: Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java =================================================================== --- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (revision 114558) +++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (working copy) @@ -88,11 +88,21 @@ boolean DEBUG = log.isDebugEnabled(); log.trace("Authenticating user"); + System.out.println("*** request.getParameterMap(): "+request.getParameterMap()); + Principal principal = request.getUserPrincipal(); if (principal != null) { if (log.isTraceEnabled()) log.trace("Already authenticated '" + principal.getName() + "'"); + + if( matchRequest(request) ) + { + System.out.println("*** restoring request!"); + Session session = request.getSessionInternal(); + restoreRequest(request, session); + } + return true; } @@ -255,6 +265,10 @@ private void initiateNegotiation(final Request request, final HttpServletResponse response, final LoginConfig config) throws IOException { + System.out.println("*** saving request!"); + Session session = request.getSessionInternal(); + saveRequest(request, session); + String loginPage = config.getLoginPage(); if (loginPage != null) { @@ -264,8 +278,8 @@ try { - Session session = request.getSessionInternal(); - saveRequest(request, session); +// Session session = request.getSessionInternal(); +// saveRequest(request, session); disp.include(request.getRequest(), response); response.setHeader("WWW-Authenticate", getNegotiateScheme());
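Review bot: in the first hunk (`@@ -88,11 +88,21 @@`), `System.out.println("*** request.getParameterMap(): "+request.getParameterMap())` writes every request parameter, the SAMLRequest included, to stdout on each authentication; drop it or turn it into a `log.trace(...)` guarded by `log.isTraceEnabled()` like the trace two lines below, and do the same for `System.out.println("*** restoring request!")`. The restore branch also uses the no-argument `request.getSessionInternal()`; pass the create flag explicitly so a reader can tell whether creating a session at this point is intended.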
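Review bot: in the `initiateNegotiation` hunk (`@@ -255,6 +265,10 @@`), `saveRequest(request, session)` now runs on every negotiation start rather than only when a login page is configured, which is the point of the change, but it deserves a comment saying so; `System.out.println("*** saving request!")` should go, and the unconditional `request.getSessionInternal()` means session state is created for every unauthenticated hit, which is worth stating next to the call.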
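Review bot: in the last hunk (`@@ -264,8 +278,8 @@`), the two `saveRequest` lines are commented out with `//` rather than deleted; remove them outright so the dead code does not linger once the save has moved to the top of `initiateNegotiation`.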
Darran, Can you review this patch and let me know what you think? I cleaned this patch up a bit. Some of the changes above were not needed. __This fix depends on bz-1030050__ Right now there is a hack (see FIXME below) in there that makes it work. We should be able to remove the hack once bz-1030050 is resolved. $ svn diff Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java =================================================================== --- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (revision 114558) +++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (working copy) @@ -88,11 +88,26 @@ boolean DEBUG = log.isDebugEnabled(); log.trace("Authenticating user"); + // FIXME: This needs to be here until bz-1030050 is resolved. Without this, it will not work. + request.getParameterMap(); + Principal principal = request.getUserPrincipal(); if (principal != null) { if (log.isTraceEnabled()) log.trace("Already authenticated '" + principal.getName() + "'"); + + // Is this the re-submit of the original request URI after successful + // authentication? If so, forward the *original* request instead. + if( matchRequest(request) ) + { + Session session = request.getSessionInternal(true); + log.trace("Restore request from session '" + + session.getIdInternal() + + "'"); + restoreRequest(request, session); + } + return true; }
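Review bot: the FIXME line `request.getParameterMap();` discards its return value, so to a later reader it looks like a no-op and an obvious cleanup target; extend the comment to name the side effect the call is kept for and not only the bug number, so the line survives until bz-1030050 is actually resolved. Also, the new `log.trace("Restore request from session '" + session.getIdInternal() + "'")` builds its string unguarded while the trace a few lines earlier is wrapped in `if (log.isTraceEnabled())`; guard it the same way.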
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-815 to Resolved
PR https://github.com/wildfly/jboss-negotiation/pull/3
Original release note text for 6.3.0 GA: In previous versions of JBoss EAP 6, it was found that the `NegotiationAuthenticator` would lose any SAMLRequest parameter if it was being used in conjunction with PicketLink and HTTP-POST binding. This resulted in users remaining at the IDP landing page, even after successful authentication. The NegotiationAuthenticator has been patched in this release of the product and the issue no longer presents.