Bug 1075985 - [RFE] EAP6-88 - Wrong behavior of Domain Chooser in SP in PicketLink after wrong or unrealized authentication on IDP
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ER6
Target Release: EAP 6.3.0
Assignee: Anil Saldhana
QA Contact: Josef Cacek
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Depends On: 1085522 1102237
Blocks:
Reported: 2014-03-13 10:27 UTC by Ondrej Lukas
Modified: 2014-06-28 15:31 UTC (History)
CC: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-06-28 15:31:23 UTC
Type: Bug
Embargoed:


Attachments
accountchooser (26.62 KB, application/zip)
2014-03-13 10:27 UTC, Ondrej Lukas
idp1 (160.11 KB, application/zip)
2014-03-13 10:28 UTC, Ondrej Lukas

Description Ondrej Lukas 2014-03-13 10:27:53 UTC
Created attachment 873905
accountchooser

When you choose an IDP in the SP's Domain Chooser, it redirects you to that IDP, which asks you for authentication. If you authenticate with wrong credentials or do not complete the authentication and hit the SP again, it shows you the domain chooser again (maybe the IDP should be chosen according to the set cookie - it depends on when the cookie should be set), and if you choose any of the IDPs (the same or a different one) from the domain chooser, it doesn't redirect you to the chosen IDP (according to idpmap.properties) but tries to redirect you to the IDP defined in the <IdentityURL> attribute of picketlink.xml.

Steps to reproduce:
1) Start a standalone server and add the needed security domains via CLI commands:
/subsystem=security/security-domain=idp:add(cache-type=default)
/subsystem=security/security-domain=idp/authentication=classic:add
/subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"users.properties"), ("rolesProperties"=>"roles.properties")])

/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)

2) Deploy accountchooser.war and idp1.war

3) Open a browser, hit http://localhost:8080/accountchooser/ and choose DomainA. Try to authenticate with wrong credentials, or don't do anything with the authentication. Hit http://localhost:8080/accountchooser/ again and choose DomainA again. It tries to redirect you to http://localhost:8080/neverShowThis/ instead of the chosen IDP.
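
The following is an added illustration, not code from PicketLink or from the attached accountchooser.war: it models the SP's IdP selection as a small state machine so the reported sequence (choose DomainA, abandon or fail the IdP login, come back and choose DomainA again) can be replayed as a regression check. The idpmap.properties content, the DomainA -> /idp1/ mapping, the chooser URL and the internal "pending request" cause of the misrouting are all assumptions made for the model; only the <IdentityURL> value http://localhost:8080/neverShowThis/ is taken from the report.

```python
"""Model of the Domain Chooser symptom described in this bug.

Added illustration, not PicketLink code. The defect is modelled as: once the
SP has issued a request to an IdP and no response came back (wrong password,
or the user simply walked away), the next visit ignores the chooser and falls
back to the statically configured <IdentityURL>.
"""

# Constructed idpmap.properties; the domain -> IdP URL pairs are assumptions.
IDPMAP_PROPERTIES = """
# domain = IdP URL
DomainA=http://localhost:8080/idp1/
DomainB=http://localhost:8080/idp2/
"""

# Taken from the report: the <IdentityURL> in picketlink.xml.
IDENTITY_URL = "http://localhost:8080/neverShowThis/"

# Hypothetical URL of the chooser page itself.
CHOOSER_URL = "http://localhost:8080/accountchooser/chooser"


def parse_idpmap(text):
    """Parse a java .properties-style domain->URL map; comments and blanks skipped."""
    idpmap = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        idpmap[key.strip()] = value.strip()
    return idpmap


class ServiceProvider:
    """One SP session. buggy=True reproduces the reported behaviour, False the expected one."""

    def __init__(self, idpmap, identity_url, buggy):
        self.idpmap = idpmap
        self.identity_url = identity_url
        self.buggy = buggy
        self.chosen_domain = None   # what the chooser recorded for this session
        self.pending_idp = None     # IdP we sent the user to and never heard back from

    def request(self, chosen_domain=None):
        """Handle one browser hit and return the URL the SP redirects to."""
        if chosen_domain is not None:
            self.chosen_domain = chosen_domain
        if self.buggy and self.pending_idp is not None:
            # Modelled defect: an outstanding IdP round trip short-circuits the
            # chooser and the SP redirects to the static IdentityURL instead.
            return self.identity_url
        if self.chosen_domain is None:
            return CHOOSER_URL            # nothing chosen yet: show the chooser
        idp = self.idpmap.get(self.chosen_domain)
        if idp is None:
            return CHOOSER_URL            # unknown domain: back to the chooser, never IdentityURL
        self.pending_idp = idp            # expected behaviour: resolve from the choice every time
        return idp


def reproduce(sp):
    """Replay the report's steps and return where the final request is redirected."""
    sp.request()                  # hit /accountchooser/: chooser shown
    sp.request("DomainA")         # choose DomainA: sent to its IdP
    # wrong credentials or no login at all: no SAML response ever reaches the SP
    sp.request()                  # hit /accountchooser/ again
    return sp.request("DomainA")  # choose DomainA again


def expected_target(idpmap, domain):
    """Where a correctly behaving SP must send the user for a chosen domain."""
    return idpmap[domain]


if __name__ == "__main__":
    idpmap = parse_idpmap(IDPMAP_PROPERTIES)
    for buggy in (True, False):
        target = reproduce(ServiceProvider(idpmap, IDENTITY_URL, buggy=buggy))
        print("buggy" if buggy else "fixed", "->", target)
```

The check a verifier wants is the last line of reproduce(): after an abandoned login the SP must still honour the chooser's selection, so the only acceptable redirect is the idpmap.properties entry for DomainA, never the IdentityURL fallback, which would send the user's credentials to an IdP they did not pick.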

Comment 1 Ondrej Lukas 2014-03-13 10:28:22 UTC
Created attachment 873906
idp1

Comment 8 Ondrej Lukas 2014-04-23 06:12:52 UTC
Unfortunately verification failed. This fix successfully repairs direct access to the chosen link after wrong or unrealized authentication on the IDP, but there is still the same issue if you hit http://localhost:8080/accountchooser/.

Steps to reproduce:
1) hit http://localhost:8080/accountchooser/ and choose DomainA
2) do nothing on redirected IDP
3) hit http://localhost:8080/accountchooser/ again and reload the page by pressing F5 (because some browsers use the cache) - http://localhost:8080/neverShowThis/ is shown

Comment 16 Peter Skopek 2014-05-28 15:30:52 UTC
PR: https://github.com/jbossas/jboss-eap/pull/1378

Comment 17 Ondrej Lukas 2014-06-12 12:14:02 UTC
Verified in EAP 6.3.0.ER7.

