Bug 1085504 - [GSS] (6.2.x) The NegotiationAuthenticator loses post data
Summary: [GSS] (6.2.x) The NegotiationAuthenticator loses post data
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: CR2
Target Release: EAP 6.2.3
Assignee: Derek Horton
QA Contact: Josef Cacek
Docs Contact: Lucas Costi
URL:
Whiteboard:
Depends On: 1030053
Blocks: eap62-cp03-blockers 1085506
Reported: 2014-04-08 18:37 UTC by Derek Horton
Modified: 2018-12-05 18:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When using negotiation with PicketLink, if the Service Provider (SP) was using HTTP-POST binding, then the `NegotiationAuthenticator` would lose the SAMLRequest POST parameter. This meant that after a user was successfully authenticated, the Identity Provider (IDP) would not know where to redirect the user. As a result, the user would be left at the IDP index page. This issue was fixed by altering the `NegotiationAuthenticator` to check whether the current request is a re-submission of the original request URI and, if so, to forward the original request instead. As a result, using HTTP-POST binding together with negotiation should redirect the user successfully after authentication.
Clone Of: 1030053
Environment:
Last Closed: 2014-06-09 12:46:53 UTC
Type: Bug
Embargoed:




Links
System: Red Hat Issue Tracker | ID: SECURITY-815 | Private: 0 | Priority: Major | Status: Resolved | Summary: NegotiationAuthenticator loses post data | Last Updated: 2015-10-02 13:06:00 UTC

Description Derek Horton 2014-04-08 18:37:52 UTC
+++ This bug was initially created as a clone of Bug #1030053 +++

Description of problem:

The NegotiationAuthenticator loses post data.

A customer is attempting to use Negotiation along with PicketLink at the IDP.  This works fine as long as the SP is using HTTP-Redirect SAML binding.

If the SP is using HTTP-Redirect, then this issue is avoided as the SAMLRequest is passed along through the redirects on the URL. 

If the HTTP-POST binding is used, then the NegotiationAuthenticator will lose the SAMLRequest post parameter.  This means that after a user is successfully authenticated, the IDP will not know where to redirect the user to.  As a result, the user will be left at the IDP index.html page.

--- Additional comment from Derek Horton on 2013-11-13 15:03:26 EST ---

A hack that appears to work in my (very limited) testing:


Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java
===================================================================
--- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java	(revision 114558)
+++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java	(working copy)
@@ -88,11 +88,21 @@
       boolean DEBUG = log.isDebugEnabled();
       log.trace("Authenticating user");
 
+      System.out.println("*** request.getParameterMap(): "+request.getParameterMap());
+
       Principal principal = request.getUserPrincipal();
       if (principal != null)
       {
          if (log.isTraceEnabled())
             log.trace("Already authenticated '" + principal.getName() + "'");
+
+         if( matchRequest(request) )
+         {
+         System.out.println("*** restoring request!");
+         Session session = request.getSessionInternal();
+         restoreRequest(request, session);
+         }
+
          return true;
       }
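Review bot: the two `System.out.println` calls added in this hunk (`"*** request.getParameterMap(): "` and `"*** restoring request!"`) bypass the `log` object the surrounding lines use and write to stdout unconditionally; use `log.trace` guarded by `isTraceEnabled()` as the existing code does. The first of them is not a pure diagnostic either: the cleaned-up patch in the next comment keeps `request.getParameterMap()` as a FIXME that the fix will not work without, so the call is load-bearing and should be a stand-alone statement with a comment explaining the side effect it is relied on for, not a print argument. The `if( matchRequest(request) )` branch also ignores the boolean returned by `restoreRequest(request, session)`; when the saved request cannot be restored the method still returns `true` with the request unchanged, so the result should be checked and the failure handled. The body of that `if` block is indented at the same level as the `if` rather than one level deeper.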
 
@@ -255,6 +265,10 @@
    private void initiateNegotiation(final Request request, final HttpServletResponse response, final LoginConfig config)
          throws IOException
    {
+      System.out.println("*** saving request!");
+      Session session = request.getSessionInternal();
+      saveRequest(request, session);
+
       String loginPage = config.getLoginPage();
       if (loginPage != null)
       {
@@ -264,8 +278,8 @@
 
          try
          {
-            Session session = request.getSessionInternal();
-            saveRequest(request, session);
+//            Session session = request.getSessionInternal();
+//            saveRequest(request, session);
 
             disp.include(request.getRequest(), response);
             response.setHeader("WWW-Authenticate", getNegotiateScheme());
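Review bot: the two lines `//            Session session = request.getSessionInternal();` and `//            saveRequest(request, session);` are commented out rather than deleted; remove them, since version control keeps the history and dead code here invites someone to uncomment it and save the request twice. With the save moved to the start of the method, the `try` block no longer saves the request immediately before `disp.include(request.getRequest(), response)`, so anything that depended on that ordering should be re-checked.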

--- Additional comment from Derek Horton on 2013-12-12 12:24:30 EST ---

Darran,

Can you review this patch and let me know what you think?

I cleaned this patch up a bit.  Some of the changes above were not needed.  

__This fix depends on bz-1030050__  Right now there is a hack (see FIXME below) in there that makes it work.  We should be able to remove the hack once bz-1030050 is resolved.

$ svn diff
Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java
===================================================================
--- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (revision 114558)
+++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (working copy)
@@ -88,11 +88,26 @@
       boolean DEBUG = log.isDebugEnabled();
       log.trace("Authenticating user");
 
+      // FIXME:  This needs to be here until bz-1030050 is resolved.  Without this, it will not work.
+      request.getParameterMap();
+
       Principal principal = request.getUserPrincipal();
       if (principal != null)
       {
          if (log.isTraceEnabled())
             log.trace("Already authenticated '" + principal.getName() + "'");
+
+         // Is this the re-submit of the original request URI after successful
+         // authentication?  If so, forward the *original* request instead.
+         if( matchRequest(request) )
+         {
+            Session session = request.getSessionInternal(true);
+            log.trace("Restore request from session '"
+                       + session.getIdInternal()
+                       + "'");
+            restoreRequest(request, session);
+         }
+
          return true;
       }
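Review bot: the FIXME statement `request.getParameterMap();` discards its return value and exists only for its side effect, but the comment says only that it is needed until bz-1030050 is resolved, not what it does; state the side effect being relied on (presumably forcing the request parameters, POST body included, to be parsed before the request is matched and restored) so the line is not removed later as a no-op. `restoreRequest(request, session)` still returns a boolean that is ignored; when the restore fails the method returns `true` with an unrestored request, so check the result. `request.getSessionInternal(true)` would create a session if none existed, but at that point `matchRequest(request)` has already returned true, which requires an existing session holding a saved request, so `getSessionInternal(false)` makes that assumption explicit. The `log.trace("Restore request from session '" + ...)` concatenation is not guarded by `isTraceEnabled()` unlike the trace call a few lines above; minor.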

--- Additional comment from JBoss JIRA Server on 2014-04-08 08:22:52 EDT ---

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-815 to Resolved
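As an added illustration of the failure the description above reports and of the save-then-restore approach the patches take, the following Python model is not code from jboss-negotiation, PicketLink or this bug's patches. It models the round trip at the IDP as the report describes it: with HTTP-Redirect binding the SAMLRequest survives the Negotiate challenge because it is in the query string, whereas with HTTP-POST binding the request that follows the challenge no longer carries the form body, so the IDP cannot tell where to send the user. The session key, URIs and SAMLRequest value are constructed placeholders.

```python
"""Model of the SAML HTTP-POST vs HTTP-Redirect round trip through a
Negotiate (SPNEGO) authenticator at the IDP.  Added illustration for this
report; not code from jboss-negotiation or PicketLink.  The browser
behaviour modelled (the request after the 401 challenge lacks the form
body) is a simplification of what the report describes."""
from dataclasses import dataclass
from typing import Dict, Optional

SAVED_REQUEST = "negotiation.saved_request"   # constructed session key


@dataclass
class Request:
    method: str
    uri: str
    params: Dict[str, str]        # form fields (POST) or query string (GET)
    authenticated: bool           # True once the Negotiate token was accepted
    session: Dict[str, object]


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # Location header of a 302, if any


class NegotiationAuthenticator:
    """Challenge unauthenticated requests; optionally replay the saved one."""

    def __init__(self, restore_saved_request: bool) -> None:
        self.restore = restore_saved_request

    def authenticate(self, request: Request) -> bool:
        if request.authenticated:
            saved = request.session.get(SAVED_REQUEST)
            # Fixed behaviour: this is the re-submission of the URI that was
            # challenged, so put the original method and parameters back.
            if self.restore and saved is not None and saved["uri"] == request.uri:
                request.method = saved["method"]
                request.params = dict(saved["params"])
                del request.session[SAVED_REQUEST]
            return True
        # Save the original request (POST fields included) before the
        # 401 WWW-Authenticate: Negotiate challenge is sent.
        request.session[SAVED_REQUEST] = {
            "method": request.method,
            "uri": request.uri,
            "params": dict(request.params),
        }
        return False


def idp_sso(request: Request) -> Response:
    """IDP SSO endpoint: needs SAMLRequest to know where to send the user
    back; without it the user is left at the IDP index page (200, no redirect)."""
    if "SAMLRequest" not in request.params:
        return Response(200)
    return Response(302, location="https://sp.example.test/acs")   # constructed SP ACS URL


def run_flow(binding: str, restore: bool) -> Response:
    """Drive one login through the authenticator for the given SAML binding
    ('POST' or 'Redirect') and return the IDP's final response."""
    if binding not in ("POST", "Redirect"):
        raise ValueError("binding must be 'POST' or 'Redirect'")
    session: Dict[str, object] = {}
    auth = NegotiationAuthenticator(restore)
    saml = "PHNhbWxwOkF1dGhuUmVxdWVzdC8+"   # constructed placeholder SAMLRequest
    uri = "/idp/sso"
    method = "POST" if binding == "POST" else "GET"
    first = Request(method, uri, {"SAMLRequest": saml}, False, session)
    if auth.authenticate(first):
        raise RuntimeError("expected a Negotiate challenge on the first request")
    # Request after the challenge: with HTTP-Redirect the SAMLRequest is still
    # in the query string; with HTTP-POST the form body is gone.
    params = {} if binding == "POST" else {"SAMLRequest": saml}
    second = Request("GET", uri, params, True, session)
    auth.authenticate(second)
    return idp_sso(second)


if __name__ == "__main__":
    for binding in ("Redirect", "POST"):
        for restore in (False, True):
            resp = run_flow(binding, restore)
            print(f"{binding:8} restore={restore!s:5} -> {resp.status} {resp.location}")
```

Running the block shows the three outcomes the report distinguishes: HTTP-Redirect ends in a 302 to the SP with or without the fix, HTTP-POST without the restore ends at the index page (200, no Location), and HTTP-POST with the restore ends in the 302 because the saved SAMLRequest is put back on the matching re-submission.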

Comment 1 baranowb 2014-04-11 06:34:22 UTC
Assigning to pskopek since he pleaded to PL issues for EAP6

Comment 2 baranowb 2014-04-15 11:59:19 UTC
Assigning back to derek, this is a negotiation issue, it's not part of PL as I assumed.

Comment 3 Derek Horton 2014-04-16 20:36:38 UTC
PR
https://github.com/wildfly/jboss-negotiation/pull/3

Comment 5 Ondrej Lukas 2014-05-13 11:06:57 UTC
Verified in EAP 6.2.3.CR2, changes are presented in code. Customer confirmed the bug was fixed.

Comment 6 sgilda 2014-05-19 11:39:37 UTC
Fix typo in release notes reported by Bug 1098999.

