+++ This bug was initially created as a clone of Bug #1030053 +++ Description of problem: The NegotiationAuthenticator loses post data. A customer is attempting to use Negotiation along with PicketLink at the IDP. This works fine as long as the SP is using HTTP-Redirect SAML binding. If the SP is using HTTP-Redirect, then this issue is avoided as the SAMLRequest is passed along through the redirects on the URL. If the HTTP-POST binding is used, then the NegotiationAuthenticator will lose the SAMLRequest post parameter. This means that after a user is successfully authenticated, the IDP will not know where to redirect the user to. As a result, the user will be left at the IDP index.html page. --- Additional comment from Derek Horton on 2013-11-13 15:03:26 EST --- A hack that appears to work in my (very limited) testing: Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java =================================================================== --- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (revision 114558) +++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (working copy) @@ -88,11 +88,21 @@ boolean DEBUG = log.isDebugEnabled(); log.trace("Authenticating user"); + System.out.println("*** request.getParameterMap(): "+request.getParameterMap()); + Principal principal = request.getUserPrincipal(); if (principal != null) { if (log.isTraceEnabled()) log.trace("Already authenticated '" + principal.getName() + "'"); + + if( matchRequest(request) ) + { + System.out.println("*** restoring request!"); + Session session = request.getSessionInternal(); + restoreRequest(request, session); + } + return true; } 
@@ -255,6 +265,10 @@ private void initiateNegotiation(final Request request, final HttpServletResponse response, final LoginConfig config) throws IOException { + System.out.println("*** saving request!"); + Session session = request.getSessionInternal(); + saveRequest(request, session); + String loginPage = config.getLoginPage(); if (loginPage != null) { @@ -264,8 +278,8 @@ try { - Session session = request.getSessionInternal(); - saveRequest(request, session); +// Session session = request.getSessionInternal(); +// saveRequest(request, session); disp.include(request.getRequest(), response); response.setHeader("WWW-Authenticate", getNegotiateScheme()); --- Additional comment from Derek Horton on 2013-12-12 12:24:30 EST --- Darran, Can you review this patch and let me know what you think? I cleaned this patch up a bit. Some of the changes above were not needed. __This fix depends on bz-1030050__ Right now there is a hack (see FIXME below) in there that makes it work. We should be able to remove the hack once bz-1030050 is resolved. $ svn diff Index: jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java =================================================================== --- jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (revision 114558) +++ jboss-negotiation-common/src/main/java/org/jboss/security/negotiation/NegotiationAuthenticator.java (working copy) 
@@ -88,11 +88,26 @@ boolean DEBUG = log.isDebugEnabled(); log.trace("Authenticating user"); + // FIXME: This needs to be here until bz-1030050 is resolved. Without this, it will not work. + request.getParameterMap(); + Principal principal = request.getUserPrincipal(); if (principal != null) { if (log.isTraceEnabled()) log.trace("Already authenticated '" + principal.getName() + "'"); + + // Is this the re-submit of the original request URI after successful + // authentication? If so, forward the *original* request instead. + if( matchRequest(request) ) + { + Session session = request.getSessionInternal(true); + log.trace("Restore request from session '" + + session.getIdInternal() + + "'"); + restoreRequest(request, session); + } + return true; } --- Additional comment from JBoss JIRA Server on 2014-04-08 08:22:52 EDT --- Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-815 to Resolved
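Review bot: In the first patch's hunk `@@ -88,11 +88,21 @@`, the added `System.out.println("*** request.getParameterMap(): "+request.getParameterMap())` dumps every request parameter, including the SAMLRequest this bug is about, to stdout on every call to `authenticate`. Drop it, or replace it with a `log.trace(...)` guarded by `log.isTraceEnabled()` as the surrounding code already does; the same goes for the `"*** restoring request!"` print in the new `matchRequest` branch.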
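Review bot: In the first patch's hunk `@@ -255,6 +265,10 @@`, `saveRequest(request, session)` now runs at the top of `initiateNegotiation` for every request, before the `loginPage != null` check, so the request is stored in the session even when no login page is configured. If that is deliberate (the POST must survive the Negotiate round trip whether or not a login page is used), state it in a comment instead of the `"*** saving request!"` print, since the trailing hunk removes the only other place that comment could be inferred from.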
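Review bot: In the first patch's hunk `@@ -264,8 +278,8 @@`, the two lines `// Session session = request.getSessionInternal();` and `// saveRequest(request, session);` should be deleted rather than left as commented-out code; the diff already records that the save moved earlier in `initiateNegotiation`, and dead comments here will only mislead the next reader.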
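Review bot: In the second patch's hunk `@@ -88,11 +88,26 @@`, the bare `request.getParameterMap();` with its result discarded is there purely for a side effect, but the FIXME only names bz-1030050 and not what the side effect is, so nobody can judge when it is safe to remove; spell out in the comment what calling it before `restoreRequest` achieves. Also, the new `log.trace("Restore request from session '" + session.getIdInternal() + "'")` is unguarded while the `log.trace` two lines above is wrapped in `if (log.isTraceEnabled())`; keep the two consistent.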
Assigning to pskopek since he pleaded to PL issues for EAP6
Assigning back to Derek, this is a negotiation issue, it's not part of PL as I assumed.
PR https://github.com/wildfly/jboss-negotiation/pull/3
Verified in EAP 6.2.3.CR2, changes are presented in code. Customer confirmed the bug was fixed.
Fix typo in release notes reported by Bug 1098999.