Bug 1116146 - [GSS] (6.3.x) PicketLink AbstractIDPValve does not trigger the next valve in the pipeline
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: CR2
Target Release: EAP 6.3.2
Assignee: Peter Skopek
QA Contact: Ondrej Kotek
URL:
Whiteboard: MustBeFixed
Depends On: 1122717
Blocks: 1123427 eap632-blockers, eap632-payload 1153566
 
Reported: 2014-07-03 21:10 UTC by Derek Horton
Modified: 2019-08-19 12:39 UTC (History)
CC List: 8 users

Fixed In Version:
Clone Of:
Clones: 1122717
Environment:
Last Closed: 2019-08-19 12:39:55 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker PLINK-516 0 Major Resolved PicketLink AbstractIDPValve does not trigger the next valve in the pipeline 2015-11-26 01:29:40 UTC
Red Hat Issue Tracker PLINK-546 0 Major Resolved PicketLink AbstractIDPValve breaks clustered session replication 2015-11-26 01:29:39 UTC
Red Hat Issue Tracker PLINK-558 0 Major Resolved AbstractIDPValve should always invoke next valve 2015-11-26 01:29:39 UTC

Description Derek Horton 2014-07-03 21:10:57 UTC
Description of problem:

PicketLink AbstractIDPValve does not trigger the next valve in the pipeline.  The invoke() method of the AbstractIDPValve does not call getNext().invoke(), which means that the pipeline processing will always terminate with the IDP valve.

You can see this by placing the AccessLogValve after the IDP valve in the WEB-INF/jboss-web.xml file.  The AccessLogValve will not get triggered.


Version-Release number of selected component (if applicable):


Steps to Reproduce:

Stack the ExtendedFormAuthenticator, IDPWebBrowserSSOValve and RequestDumperValve together.  The RequestDumperValve will not get called.

<jboss-web>
    <security-domain>SPNEGO</security-domain>
    <disable-audit>false</disable-audit>
    <context-root>idp</context-root>
    <valve>
      <class-name>org.jboss.as.web.security.ExtendedFormAuthenticator</class-name>
    </valve>
    <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
        <param>
            <param-name>passUserPrincipalToAttributeManager</param-name>
            <param-value>true</param-value>
        </param>
        <param>
            <param-name>characterEncoding</param-name>
            <param-value>UTF-8</param-value>
        </param>
    </valve>
    <valve>
      <class-name>org.apache.catalina.valves.RequestDumperValve</class-name>
    </valve>
</jboss-web>


Actual results:
The RequestDumperValve does not get called.


Expected results:
The RequestDumperValve should get called.


Additional info:

Comment 1 JBoss JIRA Server 2014-07-08 00:38:05 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-516 to Resolved

Comment 4 Derek Horton 2014-08-19 02:50:52 UTC
This fix needs to include PLINK-516 and PLINK-546.

The fix in PLINK-516 does not completely resolve the issue.  With only the PLINK-516 fix, the ClusteredSessionValve does not get invoked.  This breaks the clustered session replication functionality.

Comment 6 JBoss JIRA Server 2014-08-26 18:03:09 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-546 to Resolved

Comment 7 Ondrej Kotek 2014-10-16 07:29:59 UTC
Fix for PLINK-516 does not work for me. For JBoss EAP 6.3.2.CR1, with RequestDumperValve and ExtendedFormAuthenticator added, requests are dumped to the log twice.

Commits in PicketLink 2.5.3.SP11-redhat-1 are in the wrong order. The PLINK-558 commit is the important one and should be placed as the last one. See BZ 1122717.

Comment 8 Ondrej Kotek 2014-10-16 08:34:20 UTC
To be precise: commits in PicketLink Bindings 2.5.3.SP11-redhat-1.

Comment 11 Peter Skopek 2014-10-20 11:45:11 UTC
Fixed in 2.5.3.SP12.

Comment 12 Ondrej Kotek 2014-10-24 14:11:14 UTC
Verified for EAP 6.3.2.CR2

