Bug 1142804 - PicketLink SAML based SSO using REDIRECT binding: redirect to SP is sent with non-zero content-length header without a content
Status: ASSIGNED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.4.0
Hardware / OS: Unspecified / Unspecified
Priority: unspecified
Severity: high
Target Release: EAP 6.4.0
Assigned To: Peter Skopek
QA Contact: Ondrej Kotek
Depends On: 1164220
Blocks: 1153620
Reported: 2014-09-17 08:44 EDT by Ondrej Kotek
Modified: 2018-02-07 13:13 EST
Fixed In Version:
Doc Type: Known Issue
Type: Bug


Attachments
idp.war (4.61 KB, application/zip) - 2015-03-03 09:25 EST, Josef Cacek
sp.war (8.82 KB, application/zip) - 2015-03-03 09:29 EST, Josef Cacek


External Trackers
JBoss Issue Tracker EAP6-222 (Major, Closed): Modify the PicketLink IDP to support SAML 2.0 unsolicited responses. Last updated 2018-03-15 10:15 EDT.

Description Ondrej Kotek 2014-09-17 08:44:13 EDT
Description of problem:

Let's have PicketLink SAML-based SSO using the REDIRECT binding. When the IdP redirects (back) to the SP, the redirect response is sent with a non-zero Content-Length header but without content. A client (httpunit) expects content that never comes.

This applies to SP-initiated SSO and to SAML v2.0 unsolicited responses. In the case of a SAML v1.1 unsolicited response, the redirection is OK (no content and no non-zero Content-Length header) -- in AbstractIDPValve it is processed separately and the response object is recycled before redirection (line 706: response.getCoyoteResponse().recycle();), unlike in the other cases.


Version-Release number of selected component (if applicable):

PicketLink 2.5.3.SP10-redhat-1


How reproducible:

Test cases from AbstractIdPInitiatedSsoTestCase with SP initiation or SAML v2.0 unsolicited responses.


Steps to Reproduce:

Run IdPInitiatedSsoRedirectTestCase#testSpInitiatedSso test case.


Actual results:

Waiting 1 minute (timeout) because of the corrupted redirection, and failure because an assertion is no longer valid.


Expected results:

No waiting.
Comment 3 Hynek Mlnarik 2014-11-27 09:20:31 EST
Failed verification on 6.4.0.DR11. See [1] for a Wireshark dump of the communication of the IdPInitiatedSsoRedirectTestCase#testSpInitiatedSsoHelloWorld test, especially line 140.
Comment 7 Josef Cacek 2015-03-03 09:25:08 EST
Created attachment 997556 [details]
idp.war
Comment 8 Josef Cacek 2015-03-03 09:29:52 EST
Created attachment 997557 [details]
sp.war

Attaching a reproducer.

Steps:

- start EAP

- use JBoss CLI to configure security domains:
/subsystem=security/security-domain=idp:add(cache-type=default)
/subsystem=security/security-domain=idp/authentication=classic:add
/subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required)
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=UsersRoles:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)
reload

- deploy attached applications (idp.war, sp.war)

- open SP in Internet Explorer 10/11: http://localhost:8080/sp/

- you are redirected to the IdP login form - use tomcat/tomcat credentials to authenticate.

... and wait for the SP page
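The following is an added example for the failure mode described in the bug description and reproduced by the steps above; it is not PicketLink or EAP code and is not part of this bug report. It diagnoses a redirect whose declared Content-Length does not match the bytes actually sent, so a test fails immediately with a verdict instead of blocking for the one-minute timeout, and it also decodes the SAMLResponse carried in the Location query string of the HTTP-Redirect binding (URL-decode, base64-decode, raw DEFLATE inflate). The two raw responses are constructed for illustration, not captured from the attached idp.war; the host, port and path passed on the command line are assumptions.

```python
"""Framing check for SAML HTTP-Redirect binding responses (added example).

Diagnoses a 3xx redirect that declares a non-zero Content-Length but sends
no body, and decodes the SAMLResponse from the Location header.  The sample
responses below are constructed, not captured traffic.
"""
import base64
import socket
import sys
import urllib.parse
import zlib


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased; body is whatever followed the blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def diagnose(raw: bytes) -> dict:
    """Verdicts: 'ok' (redirect, Content-Length absent or equal to the body),
    'content-length-mismatch' (declared length != bytes present),
    'not-a-redirect' (status outside 3xx)."""
    status, headers, body = parse_response(raw)
    declared = headers.get("content-length")
    declared = int(declared) if declared is not None else None
    result = {"status": status, "declared": declared, "actual": len(body),
              "location": headers.get("location")}
    if not 300 <= status < 400:
        result["verdict"] = "not-a-redirect"
    elif declared is not None and declared != len(body):
        result["verdict"] = "content-length-mismatch"
    else:
        result["verdict"] = "ok"
    return result


def decode_redirect_payload(location: str, param: str = "SAMLResponse") -> str:
    """HTTP-Redirect binding: URL-decode, base64-decode, inflate raw DEFLATE."""
    query = urllib.parse.urlparse(location).query
    value = urllib.parse.parse_qs(query)[param][0]
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def encode_redirect_payload(xml: str) -> str:
    """Inverse of decode_redirect_payload; used only to build the sample URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def probe(host: str, port: int, path: str, timeout: float = 5.0) -> bytes:
    """Fetch one response under a hard socket timeout, so a body that never
    arrives becomes a diagnosis instead of a hung client.  Returns the bytes
    received before EOF or timeout."""
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
           f"Connection: close\r\n\r\n").encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # server declared a body it never sent
    return b"".join(chunks)


# Constructed samples (not captured from the reproducer deployments).
SAMPLE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_example"/>')
SP_LOCATION = "http://localhost:8080/sp/?SAMLResponse=" + encode_redirect_payload(SAMPLE_XML)

BROKEN_REDIRECT = (  # the shape reported in this bug: length declared, no body
    "HTTP/1.1 302 Found\r\n"
    f"Location: {SP_LOCATION}\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 1432\r\n"
    "\r\n"
).encode("ascii")

GOOD_REDIRECT = (  # the SAML v1.1 shape: no body and no non-zero length
    "HTTP/1.1 302 Found\r\n"
    f"Location: {SP_LOCATION}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
).encode("ascii")

if __name__ == "__main__":
    if len(sys.argv) == 4:  # assumed usage: host port path, e.g. localhost 8080 /idp/
        raw = probe(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    else:
        raw = BROKEN_REDIRECT
    verdict = diagnose(raw)
    print(verdict["verdict"], verdict)
    if verdict["location"]:
        print(decode_redirect_payload(verdict["location"]))
```

Run without arguments it reports the constructed broken redirect as a content-length mismatch (declared 1432, actual 0) and prints the decoded SAMLResponse; with host, port and path it probes a live endpoint with a five-second socket timeout, which is the check to put in place of "wait for the SP page". The probe only covers the first hop; for the SP-initiated flow the interesting response is the one the IdP returns after login, so the request would need the session cookie from the login step.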
Comment 10 JBoss JIRA Server 2015-04-28 11:05:13 EDT
John Doyle <jdoyle@jboss.org> updated the status of jira EAP6-222 to Closed
