Bug 1142804 - PicketLink SAML based SSO using REDIRECT binding: redirect to SP is sent with non-zero content-length header without a content
Summary: PicketLink SAML based SSO using REDIRECT binding: redirect to SP is sent with...
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: EAP 6.4.0
Assignee: Peter Skopek
QA Contact: Ondrej Kotek
URL:
Whiteboard:
Depends On: 1164220
Blocks: 1153620
Reported: 2014-09-17 12:44 UTC by Ondrej Kotek
Modified: 2019-08-19 12:49 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Cause: ?? Consequence: Workaround (if any): Result:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:49:15 UTC
Type: Bug
Embargoed:


Attachments
idp.war (4.61 KB, application/zip), 2015-03-03 14:25 UTC, Josef Cacek
sp.war (8.82 KB, application/zip), 2015-03-03 14:29 UTC, Josef Cacek


Links
System ID: Red Hat Issue Tracker EAP6-222 | Private: 0 | Priority: Major | Status: Closed | Summary: Modify the PicketLink IDP to support SAML 2.0 unsolicited responses | Last Updated: 2018-03-15 14:15:58 UTC

Description Ondrej Kotek 2014-09-17 12:44:13 UTC
Description of problem:

Let's have PicketLink SAML based SSO using REDIRECT binding. When the IdP is redirecting (back) to the SP, the redirect response is sent with a non-zero content-length header but without content. A client (httpunit) expects content that never comes.

This applies to SP-initiated SSO and to SAML v2.0 unsolicited responses. In the case of a SAML v1.1 unsolicited response, the redirection is OK (no content and no non-zero content-length header) -- in AbstractIDPValve it is processed separately and the response object is recycled before redirection (line 706: response.getCoyoteResponse().recycle();), unlike in the other cases.


Version-Release number of selected component (if applicable):

PicketLink 2.5.3.SP10-redhat-1


How reproducible:

Test cases from AbstractIdPInitiatedSsoTestCase with SP initiation or SAML v2.0 unsolicited responses.


Steps to Reproduce:

Run IdPInitiatedSsoRedirectTestCase#testSpInitiatedSso test case.


Actual results:

Waiting 1 minute (timeout) because of corrupted redirection, and failure because an assertion is no longer valid.


Expected results:

No waiting.

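The description above is a header/body mismatch at the HTTP level: the redirect carries a Content-Length that promises a body, and a client that honours the header blocks until its own timeout. The following is an added example, not code from the bug report or from PicketLink. It stands up a throwaway local server that replays a constructed copy of that broken redirect (and, for comparison, a clean one), and a checker that reads the response, compares the declared Content-Length against the bytes actually delivered, and bounds the wait instead of hanging. The Location value, the Content-Length of 137 and the 0.5 s timeout are constructed for the example; the SAMLResponse query parameter a real REDIRECT-binding response would carry is omitted.

```python
import socket
import threading
import time

# Constructed sample responses (not captured from PicketLink). The first
# mirrors the symptom in the report: a 302 that announces a body via
# Content-Length but never sends one. The second is what a clean redirect
# looks like. The SAMLResponse query parameter is omitted from Location.
BUGGY_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://localhost:8080/sp/\r\n"
    b"Content-Length: 137\r\n"
    b"\r\n"
)
CLEAN_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://localhost:8080/sp/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def serve_once(raw_response, hold_seconds=1.0):
    """Start a throwaway local server that answers one connection with
    raw_response and then keeps the socket open for a while, as the
    misbehaving IdP does. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        conn.recv(4096)              # consume the client's request
        conn.sendall(raw_response)
        time.sleep(hold_seconds)     # no body ever follows
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def check_redirect(port, timeout=0.5):
    """Fetch / from the server on `port` and report whether the redirect
    delivered the body its Content-Length promised. A client that trusts
    the header blindly blocks here until its own timeout; this checker
    bounds the wait and returns a diagnosis instead."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        c.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = c.recv(4096)
            if not chunk:
                break
            data += chunk
        head, _, body = data.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        declared = int(headers.get("content-length", "0"))
        timed_out = False
        # Try to read exactly the promised body; a short read or a timeout
        # is the defect the report describes.
        while len(body) < declared:
            try:
                chunk = c.recv(declared - len(body))
            except socket.timeout:
                timed_out = True
                break
            if not chunk:
                break
            body += chunk
        return {
            "status": status,
            "location": headers.get("location"),
            "declared": declared,
            "received": len(body),
            "truncated": len(body) < declared,
            "timed_out": timed_out,
        }


if __name__ == "__main__":
    for label, resp in (("buggy", BUGGY_REDIRECT), ("clean", CLEAN_REDIRECT)):
        print(label, check_redirect(serve_once(resp)))
```

Run against the broken response the checker reports `declared` 137, `received` 0 and `timed_out` True after half a second, which is the one-minute wait from the report compressed into a bounded diagnostic; against the clean response it returns immediately with nothing truncated. The same check can be pointed at a real IdP port to confirm a fix: a redirect with `Content-Length: 0` (or no Content-Length and a closed connection) is what a recycled response looks like on the wire.
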
Comment 3 Hynek Mlnarik 2014-11-27 14:20:31 UTC
Failed verification 6.4.0.DR11. See [1] for a Wireshark dump of the communication of the IdPInitiatedSsoRedirectTestCase#testSpInitiatedSsoHelloWorld test, especially line 140.

Comment 7 Josef Cacek 2015-03-03 14:25:08 UTC
Created attachment 997556 [details]
idp.war

Comment 8 Josef Cacek 2015-03-03 14:29:52 UTC
Created attachment 997557 [details]
sp.war

Attaching reproducer.

Steps:

- start EAP

- use JBoss CLI to configure security domains:
/subsystem=security/security-domain=idp:add(cache-type=default)
/subsystem=security/security-domain=idp/authentication=classic:add
/subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required)
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=UsersRoles:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)
reload

- deploy attached applications (idp.war, sp.war)

- open the SP in Internet Explorer 10/11: http://localhost:8080/sp/

- you are redirected to the IdP login form - use tomcat/tomcat credentials to authenticate.

... and wait for the SP page

Comment 10 JBoss JIRA Server 2015-04-28 15:05:13 UTC
John Doyle <jdoyle> updated the status of jira EAP6-222 to Closed

