Bug 1142804

Summary: PicketLink SAML based SSO using REDIRECT binding: redirect to SP is sent with non-zero content-length header without a content
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Ondrej Kotek <okotek>
Component: PicketLink
Assignee: Peter Skopek <pskopek>
Status: CLOSED EOL
QA Contact: Ondrej Kotek <okotek>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.4.0
CC: anmiller, bdawidow, kkhan, pslavice
Target Milestone: ---
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
Cause: ??
Consequence:
Workaround (if any):
Result:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-19 12:49:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1164220
Bug Blocks: 1153620
Attachments:
idp.war (flags: none)
sp.war (flags: none)

Description Ondrej Kotek 2014-09-17 12:44:13 UTC
Description of problem:

Let's have PicketLink SAML based SSO using REDIRECT binding. When IdP is redirecting (back) to SP, the redirect response is sent with a non-zero content-length header but without content. A client (httpunit) expects content that never comes.

This applies to SP initiated SSO and for SAML v2.0 unsolicited response. In case of SAML v1.1 unsolicited response, the redirection is ok (no content and no non-zero content-length header) -- in AbstractIDPValve, it is processed separately and the response object is recycled before redirection (line 706: response.getCoyoteResponse().recycle();), unlike in other cases.


Version-Release number of selected component (if applicable):

PicketLink 2.5.3.SP10-redhat-1


How reproducible:

Test cases from AbstractIdPInitiatedSsoTestCase with SP initiation or SAML v2.0 unsolicited responses.


Steps to Reproduce:

Run IdPInitiatedSsoRedirectTestCase#testSpInitiatedSso test case.


Actual results:

Waiting 1 minute (timeout) because of corrupted redirection, and failure because an assertion is no longer valid.


Expected results:

No waiting.
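
The failure mode described in this report (a 3xx redirect whose Content-Length promises body bytes that are never sent, so a client that trusts the header blocks until its socket timeout) can be checked on a captured response. The following is an added example, not code from the bug report, from PicketLink or from EAP: it parses a raw HTTP/1.x response as it would appear in a Wireshark dump and reports whether the declared length exceeds the bytes actually present. The two sample responses are constructed for the demonstration; the Content-Length value 1234 and the header set are made up, only the SP URL comes from the reproducer below.

```python
"""Detect a Content-Length/body mismatch on an HTTP redirect response.

Added example (not from the bug report or PicketLink). Given the raw bytes
of a response as captured on the wire, report whether a redirect declared a
non-zero Content-Length but carried fewer body bytes than declared.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RedirectCheck:
    status: int
    location: Optional[str]
    declared_length: Optional[int]
    actual_length: int

    @property
    def is_redirect(self) -> bool:
        return 300 <= self.status < 400

    @property
    def truncated(self) -> bool:
        """True when the header promises more body bytes than were sent."""
        return self.declared_length is not None and self.actual_length < self.declared_length


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return int(code), headers, body


def check_redirect(raw: bytes) -> RedirectCheck:
    """Compare the declared Content-Length with the body bytes actually present."""
    status, headers, body = parse_response(raw)
    declared = headers.get("content-length")
    return RedirectCheck(
        status=status,
        location=headers.get("location"),
        declared_length=int(declared) if declared is not None else None,
        actual_length=len(body),
    )


# Constructed sample responses (values made up for the demo, except the SP URL).
BROKEN_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://localhost:8080/sp/\r\n"
    b"Content-Length: 1234\r\n"          # promises 1234 bytes ...
    b"Connection: keep-alive\r\n"
    b"\r\n"                               # ... and then nothing follows
)

GOOD_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://localhost:8080/sp/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in (("broken", BROKEN_REDIRECT), ("good", GOOD_REDIRECT)):
        r = check_redirect(raw)
        print(f"{name}: redirect={r.is_redirect} declared={r.declared_length} "
              f"actual={r.actual_length} truncated={r.truncated}")
```

Run against the bytes of a single captured response (for instance the frame the verifier points at in Comment 3), `truncated` is the signal: a keep-alive client reads exactly `Content-Length` bytes before following `Location`, so a redirect with a declared length and an empty body stalls until the read times out, which is the one-minute wait reported above.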

Comment 3 Hynek Mlnarik 2014-11-27 14:20:31 UTC
Failed verification 6.4.0.DR11. See [1] for a Wireshark dump of the communication of the IdPInitiatedSsoRedirectTestCase#testSpInitiatedSsoHelloWorld test, especially line 140.

Comment 7 Josef Cacek 2015-03-03 14:25:08 UTC
Created attachment 997556 [details]
idp.war

Comment 8 Josef Cacek 2015-03-03 14:29:52 UTC
Created attachment 997557 [details]
sp.war

Attaching reproducer.

Steps:

- start EAP

- use JBoss CLI to configure security domains:
/subsystem=security/security-domain=idp:add(cache-type=default)
/subsystem=security/security-domain=idp/authentication=classic:add
/subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required)
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=UsersRoles:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)
reload

- deploy attached applications (idp.war, sp.war)

- open SP in Internet Explorer 10/11: http://localhost:8080/sp/

- you are redirected to the IdP login form - use tomcat/tomcat credentials to authenticate.

... and wait for the SP page

Comment 10 JBoss JIRA Server 2015-04-28 15:05:13 UTC
John Doyle <jdoyle> updated the status of jira EAP6-222 to Closed