Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1196726

Summary: [GSS] (6.4.z) After login, the ServiceURL (picketlink.xml) is not redirecting to the desired page
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Tom Fonteyne <tfonteyn>
Component: PicketLinkAssignee: Dominik Pospisil <dpospisi>
Status: CLOSED NOTABUG QA Contact: Josef Cacek <jcacek>
Severity: high Docs Contact:
Priority: high    
Version: 6.3.3CC: anmiller, bbaranow, bmaxwell, dpospisi, jawilson, psilva, pskopek, shivam.vds, tfonteyn
Target Milestone: ---Keywords: Regression
Target Release: ---Flags: tfonteyn: needinfo-
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-14 09:25:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
employee.war
none
idp.war none

Description Tom Fonteyne 2015-02-26 15:41:01 UTC
Tested using:

    EAP 6.3 CP3 with the onboard PicketLink version
    EAP 6.3 CP3 with the 'master' build of picketlink and picketlink-bindings as of 2015-02-26

Deployed a minimal IDP which works fine
Deployed a minimal SP with this structure:
"/plhello" == context

http://myhost:8080/plhello/index.jsp

=> free access, page has links to:

/plhello/p/index2.jsp
/plhello/test/test.jsp

both of those are protected:

<security-constraint>
<display-name>protected</display-name>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<description/>
<url-pattern>/test/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/p/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>JBossAdmin</role-name>
</security-role>

BindingType: REDIRECT

Test 1:
<ServiceURL>http://myhost:8080/plhello/</ServiceURL>

click on "/plhello/p/index2.jsp"
redirect to IDP, successful login
end up on http://myhost:8080/plhello/
instead of "/plhello/p/index2.jsp"
click on either "/plhello/p/index2.jsp" or "/plhello/test/test.jsp"
end up on http://myhost:8080/plhello/
instead of on the desired link

Test 2
<ServiceURL>http://myhost:8080/plhello/p/</ServiceURL>

click on "/plhello/p/index2.jsp"
redirect to IDP, successful login
end up with:
JBWEB000065: HTTP Status 500
logfile:

15:26:47,878 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/plhello].[default]] (http-orac.usersys.redhat.com/10.33.1.182:8080-1) JBWEB000236: Servlet.service() for servlet default threw exception: java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:392) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:730) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:363) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.doPost(DefaultServlet.java:399) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_76]

Manually go back to http://orac.usersys.redhat.com:8080/plhello/
and click on /plhello/p/index2.jsp or /plhello/test/test.jsp
=> correct page is show now.

Comment 2 Josef Cacek 2015-03-03 07:43:49 UTC
Created attachment 997357 [details]
employee.war

Comment 3 Josef Cacek 2015-03-03 07:54:15 UTC
Created attachment 997358 [details]
idp.war

I'm attaching a reproducer - it's slightly modified employee quickstart app (from PL 2.1.6 quickstarts).
The context root (/employee/) is not protected. A new subfolder (/employee/protected/) is protected.

Steps:
- start EAP

- use JBoss CLI to configure security domains:
/subsystem=security/security-domain=idp:add(cache-type=default)
/subsystem=security/security-domain=idp/authentication=classic:add
/subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required)
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=UsersRoles:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)
reload

- deploy attached applications (idp.war, employee.war)

- go to the SP root: http://localhost:8080/employee/

- click the link to navigate the "protected area" and use  tomcat/tomcat credentials to authenticate.

=> authentication is successfull, but you are redirected back to the (unprotected) context root

Comment 12 shivam.vds 2015-09-08 22:34:37 UTC
I also faced exactly same problem, Removing the trailing / from the SP URL solved the problem.

Below is the code excerpt from org.apache.catalina.servlets.DefaultServlet supposedly guilty of doing this....


// If the resource is not a collection, and the resource path
720         // ends with "/" or "\", return NOT FOUND
721         if (cacheEntry.context == null) {
722             if (path.endsWith("/") || (path.endsWith("\\"))) {
723                 // Check if we're included so we can return the appropriate 
724                 // missing resource name in the error
725                 String requestUri = (String) request.getAttribute(
726                                             Globals.INCLUDE_REQUEST_URI_ATTR);
727                 if (requestUri == null) {
728                     requestUri = request.getRequestURI();
729                 }
730                 response.sendError(HttpServletResponse.SC_NOT_FOUND,
731                                    requestUri);
732                 return;
733             }
734         }