Bug 1196726
| Summary: | [GSS] (6.4.z) After login, the ServiceURL (picketlink.xml) is not redirecting to the desired page | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Tom Fonteyne <tfonteyn> | ||||||
| Component: | PicketLink | Assignee: | Dominik Pospisil <dpospisi> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | Josef Cacek <jcacek> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 6.3.3 | CC: | anmiller, bbaranow, bmaxwell, dpospisi, jawilson, psilva, pskopek, shivam.vds, tfonteyn | ||||||
| Target Milestone: | --- | Keywords: | Regression | ||||||
| Target Release: | --- | Flags: | tfonteyn:
needinfo-
|
||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2015-09-14 09:25:34 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 997357 [details]
employee.war
Created attachment 997358 [details] idp.war I'm attaching a reproducer - it's slightly modified employee quickstart app (from PL 2.1.6 quickstarts). The context root (/employee/) is not protected. A new subfolder (/employee/protected/) is protected. Steps: - start EAP - use JBoss CLI to configure security domains: /subsystem=security/security-domain=idp:add(cache-type=default) /subsystem=security/security-domain=idp/authentication=classic:add /subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required) /subsystem=security/security-domain=sp:add(cache-type=default) /subsystem=security/security-domain=sp/authentication=classic:add /subsystem=security/security-domain=sp/authentication=classic/login-module=UsersRoles:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required) reload - deploy attached applications (idp.war, employee.war) - go to the SP root: http://localhost:8080/employee/ - click the link to navigate the "protected area" and use tomcat/tomcat credentials to authenticate. => authentication is successfull, but you are redirected back to the (unprotected) context root I also faced exactly same problem, Removing the trailing / from the SP URL solved the problem.
Below is the code excerpt from org.apache.catalina.servlets.DefaultServlet supposedly guilty of doing this....
// If the resource is not a collection, and the resource path
720 // ends with "/" or "\", return NOT FOUND
721 if (cacheEntry.context == null) {
722 if (path.endsWith("/") || (path.endsWith("\\"))) {
723 // Check if we're included so we can return the appropriate
724 // missing resource name in the error
725 String requestUri = (String) request.getAttribute(
726 Globals.INCLUDE_REQUEST_URI_ATTR);
727 if (requestUri == null) {
728 requestUri = request.getRequestURI();
729 }
730 response.sendError(HttpServletResponse.SC_NOT_FOUND,
731 requestUri);
732 return;
733 }
734 }
|
Tested using: EAP 6.3 CP3 with the onboard PicketLink version EAP 6.3 CP3 with the 'master' build of picketlink and picketlink-bindings as of 2015-02-26 Deployed a minimal IDP which works fine Deployed a minimal SP with this structure: "/plhello" == context http://myhost:8080/plhello/index.jsp => free access, page has links to: /plhello/p/index2.jsp /plhello/test/test.jsp both of those are protected: <security-constraint> <display-name>protected</display-name> <web-resource-collection> <web-resource-name>test</web-resource-name> <description/> <url-pattern>/test/*</url-pattern> </web-resource-collection> <web-resource-collection> <web-resource-name>protected</web-resource-name> <description/> <url-pattern>/p/*</url-pattern> </web-resource-collection> <auth-constraint> <description/> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint> <security-role> <description/> <role-name>JBossAdmin</role-name> </security-role> BindingType: REDIRECT Test 1: <ServiceURL>http://myhost:8080/plhello/</ServiceURL> click on "/plhello/p/index2.jsp" redirect to IDP, successful login end up on http://myhost:8080/plhello/ instead of "/plhello/p/index2.jsp" click on either "/plhello/p/index2.jsp" or "/plhello/test/test.jsp" end up on http://myhost:8080/plhello/ instead of on the desired link Test 2 <ServiceURL>http://myhost:8080/plhello/p/</ServiceURL> click on "/plhello/p/index2.jsp" redirect to IDP, successful login end up with: JBWEB000065: HTTP Status 500 logfile: 15:26:47,878 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/plhello].[default]] (http-orac.usersys.redhat.com/10.33.1.182:8080-1) JBWEB000236: Servlet.service() for servlet default threw exception: java.lang.IllegalStateException at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:392) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:730) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:363) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.servlets.DefaultServlet.doPost(DefaultServlet.java:399) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_76] Manually go back to http://orac.usersys.redhat.com:8080/plhello/ and click on /plhello/p/index2.jsp or /plhello/test/test.jsp => correct page is show now.