Get the quickstarts for PicketLink, deploy the idp.war sample and configure it + JBoss to use some security domain

"hosted/index.jsp"
<head>
<link rel="StyleSheet" href="/idp/css/tom.css" type="text/css">
</head>
...

Access idp directly: http://server:port/idp/
login.

The css file is never delivered to the browser, and the JBoss log file gets the exception (see below).

Another variation is to have the css file in the same "hosted" directory
<link rel="StyleSheet" href="tom.css" type="text/css">
same result.

Specifically added "hosted/*" to web.xml as a "free access" directory:
same result.

I found: https://issues.jboss.org/browse/PLFED-282 which is the same exception although the setup is different.

16:28:27,371 ERROR [org.apache.catalina.connector.CoyoteAdapter] (http-orac.usersys.redhat.com/10.33.1.221:8080-2) An exception or error occurred in the container during the request processing: java.lang.IllegalStateException: getOutputStream() has already been called for this response
	at org.apache.catalina.connector.Response.getWriter(Response.java:615) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:125) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:118) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.jasper.runtime.PageContextImpl.release(PageContextImpl.java:188) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.jasper.runtime.JspFactoryImpl.internalReleasePageContext(JspFactoryImpl.java:117) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.jasper.runtime.JspFactoryImpl.releasePageContext(JspFactoryImpl.java:76) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.jsp.hosted.index_jsp._jspService(index_jsp.java:71)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.1.Final-redhat-2.jar:1.0.1.Final-redhat-2]
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:253) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.1.Final-redhat-2.jar:1.0.1.Final-redhat-2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:840) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:622) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:560) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:488) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:400) [picketlink-jbas7-2.1.3.1-redhat-1.jar:2.1.3.1-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.17.Final-redhat-1.jar:]
	at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_43]

Is Engineering supposed to provide a patch? Why assignment to Pedro?

@Anil
> Is Engineering supposed to provide a patch?

No - this is the BZ I'm required to open according to procedure. We are required to open:
- JIRA for upstream
- BZ to indicate same bug, to be fixed in next EAP release
- BZ to get new version of component to be included in next EAP (I presume you or Pedro did this as Pedro confirmed in email it would go into 6.2)

Optional, and not done (yet) as I still need to check if customer needs it backported:
- BZ for one-off, if needed, to be built by SEG (me)

See here for full details: https://docspace.corp.redhat.com/docs/DOC-133944

If you can simplify this specifically for security issues, please do.

Verified in EAP 6.1.1.ER6 (PL 2.1.6.3).