[security-dev] Feedback: IDPFilter/SPFilter

Eric Wittmann eric.wittmann at redhat.com
Tue May 20 11:28:28 EDT 2014

Hey everyone.  Recently we've switched Overlord over to using primarily 
the IDPFilter and SPFilter implementations for our picketlink based SAML 
SSO solution.  Previously we were using the app-server specific approach 
(e.g. valves).  We're doing this because we need to support both JBoss 
and Fuse.  The latter is an OSGi environment and uses Jetty as its web 
app container.  We also support standalone jetty (why not?) and Tomcat.

My hope was that I could have as few differences as possible with 
respect to security across all these platforms.  Hence the attempt to 
use the filter implementations where possible.

Overall this effort resulted in some success and some failure. 
Primarily, we have been successful in using the filter approach to get 
everything working in Fuse!  This was the primary goal, so that's great.

However, here are some issues we ran into (and are still problems):

1) I couldn't get our IDP working in JBoss EAP 6.x when using the 
IDPFilter approach.  The problem is that the IDP doesn't seem to do the 
redirect back to the SP.  I poked at this a *very* little bit but didn't 
find the problem.  Workaround:  continue to use the more native approach 
when deploying to EAP.

2) Ran into a pax-web bug that caused an infinite redirect loop when 
using welcome-files in the SP web.xml.  Workaround: implement a custom 
filter to mimic welcome-file behavior.  (this is not a problem with 
picketlink, just informational)

3) When running in jetty (or in fuse) we see a number of picketlink 
stack traces:  https://gist.github.com/EricWittmann/aafd2c05954cbfea8a87 
  Workaround:  none - we're ignoring them. :(

So finally, if you want to reproduce any of these or just have a look at 
some code, go here:


See the README.md for a description of how to run it either in Fuse or 
Jetty.  To run it in EAP just copy the relevant WARs into 
standalone/deployments (make sure to name them properly as I have not 
included jboss-web.xml files:  idp.war, sp1.war, sp2.war).


More information about the security-dev mailing list