[security-dev] Feedback: IDPFilter/SPFilter

Anil Saldhana Anil.Saldhana at redhat.com
Tue May 20 15:39:21 EDT 2014

On 05/20/2014 10:28 AM, Eric Wittmann wrote:
> Hey everyone.  Recently we've switched Overlord over to using primarily
> the IDPFilter and SPFilter implementations for our picketlink based SAML
> SSO solution.  Previously we were using the app-server specific approach
> (e.g. valves).  We're doing this because we need to support both JBoss
> and Fuse.  The latter is an OSGi environment and uses Jetty as its web
> app container.  We also support standalone jetty (why not?) and Tomcat.
> My hope was that I could have as few differences as possible with
> respect to security across all these platforms.  Hence the attempt to
> use the filter implementations where possible.
> Overall this effort resulted in some success and some failure.
> Primarily, we have been successful in using the filter approach to get
> everything working in Fuse!  This was the primary goal, so that's great.
> However, here are some issues we ran into (and are still problems):
> 1) I couldn't get our IDP working in JBoss EAP 6.x when using the
> IDPFilter approach.  The problem is that the IDP doesn't seem to do the
> redirect back to the SP.  I poked at this a *very* little bit but didn't
> find the problem.  Workaround:  continue to use the more native approach
> when deploying to EAP.

It may be related to a bug in JBossWeb packaged as of EAP 6.2
wherein the FORM Authenticator does not restore the post data
after authentication.

If you use a community module of JBossWeb that is more recent, you
will see that it works.

I have tried with jbossweb-7.4.0.Beta3.jar

I would think 7.4.2.Final would have it too. :)

> 2) Ran into a pax-web bug that caused an infinite redirect loop when
> using welcome-files in the SP web.xml.  Workaround: implement a custom
> filter to mimic welcome-file behavior.  (this is not a problem with
> picketlink, just informational)
The SPFilter definitely needs additional testing and updates. If you want
to add in the welcome file behavior to SPFilter, please feel free to 
send a PR.
> 3) When running in jetty (or in fuse) we see a number of picketlink
> stack traces:  https://gist.github.com/EricWittmann/aafd2c05954cbfea8a87
>    Workaround:  none - we're ignoring them. :(
One end is complaining when the other end has closed. Hmmm... Wonder
why this is happening.

> So finally, if you want to reproduce any of these or just have a look at
> some code, go here:
> https://github.com/EricWittmann/karaf-picketlink-test
> See the README.md for a description of how to run it either in Fuse or
> Jetty.  To run it in EAP just copy the relevant WARs into
> standalone/deployments (make sure to name them properly as I have not
> included jboss-web.xml files:  idp.war, sp1.war, sp2.war).
> -Eric
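The custom welcome-file filter mentioned in item 2 could look like the following. This is an added example, not code from the thread or from the karaf-picketlink-test repository; the init-param name `welcome-file` and the default of `/index.html` are assumptions. It uses a server-side forward rather than an HTTP redirect, so the welcome-file handling itself never emits a 302 that could feed a redirect loop.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Mimics container welcome-file behaviour: a request for a directory
// ("/" or "/sub/") is forwarded, inside the server, to the welcome file.
public class WelcomeFileFilter implements Filter {
    // Assumed default; overridable via the (assumed) "welcome-file" init-param.
    private String welcomeFile = "/index.html";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("welcome-file");
        if (configured != null && !configured.isEmpty()) {
            welcomeFile = configured.startsWith("/") ? configured : "/" + configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Path relative to the web app's context root.
        String path = http.getServletPath();
        if (http.getPathInfo() != null) {
            path += http.getPathInfo();
        }
        if (path == null || path.isEmpty() || path.endsWith("/")) {
            String dir = (path == null || path.isEmpty())
                    ? "" : path.substring(0, path.length() - 1);
            // Forward, not sendRedirect: the browser sees no 302.
            req.getRequestDispatcher(dir + welcomeFile).forward(req, res);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map this filter after the SPFilter in web.xml, or give the SPFilter mapping a `<dispatcher>FORWARD</dispatcher>` entry as well; otherwise the forwarded request for the welcome file would bypass the SAML check, since filters apply to the REQUEST dispatcher only by default.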
