[security-dev] Feedback: IDPFilter/SPFilter
Anil.Saldhana at redhat.com
Tue May 20 15:39:21 EDT 2014
On 05/20/2014 10:28 AM, Eric Wittmann wrote:
> Hey everyone. Recently we've switched Overlord over to using primarily
> the IDPFilter and SPFilter implementations for our picketlink based SAML
> SSO solution. Previously we were using the app-server specific approach
> (e.g. valves). We're doing this because we need to support both JBoss
> and Fuse. The latter is an OSGi environment and uses Jetty as its web
> app container. We also support standalone jetty (why not?) and Tomcat.
> My hope was that I could have as few differences as possible with
> respect to security across all these platforms. Hence the attempt to
> use the filter implementations where possible.
>
> Overall this effort resulted in some success and some failure.
> Primarily, we have been successful in using the filter approach to get
> everything working in Fuse! This was the primary goal, so that's great.
> However, here are some issues we ran into (and are still problems):
>
> 1) I couldn't get our IDP working in JBoss EAP 6.x when using the
> IDPFilter approach. The problem is that the IDP doesn't seem to do the
> redirect back to the SP. I poked at this a *very* little bit but didn't
> find the problem. Workaround: continue to use the more native approach
> when deploying to EAP.
It may be related to a bug in JBossWeb packaged as of EAP 6.2,
wherein the FORM Authenticator does not restore the POST data.
If you use a community module of JBossWeb that is more recent, you
will see that it works.
I have tried with jbossweb-7.4.0.Beta3.jar.
I would think 7.4.2.Final would have it too. :)
> 2) Ran into a pax-web bug that caused an infinite redirect loop when
> using welcome-files in the SP web.xml. Workaround: implement a custom
> filter to mimic welcome-file behavior. (this is not a problem with
> picketlink, just informational)
The SPFilter definitely needs additional testing and updates. If you want
to add in the welcome file behavior to SPFilter, please feel free to
send a PR.
> 3) When running in jetty (or in fuse) we see a number of picketlink
> stack traces: https://gist.github.com/EricWittmann/aafd2c05954cbfea8a87
> Workaround: none - we're ignoring them. :(
One end is complaining when the other end has closed. Hmmm... Wonder
why this is happening.
> So finally, if you want to reproduce any of these or just have a look at
> some code, go here:
> See the README.md for a description of how to run it either in Fuse or
> Jetty. To run it in EAP just copy the relevant WARs into
> standalone/deployments (make sure to name them properly as I have not
> included jboss-web.xml files: idp.war, sp1.war, sp2.war).
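The welcome-file workaround mentioned in item 2 above, written out as an added example (this is not Overlord's or PicketLink's code, and the filter name, the `welcome-file` init parameter and the `index.html` default are assumptions). It forwards directory requests to the welcome file inside the container instead of issuing a redirect, so the client never enters a redirect cycle:

```java
// Added example, not part of the original thread: a minimal servlet Filter that
// mimics <welcome-file-list> behaviour for an SP WAR whose container does not
// honour it. Names below (WelcomeFileFilter, "welcome-file", index.html) are assumed.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WelcomeFileFilter implements Filter {
    private String welcomeFile = "index.html";

    @Override
    public void init(FilterConfig config) {
        // Optional <init-param> "welcome-file" overrides the default (assumed parameter name).
        String configured = config.getInitParameter("welcome-file");
        if (configured != null && !configured.isEmpty()) {
            welcomeFile = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Path relative to the web app, with any ;jsessionid=... path parameter removed.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }

        if (path.isEmpty()) {
            // "/sp1" without a trailing slash: one redirect to the canonical "/sp1/".
            // That follow-up request has path "/" and is forwarded below, never
            // redirected again, so there is no loop.
            response.sendRedirect(request.getContextPath() + "/");
            return;
        }
        if (path.endsWith("/")) {
            // Directory request: forward internally to the welcome file. A forward
            // stays inside the container, so the client sees no second redirect.
            request.getRequestDispatcher(path + welcomeFile).forward(request, response);
            return;
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {}
}
```

Map it in web.xml with a `<filter-mapping>` on `/*`, and list that mapping *after* the SPFilter mapping: filters run in mapping order, and a forward dispatches to a new request that filters mapped only for the default `REQUEST` dispatcher do not see. If the welcome filter ran first and forwarded before SPFilter had executed, the forwarded welcome page would be served without the SAML check. Alternatively, give the SPFilter mapping a `<dispatcher>FORWARD</dispatcher>` entry as well as `REQUEST` so it is applied on both paths.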