[JBoss JIRA] Created: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
8:48 a.m.
GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is redirected
back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:50 a.m.
New subject: [JBoss JIRA] Updated: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Marek Posolda updated GTNPORTAL-1048:
-------------------------------------
Attachment: identityException-createCriteria.txt
identityException-screenshot.png
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:07 a.m.
New subject: [JBoss JIRA] Commented: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Marek Posolda commented on GTNPORTAL-1048:
------------------------------------------
It's possible to simulate it without doing SSO integration. IDE debugger can be used
for simulating it. Doing steps:
1) Go to http://localhost:8080/portal
2) Click to "Sign in" and wait for GateIn dialog.
3) Fill "root"/"gtn"
4) Add breakpoint to class org.exoplatform.web.CacheUserProfileFilter - line 62 (line with
orgService.getUserHandler().findUserByName)
5) Go back to browser and click to "Sign in " button
6) Wait for IDE to go into breakpoint in CacheUserProfileFilter class.
7) Wait 2 minutes or more (cache expiration time on
org.picketlink.idm.impl.api.session.managers.PersistenceManagerImpl class)
8) Click F8 in Eclipse IDE to continue with progress.
I hope this scenario is more easy to simulate then integration with JOSSO or OpenSSO :-)
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:29 p.m.
New subject: [JBoss JIRA] Commented: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Sohil Shah commented on GTNPORTAL-1048:
---------------------------------------
ok so after running lots of scenarios and debugging here is what I have found out:
The core issue probably lies inside PicketLink or the exo identity components that
integrate with it. This issue affects all SSO frameworks, not just OpenSSO. I have can
replicate this issue "intermittently" with CAS and the newly added member
SPNEGO. Here is an explanation of what is going on.
The SSOLoginModules by design do not deal with a password. They deal with a trust token
for each framework, making a trust call back from GateIn, and then establishing an
authenticated Identity based on that trust. The problem lies with the fact that, if a
"password" based validation is not performed inside the LoginModule, looks like
the PicketLink Cache is out of sync with the authenticated state of the session.
When I add the following lines of code to the SSOLoginModule, everything works fine
consistently:
Credential[] credentials = new Credential[]{new UsernameCredential(username), new
PasswordCredential("gtn")};
String userId = authenticator.validateUser(credentials);
This is obviously for testing only. In SSO context, this does not make sense since its a
password-less authentication. The only code that should suffice for SSO is:
Identity identity = authenticator.createIdentity(username);
since the password input/validation is performed at the SSO framework's authentication
server.
Bolek- I hope this is enough narrowed down information to investigate deeper into why the
PL Cache Layer is out of sync.
btw- I did try the SPENGOFilter hack with OpenSSO and CAS, but those two did not work at
all. For some reason the Filter creating a TX context works for SPNEGO, but I seriously
think its not the right solution
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:59 a.m.
New subject: [JBoss JIRA] Assigned: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Boleslaw Dawidowicz reassigned GTNPORTAL-1048:
----------------------------------------------
Assignee: Boleslaw Dawidowicz
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Assignee: Boleslaw Dawidowicz
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:59 a.m.
New subject: [JBoss JIRA] Commented: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Boleslaw Dawidowicz commented on GTNPORTAL-1048:
------------------------------------------------
It is not PL issue as the exception is not related to any PL internal cache or even
identity component cache but gatein filter performing IDM call outside of valid
transaction. And no hibernate object is passed outside picketlink in any situation so
there is nothing to get out of sync really... this is not PL Cache Layer. So if this can
be observed in every type of SSO integration this means that something seriously differs
in the flow there. Anyway I'll followup.
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:27 a.m.
New subject: [JBoss JIRA] Commented: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Marek Posolda commented on GTNPORTAL-1048:
------------------------------------------
Looks like calling of "authenticatior.validateUser(credentials)" forces
hibernate transaction to start. But calling of
"authenticator.createIdentity(username)" does not force it.
So issue is not visible in "normal" flow (without SSO) because both
authenticator.validateUser is called and later during authenticator.createIdentity is User
object founded in cache.
With SSO integration is not called authenticator.validateUser and so User object is not in
cache on PersistenceManagerImpl object.
It's only suggestion, hope this helps a little...
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Assignee: Boleslaw Dawidowicz
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:37 a.m.
New subject: [JBoss JIRA] Commented: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Boleslaw Dawidowicz commented on GTNPORTAL-1048:
------------------------------------------------
Yes, thats the point. As IDM call in authenticator is wrap with the call to begin/end in
proper ComponentRequestLifecycle. Then by establishing identity SSO integration makes
SetCurrentIdentityFilter to create new ConversationState which then make
CacheUserProfileFilter to call IDM to cache user profile. I'll try to come with
workaround that will work in both configurations (with or without SSO).
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Assignee: Boleslaw Dawidowicz
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:46 a.m.
New subject: [JBoss JIRA] Resolved: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Boleslaw Dawidowicz resolved GTNPORTAL-1048.
--------------------------------------------
Resolution: Done
Fix is commited in trunk
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Assignee: Boleslaw Dawidowicz
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:57 a.m.
New subject: [JBoss JIRA] Updated: (GTNPORTAL-1048) GateIn+SSO integration: IdentityException thrown in special case when HTTP session expire
[
https://jira.jboss.org/jira/browse/GTNPORTAL-1048?page=com.atlassian.jira...
]
Thomas Heute updated GTNPORTAL-1048:
------------------------------------
Fix Version/s: 3.1.0-GA
GateIn+SSO integration: IdentityException thrown in special case when
HTTP session expire
-----------------------------------------------------------------------------------------
Key: GTNPORTAL-1048
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1048
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.0.0-GA
Environment: GateIn trunk (revision 2479) with JBoss 5.1.0,
Picketlink IDM version: 1.1.2.CR01,
JOSSO 1.8.1 +Tomcat bundle integrated with GateIn and running on localhost:8888,
Reporter: Marek Posolda
Assignee: Boleslaw Dawidowicz
Fix For: 3.1.0-GA
Attachments: identityException-createCriteria.txt,
identityException-screenshot.png
I have GateIn configured with OpenSSO according to instructions in reference guide. And
going throught this scenario:
1) Go to http://localhist:8080/portal
2) Click to "sign in" and login as root with OpenSSO console. User is
redirected back to GateIn and correctly logged
3) Wait 5 minutes (Assumption is that session expiration is configured to be 1 minute in
gatein.ear/02portal.war/WEB-INF/web.xml)
4) Go to http://localhost:8080/portal/private/classic . Now I should be logged directly
into GateIn because of SSO cookie. And I am really is logged but I am not seeing user full
name (see attached screenshot). And exception is in server log (IdentityObjectType[USER]
not present in the store. Caused by: org.hibernate.HibernateException: createCriteria is
not valid without active transaction) Full exception is in server log.
I tried to debug and I founded that Hibernate transaction is not started when calling
orgService.getUserHandler().findUserByName(state.getIdentity().getUserId() from
CacheUserProfileFilter. It doesn't occur during normal user login because User object
is cached in PersistenceManagerImpl.findUser(). But problem occur when User is not cached
when findUserByName is called from CacheUserProfileFilter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5817
days inactive
5846
days old
9 comments
4 participants
participants (4)
-
Boleslaw Dawidowicz (JIRA) -
Marek Posolda (JIRA)
-
Sohil Shah (JIRA)
-
Thomas Heute (JIRA)