|
|
|
|
|
Change By:
|
Tom Fonteyne
|
|
Help Desk Ticket Reference:
|
https://c.na7.visual.force.com/apex/Case_View?id=500A000000Q0JwMIAV&sfdc.override=1
|
|
Steps to Reproduce:
|
Tested using:
- EAP 6.3 CP3 with the onboard PicketLink version
- EAP 6.3 CP3 with the 'master' build of picketlink and picketlink-bindings as of 2015-02-26
Deployed a minimal IDP which works fine
Deployed a minimal SP with this structure:
"/plhello" == context
http://myhost:8080/plhello/index.jsp
=> free access, page has links to:
/plhello/p/index2.jsp
/plhello/test/test.jsp
both of those are protected:
<security-constraint>
<display-name>protected</display-name>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<description/>
<url-pattern>/test/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/p/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>JBossAdmin</role-name>
</security-role>
BindingType: REDIRECT
Test 1:
<ServiceURL>http://myhost:8080/plhello/</ServiceURL>
click on "/plhello/p/index2.jsp"
redirect to IDP, successful login
end up on http://myhost:8080/plhello/
instead of "/plhello/p/index2.jsp"
click on either "/plhello/p/index2.jsp" or "/plhello/test/test.jsp"
end up on http://myhost:8080/plhello/
instead of on the desired link
Test 2
<ServiceURL>http://myhost:8080/plhello/p/</ServiceURL>
click on "/plhello/p/index2.jsp"
redirect to IDP, successful login
end up with:
JBWEB000065: HTTP Status 500
logfile:
15:26:47,878 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/plhello].[default]] (http-orac.usersys.redhat.com/10.33.1.182:8080-1) JBWEB000236: Servlet.service() for servlet default threw exception: java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:392) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:730) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:363) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.doPost(DefaultServlet.java:399) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_76]
Manually go back to http://orac.usersys.redhat.com:8080/plhello/
and click on /plhello/p/index2.jsp or /plhello/test/test.jsp
=> correct page is show now.
|
|
Workaround Description:
|
Tested using:
- EAP 6.3 CP3 with the onboard PicketLink version
- EAP 6.3 CP3 with the 'master' build of picketlink and picketlink-bindings as of 2015-02-26
Deployed a minimal IDP which works fine
Deployed a minimal SP with this structure:
"/plhello" == context
http://myhost:8080/plhello/index.jsp
=> free access, page has links to:
/plhello/p/index2.jsp
/plhello/test/test.jsp
both of those are protected:
<security-constraint>
<display-name>protected</display-name>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<description/>
<url-pattern>/test/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/p/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>JBossAdmin</role-name>
</security-role>
BindingType: REDIRECT
Test 1:
<ServiceURL>http://myhost:8080/plhello/</ServiceURL>
click on "/plhello/p/index2.jsp"
redirect to IDP, successful login
end up on http://myhost:8080/plhello/
instead of "/plhello/p/index2.jsp"
click on either "/plhello/p/index2.jsp" or "/plhello/test/test.jsp"
end up on http://myhost:8080/plhello/
instead of on the desired link
Test 2
<ServiceURL>http://myhost:8080/plhello/p/</ServiceURL>
click on "/plhello/p/index2.jsp"
redirect to IDP, successful login
end up with:
JBWEB000065: HTTP Status 500
logfile:
15:26:47,878 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/plhello].[default]] (http-orac.usersys.redhat.com/10.33.1.182:8080-1) JBWEB000236: Servlet.service() for servlet default threw exception: java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:392) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:730) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:363) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.servlets.DefaultServlet.doPost(DefaultServlet.java:399) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_76]
Manually go back to http://orac.usersys.redhat.com:8080/plhello/
and click on /plhello/p/index2.jsp or /plhello/test/test.jsp
=> correct page is show now.
|
|
|
|
|
|
