Hi Pedro,
I think this is a vicious circle.
If the valves do not get called, then you have problems with the form authenticators (change session id after authentication), clustered SSO valves and who knows what else. If the valves are called, then eventually the "real" content which would be served if PicketLink was not there gets pushed into the Response and OutputBuffer, forcing in some cases the response to be committed, and because of that SAML processing fails.
This index.html is specially constructed to be more than 8k (or whatever the buffer size is) so the buffers are force-flushed and the response is committed. So the forward to hosted page code cannot reset the response (set a new content length and the like) and the SAML responses fail to be generated...
Also the way the hosted page is served is wrong. There should be a RequestDispatcher.forward and not a RequestDispatcher.include.
From the javadocs:
void include(ServletRequest request, ServletResponse response) throws ServletException, IOException
Includes the content of a resource (servlet, JSP page, HTML file) in the response. In essence, this method enables programmatic server-side includes.
The ServletResponse object has its path elements and parameters remain unchanged from the caller's. The included servlet cannot change the response status code or set headers; any attempt to make a change is ignored.
The request and response parameters must be either the same objects as were passed to the calling servlet's service method or be subclasses of the ServletRequestWrapper or ServletResponseWrapper classes that wrap them.
This method sets the dispatcher type of the given request to DispatcherType.INCLUDE.
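The following servlet is an added illustration of the forward-versus-include point in the message above; it is not PicketLink code and not from the original post. The class name, the hosted page path and the use of the `javax.servlet` API are assumptions.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not PicketLink code) that dispatches to a hosted page.
public class HostedPageDispatchServlet extends HttpServlet {

    // Assumed path of the hosted page; a placeholder, not taken from the thread.
    private static final String HOSTED_PAGE = "/hosted/index.jsp";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Once the buffer has been flushed, the status line and headers are
        // already on the wire: forward() throws IllegalStateException and
        // include() ignores any header or status change made by the target.
        if (response.isCommitted()) {
            log("Response already committed (buffer size "
                    + response.getBufferSize()
                    + " bytes); cannot dispatch to " + HOSTED_PAGE);
            return;
        }

        RequestDispatcher dispatcher = request.getRequestDispatcher(HOSTED_PAGE);
        if (dispatcher == null) {
            // No resource is mapped to the assumed path.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // forward() clears any uncommitted buffer content and hands the
        // response to the target, which may then set the status code,
        // content length and headers. include() would silently drop them.
        dispatcher.forward(request, response);
    }
}
```

The `isCommitted()` check only detects the condition described in the message; it does not undo a flush that an earlier component in the chain already triggered.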