On 05/20/2014 10:28 AM, Eric Wittmann wrote:
Hey everyone. Recently we've switched Overlord over to using primarily
the IDPFilter and SPFilter implementations for our picketlink based SAML
SSO solution. Previously we were using the app-server specific approach
(e.g. valves). We're doing this because we need to support both JBoss
and Fuse. The latter is an OSGi environment and uses Jetty as its web
app container. We also support standalone jetty (why not?) and Tomcat.
My hope was that I could have as few differences as possible with
respect to security across all these platforms. Hence the attempt to
use the filter implementations where possible.
Overall this effort resulted in some success and some failure.
Primarily, we have been successful in using the filter approach to get
everything working in Fuse! This was the primary goal, so that's great.
However, here are some issues we ran into (and are still problems):
1) I couldn't get our IDP working in JBoss EAP 6.x when using the
IDPFilter approach. The problem is that the IDP doesn't seem to do the
redirect back to the SP. I poked at this a *very* little bit but didn't
find the problem. Workaround: continue to use the more native approach
when deploying to EAP.
It may be related to a bug in JBossWeb packaged as of EAP 6.2
wherein the FORM Authenticator does not restore the post data
after authentication.
If you use a community module of JBossWeb that is more recent, you
will see that it works.
I have tried with jbossweb-7.4.0.Beta3.jar
http://repository.jboss.org/nexus/content/groups/public/org/jboss/web/jbo...
I would think 7.4.2.Final would have it too. :)
2) Ran into a pax-web bug that caused an infinite redirect loop when
using welcome-files in the SP web.xml. Workaround: implement a custom
filter to mimic welcome-file behavior. (this is not a problem with
picketlink, just informational)
The SPFilter definitely needs additional testing and updates. If you want
to add in the welcome file behavior to SPFilter, please feel free to
send a PR.
3) When running in jetty (or in fuse) we see a number of picketlink
stack traces:
https://gist.github.com/EricWittmann/aafd2c05954cbfea8a87
Workaround: none - we're ignoring them. :(
One end is complaining when the other end has closed. Hmmm... Wonder
why this is happening.
So finally, if you want to reproduce any of these or just have a look at
some code, go here:
https://github.com/EricWittmann/karaf-picketlink-test
See the README.md for a description of how to run it either in Fuse or
Jetty. To run it in EAP just copy the relevant WARs into
standalone/deployments (make sure to name them properly as I have not
included jboss-web.xml files: idp.war, sp1.war, sp2.war).
-Eric
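The workaround mentioned under item 2 (a custom filter that mimics welcome-file behavior so the container never issues the redirect that pax-web turns into a loop) can be sketched as a plain servlet filter. The code below is an added illustration written for this thread; it is not code from the karaf-picketlink-test repository or from PicketLink. The class name `WelcomeFileFilter` and the `welcome-file` init parameter are hypothetical choices, and it assumes the Servlet 3.x `javax.servlet` API that Jetty, Tomcat, JBossWeb and pax-web all provide.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical WelcomeFileFilter (added example, not from the thread's repo).
 *
 * Emulates the container's welcome-file handling without an HTTP redirect:
 * a request whose path is empty or ends in "/" is forwarded server-side to
 * the configured welcome file (default "index.html"). Because the forward
 * happens inside the same request, the browser never sees a 302, so there is
 * no second round trip for the SAML SP filter to intercept and no loop.
 */
public class WelcomeFileFilter implements Filter {

    private String welcomeFile = "index.html";

    @Override
    public void init(FilterConfig cfg) {
        // Optional override via <init-param> named "welcome-file" (hypothetical name)
        String configured = cfg.getInitParameter("welcome-file");
        if (configured != null && !configured.trim().isEmpty()) {
            welcomeFile = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;

        // servletPath + pathInfo is the request path relative to the context root;
        // the container has already normalised it (no "..", no double slashes)
        String path = httpReq.getServletPath();
        if (httpReq.getPathInfo() != null) {
            path += httpReq.getPathInfo();
        }

        if (path.isEmpty() || path.endsWith("/")) {
            // Directory-style request: forward to the welcome file in that directory.
            // A forward keeps the authenticated request as-is; sendRedirect() would
            // start a brand-new request and re-enter the SSO redirect dance.
            String target = (path.isEmpty() ? "/" : path) + welcomeFile;
            req.getRequestDispatcher(target).forward(req, resp);
            return;
        }

        // Any other path: not our concern, let the rest of the chain handle it
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two points worth checking when wiring this into an SP web.xml: declare the `<filter-mapping>` for this filter *after* the PicketLink SP filter mapping, because filters run in mapping order and a forward performed before the SP filter has run would serve the welcome file to an unauthenticated request (by default filters are applied only to the REQUEST dispatcher, not to FORWARD, so the SP filter does not get a second chance on the forwarded path); and drop the `<welcome-file-list>` from that web.xml entirely, since leaving it in is what triggers the container-side redirect in the first place.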