[keycloak-dev] Possible defect when using SAML Client Java Servlet Filter

Akshay Kini kga.official at gmail.com
Wed Jan 13 05:57:04 EST 2016


Hi Folks,

I was using the filter: org.keycloak.adapters.saml.servlet.SamlFilter in
our application.

I got the following exception in the logs:

ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[AppName]] Servlet.service() for servlet NasDefault threw exception: java.lang.RuntimeException: This method is not supported in a restored authenticated request
    at org.keycloak.adapters.servlet.FilterSessionStore$1.getDateHeader(FilterSessionStore.java:178) [:1.7.0.CR1]
    at org.apache.catalina.servlets.DefaultServlet.checkIfModifiedSince(DefaultServlet.java:1731) [:]
    at org.apache.catalina.servlets.DefaultServlet.checkIfHeaders(DefaultServlet.java:608) [:]
    at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:714) [:]
    at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:368) [:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [:1.0.0.Final]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:]
... (trimmed)
...
    at org.keycloak.adapters.saml.servlet.SamlFilter.doFilter(SamlFilter.java:125) [:1.7.0.CR1]
...(trimmed)
...
etc.

After looking into the Keycloak code base, I saw the method (implemented in
an anonymous class):
javax.servlet.http.HttpServletRequestWrapper#getDateHeader
inside the class: org.keycloak.adapters.servlet.FilterSessionStore

The code was:
@Override
public long getDateHeader(String name) {
    if (!needRequestRestore) return super.getDateHeader(name);
    throw new RuntimeException("This method is not supported in a restored authenticated request");
}

Looks like a particular case isn't implemented yet, and an exception is
thrown.

After looking into the JEE API at:
http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getDateHeader-java.lang.String-

It is required that any class implementing the HttpServletRequest
getDateHeader() method return -1 in case it cannot get the required
header.

Hence, I suggest that instead of throwing an exception to handle the error
condition, we should return -1.

*Any help appreciated.*

Thanks,
Regards,
Akshay
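
The getDateHeader() contract referenced in the message above, as an added Java example (not from the original post or the Keycloak code base): an absent header returns -1, a parsable date returns epoch milliseconds, and an unparsable value throws IllegalArgumentException. The class RestoredHeaders and its header map are hypothetical stand-ins for a restored request's saved headers, and only the RFC 1123 date format is handled.

```java
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

// Hypothetical stand-in for the headers saved before the SAML redirect;
// this is not Keycloak's FilterSessionStore.
public class RestoredHeaders {
    // HTTP header names are case-insensitive, so look them up that way.
    private final Map<String, List<String>> saved =
            new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    public RestoredHeaders(Map<String, List<String>> headers) {
        saved.putAll(headers);
    }

    // Follows the HttpServletRequest.getDateHeader contract: -1 if the header
    // is absent, epoch millis if it parses, IllegalArgumentException otherwise.
    public long getDateHeader(String name) {
        List<String> values = saved.get(name);
        if (values == null || values.isEmpty()) {
            return -1L;
        }
        try {
            // Assumption: only the RFC 1123 form of an HTTP date is accepted here.
            return ZonedDateTime
                    .parse(values.get(0), DateTimeFormatter.RFC_1123_DATE_TIME)
                    .toInstant().toEpochMilli();
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("Not an HTTP date in header " + name, e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers, as a browser might send for a static resource.
        RestoredHeaders restored = new RestoredHeaders(Map.of(
                "If-Modified-Since", List.of("Wed, 13 Jan 2016 10:57:04 GMT"),
                "X-Broken-Date", List.of("yesterday")));
        System.out.println(restored.getDateHeader("if-modified-since"));
        System.out.println(restored.getDateHeader("If-Unmodified-Since")); // absent header
        try {
            restored.getDateHeader("X-Broken-Date");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```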