[security-dev] Feedback: IDPFilter/SPFilter
Eric Wittmann
eric.wittmann at redhat.com
Tue May 20 11:28:28 EDT 2014
Hey everyone. Recently we've switched Overlord over to using primarily
the IDPFilter and SPFilter implementations for our picketlink-based SAML
SSO solution. Previously we were using the app-server-specific approach
(e.g. valves). We're doing this because we need to support both JBoss
and Fuse. The latter is an OSGi environment and uses Jetty as its web
app container. We also support standalone Jetty (why not?) and Tomcat.
My hope was that I could have as few differences as possible with
respect to security across all these platforms. Hence the attempt to
use the filter implementations where possible.

Overall this effort resulted in some success and some failure.
Primarily, we have been successful in using the filter approach to get
everything working in Fuse! This was the primary goal, so that's great.
However, here are some issues we ran into (and are still problems):

1) I couldn't get our IDP working in JBoss EAP 6.x when using the
IDPFilter approach. The problem is that the IDP doesn't seem to do the
redirect back to the SP. I poked at this a *very* little bit but didn't
find the problem. Workaround: continue to use the more native approach
when deploying to EAP.

2) Ran into a pax-web bug that caused an infinite redirect loop when
using welcome-files in the SP web.xml. Workaround: implement a custom
filter to mimic welcome-file behavior. (This is not a problem with
picketlink, just informational.)

3) When running in Jetty (or in Fuse) we see a number of picketlink
stack traces: https://gist.github.com/EricWittmann/aafd2c05954cbfea8a87
Workaround: none - we're ignoring them. :(

So finally, if you want to reproduce any of these or just have a look at
some code, go here:
https://github.com/EricWittmann/karaf-picketlink-test
See the README.md for a description of how to run it either in Fuse or
Jetty. To run it in EAP just copy the relevant WARs into
standalone/deployments (make sure to name them properly as I have not
included jboss-web.xml files: idp.war, sp1.war, sp2.war).
-Eric
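An added illustration of the workaround mentioned in item 2 (a filter that mimics welcome-file behavior); this is not Eric's code from the linked repository. It assumes the Servlet 3.x `javax.servlet` API, an init parameter named `welcomeFile`, and that the filter is mapped to `/*` behind the SPFilter so only already-authenticated requests reach it; it forwards server-side rather than issuing an HTTP redirect, so the browser never re-enters the container's welcome-file handling.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical welcome-file filter. When the request path names a
 * "directory" (empty or ending in '/'), forward to the configured welcome
 * file instead of letting the container's welcome-file logic run.
 */
public class WelcomeFileFilter implements Filter {
    private String welcomeFile = "index.html";   // default; overridable via web.xml

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("welcomeFile"); // assumed param name
        if (configured != null && !configured.isEmpty()) {
            welcomeFile = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Rebuild the path relative to the context root; pathInfo is null for
        // many default-servlet mappings, so handle both layouts.
        String path = request.getServletPath();
        if (path == null) path = "";
        String pathInfo = request.getPathInfo();
        if (pathInfo != null) path = path + pathInfo;

        if (path.isEmpty() || path.endsWith("/")) {
            // Server-side forward: one browser request, no 302, so there is
            // nothing for the container to redirect back into.
            String target = (path.isEmpty() ? "/" : path) + welcomeFile;
            request.getRequestDispatcher(target).forward(req, resp);
            return;
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
```

Because the forward happens inside the same request, the SPFilter has already run, so the welcome page is still served only to a session it has authenticated.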