PicketLink Federated Identity - PLFED-255

Global logout: SPRedirectFormAuthenticator.authenticate should return false after redirecting to IP.


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Done
    • PLFED_2.0.1.final
    • PLFED_2.0.2.final
    • SAML
    • None

    Description

      This error is related to global logout and it can be reproduced this way:
      1) Go to http://localhost:8080/employee and click "login".
      2) Log in to the "idp" application as tomcat/tomcat.
      3) You are redirected back to employee as a logged-in user.
      4) Go to http://localhost:8080/sales and log in. I have automatic login thanks to SSO.
      5) Now click "logout" in the sales application, which performs global logout. I am seeing this in the server log:

      17:21:10,688 FATAL [JspFactoryImpl] Exception initializing page context
      java.lang.IllegalStateException: Cannot create a session after the response has been committed
      	at org.apache.catalina.connector.Request.doGetSession(Request.java:2338)
      	at org.apache.catalina.connector.Request.getSession(Request.java:2094)
      	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
      	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:844)
      	at org.apache.jasper.runtime.PageContextImpl._initialize(PageContextImpl.java:146)
      	at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:124)
      	at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:107)
      	at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:63)
      	at org.apache.jsp.index_jsp._jspService(index_jsp.java:44)
      	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369)
      	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:322)
      	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:249)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
      	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
      	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
      	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
      	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
      	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      	at java.lang.Thread.run(Thread.java:662)
      

      This exception is actually thrown at the second ServiceProvider (in our case the "employee" application). What actually happens behind the scenes after clicking logout is this:

      • The sales application sends a SAML LogoutRequest to the IP.
      • The IP processes the SAML LogoutRequest and finds that there is one more application (employee) authenticated in this session. So it sends a SAML LogoutRequest to the employee application.
      • The employee application processes the LogoutRequest, invalidates its HTTP session and creates a LogoutResponse for the IDP. The method ServiceProviderSAMLRequestProcessor.process calls a redirect to the IP with the SAML LogoutResponse. But the overall result of SPRedirectFormAuthenticator.authenticate is true, which means that processing of the HTTP request continues through the other Tomcat valves. And this seems to be the root cause of the bug! At this point the method "authenticate" should return false, which will stop the processing of the HTTP request and cleanly perform the redirect to the IP.
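The following is an added example, not PicketLink or Tomcat code: a minimal model of the authenticator valve and the JSP that follows it, showing why returning true after the redirect to the IdP leads to the "Cannot create a session after the response has been committed" failure above, and why returning false stops the chain cleanly. The IdP URL is a constructed placeholder.

```python
# Added example (not PicketLink/Tomcat code): models the valve chain around
# SPRedirectFormAuthenticator.authenticate during global logout.

IDP_LOGOUT_URL = "http://localhost:8080/idp/?SAMLResponse=CONSTRUCTED"  # placeholder


class ResponseCommitted(Exception):
    """Stand-in for the IllegalStateException Tomcat throws in doGetSession."""


class Response:
    def __init__(self):
        self.committed = False
        self.headers = {}

    def send_redirect(self, location):
        self.headers["Location"] = location
        self.committed = True  # the 302 is flushed; nothing more can be written


class Request:
    def __init__(self):
        self.session = None

    def get_session(self, response):
        # Tomcat refuses to create a new session once the response is committed
        if self.session is None:
            if response.committed:
                raise ResponseCommitted(
                    "Cannot create a session after the response has been committed")
            self.session = {}
        return self.session


def sp_authenticate(request, response, continue_chain):
    """Model of authenticate(): the SP has processed the IdP's LogoutRequest,
    invalidated its session and now redirects the LogoutResponse to the IdP.
    continue_chain=True reproduces the bug; False is the fix the issue proposes."""
    request.session = None  # HTTP session invalidated by the logout
    response.send_redirect(IDP_LOGOUT_URL)
    return continue_chain


def reproduce(continue_chain):
    """AuthenticatorBase.invoke(): the next valve (index.jsp) runs only when
    authenticate() returned true. Returns what the server side observes."""
    request, response = Request(), Response()
    try:
        if sp_authenticate(request, response, continue_chain):
            request.get_session(response)  # PageContextImpl._initialize -> getSession()
    except ResponseCommitted as exc:
        return f"FATAL: {exc}"
    return f"302 to {response.headers['Location']}, request processing stopped"
```
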

          People

            anil.saldhana Anil Saldanha (Inactive)
            mposolda@redhat.com Marek Posolda
            Archiver:
            samahaja@redhat.com Sagar Mahajan