PicketLink: PLINK-552

Post-Binding fails if user enters a wrong username in IDP login page, navigates away from the IDP and comes back to enter correct credentials.


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version: PLINK_2.7.0.Beta1
    • Affects Versions: PLINK_2.5.2.Final, PLINK_2.6.0.Final
    • Component: SAML
    • Labels: None

    Steps to Reproduce

      Use the attached deployments (/idp/, /sp01/, /sp02/, /dummy/).

      Preconditions:

      1. Post binding is used.
      2. User must not be logged in to the IDP.

      Steps:

      1. User tries to access an SP (http://localhost:8080/sp01/); the SP redirects the user to the IDP.
      2. User enters a wrong password (wrong/wrong).
      3. User navigates away from the IDP to a password recovery app (the login error page has a link to the recovery page).
      4. From the recovery app, the user navigates back to the IDP.
      5. In the IDP the user enters correct credentials and hits the login button.

      IDP hangs...


    Description

      Post-Binding fails if user enters a wrong username in IDP login page, navigates away from the IDP and comes back to enter correct credentials.

      The problem is that the IDP believes the request is a Redirect Binding while it is a Post-Binding. The IDP code uses the last HTTP Request to infer the binding type. This affects at least

      1. AbstractIDPValve,
      2. IDPWebRequestUtil, and
      3. SAML2SignatureValidationHandler.

      The IDP hangs and the following (misleading) exception is thrown (plink 2.5.2):

      14:21:01,783 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-1) Exception in processing request:: org.picketlink.common.exceptions.ProcessingException: PL00102: Processing Exception:
              at org.picketlink.common.DefaultPicketLinkLogger.processingError(DefaultPicketLinkLogger.java:176)
              at org.picketlink.common.util.DocumentUtil.getDocument(DocumentUtil.java:203)
              at org.picketlink.identity.federation.api.saml.v2.request.SAML2Request.getSAML2ObjectFromStream(SAML2Request.java:158) [picketlink-federation-2.5.2.Final.jar:]
              at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.getSAMLDocumentHolder(IDPWebRequestUtil.java:124) [picketlink-federation-2.5.2.Final.jar:]
              at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.processSAMLRequestMessage(AbstractIDPValve.java:701) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
              at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java:374) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
              at org.picketlink.identity.federation.bindings.tomcat.idp.AbstractIDPValve.invoke(AbstractIDPValve.java:329) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.CP04.jar:7.2.0.CP04]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
      Caused by: java.util.zip.ZipException: invalid code lengths set
              at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:164) [rt.jar:1.7.0_45]
              at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:122) [rt.jar:1.7.0_45]
              at org.apache.xerces.impl.XMLEntityManager$RewindableInputStream.read(Unknown Source)
              at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
              at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
              at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
              at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
              at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
              at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
              at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
              at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121) [rt.jar:1.7.0_45]
              at org.picketlink.common.util.DocumentUtil.getDocument(DocumentUtil.java:197)
              ... 14 more
      

      With plink 2.6.0 the /index.html page is shown instead of the hosted page. The error in the log file is the following line:

      16:24:56,073 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-1) Error in base64 decoding saml message: org.picketlink.common.exceptions.ProcessingException: PL00102: Processing Exception:
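As an added illustration (not code from this report or from PicketLink), the following Python models the failure described above: the IDP stores a SAMLRequest that arrived by POST binding, then, after the detour, decides the binding from the user's current request and tries to inflate a message that was never deflated; the fixed path records the binding together with the saved request. The sample AuthnRequest, the saved-request dict and the "POST method means POST binding" rule are constructed assumptions; PicketLink's real inference lives in the classes listed in the description.

```python
import base64
import zlib

# Constructed sample AuthnRequest; not taken from the report or the attached deployments.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://localhost:8080/sp01/</saml:Issuer></samlp:AuthnRequest>'
)

def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (URL escaping omitted)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: base64 only, the XML is not compressed."""
    return base64.b64encode(xml.encode()).decode()

def decode_saml_request(encoded: str, post_binding: bool) -> str:
    """Decode per binding; inflating an uncompressed message raises zlib.error."""
    raw = base64.b64decode(encoded)
    return raw.decode() if post_binding else zlib.decompress(raw, -15).decode()

def buggy_decode(saved_request: str, current_http_method: str) -> str:
    """Models the PLINK-552 defect: the binding is inferred from the request the
    user is making now, not from the request that carried the SAMLRequest
    (assumed rule: POST => POST binding, anything else => Redirect binding)."""
    return decode_saml_request(saved_request, post_binding=(current_http_method == "POST"))

def fixed_decode(saved: dict) -> str:
    """Mitigation: the binding was recorded alongside the SAMLRequest when it arrived."""
    return decode_saml_request(saved["SAMLRequest"], post_binding=(saved["binding"] == "POST"))

def reproduce() -> dict:
    # The SP delivered the AuthnRequest by POST binding; the IDP saved it for after login.
    saved = {"SAMLRequest": encode_post_binding(SAMPLE_AUTHN_REQUEST), "binding": "POST"}
    # Failed login, detour to the recovery app, return to the IDP with a plain GET.
    try:
        buggy_decode(saved["SAMLRequest"], "GET")
        buggy_failed = False
    except zlib.error:  # Java side: ZipException "invalid code lengths set"
        buggy_failed = True
    return {"buggy_failed": buggy_failed,
            "fixed_ok": fixed_decode(saved) == SAMPLE_AUTHN_REQUEST}
```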

      People

        Assignee: Pedro Igor Craveiro (psilva@redhat.com)
        Reporter: Alexander Papadakis (alpapad_jira, inactive)