Hi Marcel,

Sorry for the delay, things have been pretty hectic.

I got back to work on this problem and, rather strangely, it's gone. It was there until Friday. When I built the app again on Monday morning, Maven fetched a number of updated libraries and the behaviour was gone. I've seen it on 4 machines with my own eyes so I swear it happened but now I cannot reproduce it anymore.

However, there's still a problem left: when I accees the server by any other hostname than the one configured as a service provider (say, by IP or by a name I made up in hosts), then an infinite loop is triggered.

What's happening is that the injection of @In private ServiceProvider serviceProvider in ExternalAuthenticator fails so a method (which happens to be a setter now) fails as well (BTW, you can annotate the accessors with @BypassInterceptors to avoid injecting those components which are not actually used by the methods, it saves a little time). The loop is caused because the server tries to display the error page which is also protected (this is a financial app so no pages except the login are public) which causes the PicketLink error again and so on. It's a pretty nifty denial of service attack in fact, the server logs fill up quickly because of the stack traces.

Any advice about how to control this behaviour?

Thanks again for the help

org.jboss.seam.RequiredException: @In attribute requires non-null value: org.picketlink.identity.seam.federation.externalAuthenticator.serviceProvider

        at org.jboss.seam.Component.getValueToInject(Component.java:2361)

        at org.jboss.seam.Component.injectAttributes(Component.java:1739)

        at org.jboss.seam.Component.inject(Component.java:1557)

        at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:61)

        at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)

        at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)

        at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)

        at org.jboss.seam.core.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:32)

        at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)

        at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)

        at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)

        at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)

        at org.picketlink.identity.seam.federation.ExternalAuthenticator_$$_javassist_seam_10.setReturnUrl(ExternalAuthenticator_$$_javassist_seam_10.java)

        at org.picketlink.identity.seam.federation.PagesSupportingExternalAuthentication.redirectToLoginView(PagesSupportingExternalAuthentication.java:74)

        at org.jboss.seam.navigation.Pages.postRestore(Pages.java:414)

        at org.jboss.seam.jsf.SeamPhaseListener.postRestorePage(SeamPhaseListener.java:545)

        at org.jboss.seam.jsf.SeamPhaseListener.afterRestoreView(SeamPhaseListener.java:394)

        at org.jboss.seam.jsf.SeamPhaseListener.afterServletPhase(SeamPhaseListener.java:230)

        at org.jboss.seam.jsf.SeamPhaseListener.afterPhase(SeamPhaseListener.java:196)

        at com.sun.faces.lifecycle.Phase.handleAfterPhase(Phase.java:175)

        at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:114)

        at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(RestoreViewPhase.java:103)

        at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)

        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

        at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:530)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)

        at org.picketlink.identity.seam.federation.ExternalAuthenticationFilter.doFilter(ExternalAuthenticationFilter.java:134)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)

        at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)

        at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)

        at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)

        at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

        at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)

        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)

        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)

        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

        at java.lang.Thread.run(Thread.java:619)

Hi Marcel,

Thanks for the follow-up. We do have a generic error page which doesn't display technical details (the requirement for it being secure stems from a compliance policy); the tip with the conditional is useful.