7 Replies Latest reply: Jun 12, 2012 1:40 PM by Pedro Igor RSS

    Need help with Picketlink on Jboss7 + Apache HTTP Server

    Karl Gross Newbie

      Dear all,

       

      has anyone experience with Picketlink provided in Jboss7.1.1 together with Apache HTTP Server? I can run the Picketlink example without any problem on Jboss7 Server standalone. As far as I also want to use Apache HTTP Server together with JBoss7 through AJP, the IDP could not redirect the user to the SP after I submited the login form. But if I click the submit button twice, the user can also be redirected to the SP. Has anyone also met this problem?

        • 1. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
          Pedro Igor Master

          Hi Karl,

           

              Which binding are you using in the SP: POST or REDIRECT ? Are you using Strict Post Binding on the IDP ?

           

              I'll try to simulate this problem.

           

          Regards.

          Pedro Igor

          • 2. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
            Karl Gross Newbie

            Hi Pedro,

            I appreciate your help. I am using POST bindings. After setting IDPWebBrowserSSOValve with Strict Post Binding according to the the post https://issues.jboss.org/browse/PLFED-271, I have still the same problem.

             

            For you to simulate the problem, let me explain the setup of my projects in more detail:

             

            I have one IDP and two SPs. The IDP and SP1 are running on one server, but with different domain names, SP2 is running on a different server. The Problem should be reproducable only with IDP and SP1.

             

            Jboss Setup

            IDP:

            jboss-web.xml

            <jboss-web>

              <security-domain>idp</security-domain>

              <valve>

                 <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>

                 <param>

                    <param-name>signOutgoingMessages</param-name>

                    <param-value>false</param-value>

                 </param>

                 <param>

                    <param-name>ignoreIncomingSignatures</param-name>

                    <param-value>true</param-value>

                 </param>

                 <param>

                <param-name>characterEncoding</param-name>

                <param-value>UTF-8</param-value>

                 </param>

                 <param>

                    <param-name>strictPostBinding</param-name>

                <param-value>true</param-value>

                 </param>

               </valve>

            </jboss-web>

             

            picketlink-handlers.xml

            <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">

              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>

              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>

              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>    

               <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>

            </Handlers>

             

            picketlink-idfed.xml

            <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0" >

            <IdentityURL>${idp.url}</IdentityURL>

            <Trust>

               <Domains>sso-idp.server.internal,sso-sp1.server.internal,sso-sp2.server.internal</Domains>

            </Trust>

            </PicketLinkIDP>

             

            standalone.xml

            <system-properties>

                <property name="idp.url" value="https://sso-idp.server.internal/idp/"/>

            </system-properties>

             

            SP1:

            picketlink-handlers.xml

            <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">

              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>

              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>  

            </Handlers>

             

            picketlink-idfed.xml

            <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">

            <IdentityURL>${idp.url}</IdentityURL>

            <ServiceURL>${sp1.url}</ServiceURL>

            </PicketLinkSP>

             

            jboss-web.xml

            <?xml version="1.0" encoding="UTF-8"?>

            <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">

            <jboss-web>

                <security-domain flushOnSessionInvalidation="true">sp1</security-domain>

                <valve>

                         <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator</class-name>

                    <param>

                        <param-name>characterEncoding</param-name>

                        <param-value>UTF-8</param-value>

                    </param>

                   </valve>

            </jboss-web>

             

            standalone.xml

            <system-properties>

                  <property name="idp.url" value="https://sso-idp.server.internal/idp/"/>

                  <property name="sp1.url" value="https://sso-sp1.server.internal/sp1/"/>

            </system-properties>

             

            Apache config

            IDP:

            <VirtualHost *:80>

                    ServerName sso-idp.server.internal

                    DocumentRoot /var/www

             

                    RedirectMatch temp ^.*$ https://sso-idp.server.internal

            </VirtualHost>

             

            <IfModule mod_ssl.c>

            <VirtualHost *:443>

                    SSLEngine on

                    ServerName sso-idp.server.internal

                    DocumentRoot /var/www

             

                    #SetEnvIf User-Agent ".*MSIE.*" \

                    #       nokeepalive ssl-unclean-shutdown \

                    #       downgrade-1.0 force-response-1.0

             

                    BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

                    BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

             

                    ProxyRequests off

                    ProxyTimeout 900

             

                    <Location /idp>

                            Allow from all

                            ProxyPass        ajp://localhost:20917/idp

                            ProxyPassReverse ajp://localhost:20917/idp

                    </Location>

             

                    RedirectMatch temp ^/$ /idp

            </VirtualHost>

            </IfModule>

             

            SP1:

            <VirtualHost *:80>

                    ServerName sso-sp1.server.internal

                    DocumentRoot /var/www

             

                    RedirectMatch temp ^.*$ https://sso-sp1.server.internal

            </VirtualHost>

             

            <IfModule mod_ssl.c>

            <VirtualHost *:443>

                    SSLEngine on

                    ServerName sso-sp1.server.internal

                    DocumentRoot /var/www

             

                    #SetEnvIf User-Agent ".*MSIE.*" \

                    #       nokeepalive ssl-unclean-shutdown \

                    #       downgrade-1.0 force-response-1.0

             

                    BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

                    BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

             

                    ProxyRequests off

                    ProxyTimeout 900

             

                    <Location /sp1>

                            Allow from all

                            ProxyPass        ajp://localhost:20857/sp1

                            ProxyPassReverse ajp://localhost:20857/sp1

                    </Location>

             

                    RedirectMatch temp ^/$ /sp1

             

            </VirtualHost>

            </IfModule>

            • 3. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
              Karl Gross Newbie

              Hi Pedro,

               

              did you have chance to reproduce the problem?

               

              I have also packed a minimal testcase in JBoss Community https://community.jboss.org/message/739961#739961

               

              Best Regards,

              Karl

              • 4. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
                Pedro Igor Master

                Hi Karl,

                 

                    I did some tests considering the following scenario:

                 

                  • One Apache installation with two VirtualHosts (sso-idp.server.internal,sso-sp.server.internal). SSL enabled. Basically, the same config as you described.

                 

                    I did a test using the HTTP Redirect Binding and worked fine. However, when using the POST binding i run into the same problem. Just after a second click on the login button i'm redirect to the SP.

                 

                    Can you try to use the REDIRECT binding to see if it works for you too ? Meantime I`ll investigate why is not working with the POST binding.

                 

                Regards.

                Pedro Igor

                • 5. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
                  Pedro Igor Master

                  Karl,

                   

                      Can you execute a test using the POST binding without the SSL configuration ?

                   

                  Regards.

                  Pedro Igor

                  • 6. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
                    Karl Gross Newbie

                    Hi Pedro,

                     

                    thank you for investigating this problem. I have actually already tried POST binding without SSL like the testcase posted in JBoss Community. The Problem happens only with the combination of Apache AJP proxy and Pickeltink Post bindings. In debug mode I found that JBoss was trapped in the method socketReader0 without backing to the restoreRequest method of FormAutheticator. Using HTTP proxy instead of AJP proxy can also avoid the problem.

                     

                    Stack trace of JBoss 7.1.1 and Java6 with Apache AJP proxy:

                    java.net.SocketInputStream.socketRead0(Native Method)

                    java.net.SocketInputStream.read(SocketInputStream.java:129)

                    org.apache.coyote.ajp.AjpProcessor.read(AjpProcessor.java:1131)

                    org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:1213)

                    org.apache.coyote.ajp.AjpProcessor.receive(AjpProcessor.java:1152)

                    org.apache.coyote.ajp.AjpProcessor$SocketInputBuffer.doRead(AjpProcessor.java:1278)

                    org.apache.coyote.Request.doRead(Request.java:438)

                    org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:347)

                    org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:420)

                    org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:379)

                    org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:162)

                    org.apache.catalina.authenticator.FormAuthenticator.restoreRequest(FormAuthenticator.java:491)

                    org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:228)

                    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)

                    org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:332)

                    org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)

                    org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)

                    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                    org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)

                    org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)

                    org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)

                    org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)

                    java.lang.Thread.run(Thread.java:662)

                     

                    Best Regards,

                     

                    Karl

                    • 7. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
                      Pedro Igor Master

                      Hi Karl,

                       

                          I also realized that during my debugging session. I`m not understanding why this is happening. The problem is that jbossweb is hanging when reading the inpustream from the request when trying to restore the saved request (stored during the j_security_check processing).

                       

                          I`m not sure if this is a PL issue. But i`ll create a JIRA for investigation.

                       

                          https://issues.jboss.org/browse/PLFED-339

                       

                      Thanks.

                      Pedro Igor