7 Replies Latest reply on Jun 12, 2012 1:40 PM by pcraveiro

    Need help with Picketlink on Jboss7 + Apache HTTP Server

    karl_zhang

      Dear all,

      has anyone experience with Picketlink provided in Jboss7.1.1 together with Apache HTTP Server? I can run the Picketlink example without any problem on the JBoss7 server standalone. But as soon as I also use Apache HTTP Server together with JBoss7 through AJP, the IDP does not redirect the user to the SP after I submit the login form. If I click the submit button twice, however, the user is redirected to the SP. Has anyone else met this problem?

        • 1. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
          pcraveiro

          Hi Karl,

              Which binding are you using in the SP: POST or REDIRECT? Are you using Strict Post Binding on the IDP?

              I'll try to simulate this problem.

          Regards.

          Pedro Igor

          • 2. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
            karl_zhang

            Hi Pedro,

            I appreciate your help. I am using POST bindings. After setting IDPWebBrowserSSOValve with Strict Post Binding according to the post https://issues.jboss.org/browse/PLFED-271, I still have the same problem.

            For you to simulate the problem, let me explain the setup of my projects in more detail:

            I have one IDP and two SPs. The IDP and SP1 are running on one server, but with different domain names; SP2 is running on a different server. The problem should be reproducible with only the IDP and SP1.

            Jboss Setup

            IDP:

            jboss-web.xml
            <jboss-web>
              <security-domain>idp</security-domain>
              <valve>
                <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
                <param>
                  <param-name>signOutgoingMessages</param-name>
                  <param-value>false</param-value>
                </param>
                <param>
                  <param-name>ignoreIncomingSignatures</param-name>
                  <param-value>true</param-value>
                </param>
                <param>
                  <param-name>characterEncoding</param-name>
                  <param-value>UTF-8</param-value>
                </param>
                <param>
                  <param-name>strictPostBinding</param-name>
                  <param-value>true</param-value>
                </param>
              </valve>
            </jboss-web>

            picketlink-handlers.xml
            <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
            </Handlers>

            picketlink-idfed.xml
            <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0">
              <IdentityURL>${idp.url}</IdentityURL>
              <Trust>
                <Domains>sso-idp.server.internal,sso-sp1.server.internal,sso-sp2.server.internal</Domains>
              </Trust>
            </PicketLinkIDP>

            standalone.xml
            <system-properties>
              <property name="idp.url" value="https://sso-idp.server.internal/idp/"/>
            </system-properties>

            SP1:

            picketlink-handlers.xml
            <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
            </Handlers>

            picketlink-idfed.xml
            <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
              <IdentityURL>${idp.url}</IdentityURL>
              <ServiceURL>${sp1.url}</ServiceURL>
            </PicketLinkSP>

            jboss-web.xml
            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
            <jboss-web>
              <security-domain flushOnSessionInvalidation="true">sp1</security-domain>
              <valve>
                <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator</class-name>
                <param>
                  <param-name>characterEncoding</param-name>
                  <param-value>UTF-8</param-value>
                </param>
              </valve>
            </jboss-web>

            standalone.xml
            <system-properties>
              <property name="idp.url" value="https://sso-idp.server.internal/idp/"/>
              <property name="sp1.url" value="https://sso-sp1.server.internal/sp1/"/>
            </system-properties>

            Apache config

            IDP:
            <VirtualHost *:80>
                ServerName sso-idp.server.internal
                DocumentRoot /var/www

                RedirectMatch temp ^.*$ https://sso-idp.server.internal
            </VirtualHost>

            <IfModule mod_ssl.c>
            <VirtualHost *:443>
                SSLEngine on
                ServerName sso-idp.server.internal
                DocumentRoot /var/www

                #SetEnvIf User-Agent ".*MSIE.*" \
                #       nokeepalive ssl-unclean-shutdown \
                #       downgrade-1.0 force-response-1.0

                BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
                BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

                ProxyRequests off
                ProxyTimeout 900

                <Location /idp>
                    Allow from all
                    ProxyPass        ajp://localhost:20917/idp
                    ProxyPassReverse ajp://localhost:20917/idp
                </Location>

                RedirectMatch temp ^/$ /idp
            </VirtualHost>
            </IfModule>

            SP1:
            <VirtualHost *:80>
                ServerName sso-sp1.server.internal
                DocumentRoot /var/www

                RedirectMatch temp ^.*$ https://sso-sp1.server.internal
            </VirtualHost>

            <IfModule mod_ssl.c>
            <VirtualHost *:443>
                SSLEngine on
                ServerName sso-sp1.server.internal
                DocumentRoot /var/www

                #SetEnvIf User-Agent ".*MSIE.*" \
                #       nokeepalive ssl-unclean-shutdown \
                #       downgrade-1.0 force-response-1.0

                BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
                BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

                ProxyRequests off
                ProxyTimeout 900

                <Location /sp1>
                    Allow from all
                    ProxyPass        ajp://localhost:20857/sp1
                    ProxyPassReverse ajp://localhost:20857/sp1
                </Location>

                RedirectMatch temp ^/$ /sp1
            </VirtualHost>
            </IfModule>
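Added example (not code from the thread or from PicketLink): the two SAML 2.0 front-channel bindings the posts above compare, encoded and decoded the way the standard defines them (HTTP-POST: base64 in a form field; HTTP-Redirect: raw DEFLATE, then base64, then URL-encoded query), plus a receive-side check that behaves like an IDP configured with strictPostBinding=true and an issuer-domain allow-list modelled on the `<Trust><Domains>` list from the posted picketlink-idfed.xml. The AuthnRequest builder, the function names and the exact allow-list semantics are this example's own assumptions; the request carries no signature, which matches the posted IDP valve's ignoreIncomingSignatures=true.

```python
"""SAML 2.0 POST vs. REDIRECT binding, with a strict-POST receive check.

Added example; the builder, helper names and allow-list semantics are
assumptions made here, not PicketLink's implementation.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed from the Trust/Domains list in the thread's picketlink-idfed.xml.
TRUSTED_DOMAINS = {
    "sso-idp.server.internal",
    "sso-sp1.server.internal",
    "sso-sp2.server.internal",
}


def build_authn_request(sp_url: str, request_id: str) -> bytes:
    """Minimal unsigned AuthnRequest whose Issuer is the SP's own URL."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2012-06-12T00:00:00Z",   # constructed timestamp
        "AssertionConsumerServiceURL": sp_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_url
    return ET.tostring(req, encoding="utf-8")


def encode_post_binding(xml_bytes: bytes) -> str:
    """HTTP-POST binding: plain base64, carried in the SAMLRequest form field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post_binding(field: str) -> bytes:
    return base64.b64decode(field)


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 -> raw deflate
    deflated = comp.compress(xml_bytes) + comp.flush()
    token = base64.b64encode(deflated).decode("ascii")
    return urllib.parse.urlencode({"SAMLRequest": token})


def decode_redirect_binding(query: str) -> bytes:
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15)


def issuer_domain(xml_bytes: bytes) -> str:
    """Host part of the saml:Issuer element, used for the trust check."""
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not issuer.text:
        return ""
    return urllib.parse.urlparse(issuer.text.strip()).hostname or ""


def idp_receive(method: str, query: str, form: dict,
                strict_post_binding: bool = True) -> dict:
    """Receive-side decision: which binding arrived, is it allowed, is the
    issuer trusted. Returns a dict so callers can log the reason."""
    if method == "GET" and "SAMLRequest" in urllib.parse.parse_qs(query):
        if strict_post_binding:
            # A strict-POST IDP refuses the redirect binding outright.
            return {"accepted": False,
                    "reason": "redirect binding refused (strictPostBinding)"}
        xml_bytes = decode_redirect_binding(query)
    elif method == "POST" and "SAMLRequest" in form:
        xml_bytes = decode_post_binding(form["SAMLRequest"])
    else:
        return {"accepted": False, "reason": "no SAMLRequest in request"}

    domain = issuer_domain(xml_bytes)
    if domain not in TRUSTED_DOMAINS:
        return {"accepted": False, "reason": f"untrusted issuer domain {domain!r}"}
    return {"accepted": True, "reason": "ok", "issuer": domain}


if __name__ == "__main__":
    req = build_authn_request("https://sso-sp1.server.internal/sp1/", "ID_demo_1")
    print(idp_receive("GET", encode_redirect_binding(req), {}))
    print(idp_receive("POST", "", {"SAMLRequest": encode_post_binding(req)}))
```

Running the block shows the redirect-binding request being refused while the identical request arriving via POST is accepted; flipping `strict_post_binding` to False lets the GET through, which is the behaviour the Strict Post Binding question in reply 1 is about.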

            • 3. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
              karl_zhang

              Hi Pedro,

              did you have a chance to reproduce the problem?

              I have also packed a minimal testcase in JBoss Community: https://community.jboss.org/message/739961#739961

              Best Regards,

              Karl

              • 4. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
                pcraveiro

                Hi Karl,

                    I did some tests considering the following scenario:

                  • One Apache installation with two VirtualHosts (sso-idp.server.internal, sso-sp.server.internal). SSL enabled. Basically, the same config as you described.

                    I did a test using the HTTP Redirect Binding and it worked fine. However, when using the POST binding I ran into the same problem. Only after a second click on the login button am I redirected to the SP.

                    Can you try to use the REDIRECT binding to see if it works for you too? Meanwhile I'll investigate why it is not working with the POST binding.

                Regards.

                Pedro Igor

                • 5. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
                  pcraveiro

                  Karl,

                      Can you execute a test using the POST binding without the SSL configuration?

                  Regards.

                  Pedro Igor

                  • 6. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
                    karl_zhang

                    Hi Pedro,

                    thank you for investigating this problem. I have actually already tried the POST binding without SSL, like the testcase posted in JBoss Community. The problem happens only with the combination of the Apache AJP proxy and PicketLink POST bindings. In debug mode I found that JBoss was trapped in the method socketRead0 without returning to the restoreRequest method of FormAuthenticator. Using an HTTP proxy instead of the AJP proxy also avoids the problem.

                    Stack trace of JBoss 7.1.1 and Java6 with Apache AJP proxy:

                    java.net.SocketInputStream.socketRead0(Native Method)
                    java.net.SocketInputStream.read(SocketInputStream.java:129)
                    org.apache.coyote.ajp.AjpProcessor.read(AjpProcessor.java:1131)
                    org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:1213)
                    org.apache.coyote.ajp.AjpProcessor.receive(AjpProcessor.java:1152)
                    org.apache.coyote.ajp.AjpProcessor$SocketInputBuffer.doRead(AjpProcessor.java:1278)
                    org.apache.coyote.Request.doRead(Request.java:438)
                    org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:347)
                    org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:420)
                    org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:379)
                    org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:162)
                    org.apache.catalina.authenticator.FormAuthenticator.restoreRequest(FormAuthenticator.java:491)
                    org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:228)
                    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)
                    org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:332)
                    org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
                    org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
                    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                    org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
                    org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
                    org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
                    org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
                    java.lang.Thread.run(Thread.java:662)

                    Best Regards,

                    Karl
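Added example (not from the thread, not PicketLink or JBoss code): a small thread-dump triage helper that recognises the pattern Karl's stack trace shows, a request thread blocked in a native socket read while FormAuthenticator.restoreRequest is pulling the saved j_security_check request body through the AJP connector. It parses JVM stack frames, works out which connector the thread entered through, and names the condition, so the same signature can be spotted in other dumps. The frame regex, the verdict labels and the second, HTTP-connector trace are constructed here; the first trace is the one posted above.

```python
"""Classify a JVM thread stack for the 'hang while restoring saved request
over AJP' signature. Added example; verdict names and the HTTP sample trace
are constructed for illustration."""
import re

# Frame with or without a leading "at ", with a file:line, Native Method or
# Unknown Source location. Class may contain '$' for inner classes.
FRAME_RE = re.compile(
    r"^\s*(?:at\s+)?([\w$.]+)\.([\w$<>]+)\("
    r"(?:([\w.]+):(\d+)|Native Method|Unknown Source)\)\s*$"
)

# Trace as posted in the thread (JBoss 7.1.1, Java 6, behind Apache mod_proxy_ajp).
KARL_TRACE = """
java.net.SocketInputStream.socketRead0(Native Method)
java.net.SocketInputStream.read(SocketInputStream.java:129)
org.apache.coyote.ajp.AjpProcessor.read(AjpProcessor.java:1131)
org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:1213)
org.apache.coyote.ajp.AjpProcessor.receive(AjpProcessor.java:1152)
org.apache.coyote.ajp.AjpProcessor$SocketInputBuffer.doRead(AjpProcessor.java:1278)
org.apache.coyote.Request.doRead(Request.java:438)
org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:347)
org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:420)
org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:379)
org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:162)
org.apache.catalina.authenticator.FormAuthenticator.restoreRequest(FormAuthenticator.java:491)
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:228)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)
org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:332)
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
java.lang.Thread.run(Thread.java:662)
"""

# Constructed contrast case: an HTTP connector thread idling in a keep-alive
# read. Line numbers are illustrative, not taken from any real build.
HTTP_IDLE_TRACE = """
java.net.SocketInputStream.socketRead0(Native Method)
java.net.SocketInputStream.read(SocketInputStream.java:129)
org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:710)
org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:382)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:808)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
java.lang.Thread.run(Thread.java:662)
"""


def parse_frames(trace: str) -> list:
    """Turn a textual stack into a top-first list of frame dicts."""
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frames.append({
            "class": m.group(1),
            "method": m.group(2),
            "file": m.group(3),
            "line": int(m.group(4)) if m.group(4) else None,
        })
    return frames


def connector_of(frames: list) -> str:
    """First Coyote connector package seen walking down from the top frame."""
    for f in frames:
        if f["class"].startswith("org.apache.coyote.ajp."):
            return "ajp"
        if f["class"].startswith("org.apache.coyote.http11."):
            return "http"
    return "unknown"


def classify_hang(trace: str) -> dict:
    """Name the blocking condition and report which PicketLink valves are on
    the stack, so the dump can be matched against the thread's symptom."""
    frames = parse_frames(trace)
    if not frames:
        return {"verdict": "no-frames", "connector": "unknown", "frames": 0,
                "picketlink_valves": []}
    top = frames[0]
    blocked_on_socket = (top["class"] == "java.net.SocketInputStream"
                         and top["method"].startswith("socketRead"))
    restoring = any(f["class"].endswith(".FormAuthenticator")
                    and f["method"] == "restoreRequest" for f in frames)
    valves = [f["class"].rsplit(".", 1)[-1]
              for f in frames if f["class"].startswith("org.picketlink.")]
    connector = connector_of(frames)
    if blocked_on_socket and restoring and connector == "ajp":
        verdict = "saved-request-body-read-hang-over-ajp"
    elif blocked_on_socket and restoring:
        verdict = "saved-request-body-read-hang"
    elif blocked_on_socket:
        verdict = "socket-read-outside-request-restore"
    else:
        verdict = "not-a-socket-read"
    return {"verdict": verdict, "connector": connector,
            "frames": len(frames), "picketlink_valves": valves}


if __name__ == "__main__":
    print(classify_hang(KARL_TRACE))
    print(classify_hang(HTTP_IDLE_TRACE))
```

The distinguishing detail is not the native socketRead0 frame on its own, which any idle connector thread shows, but restoreRequest sitting above an AjpProcessor read: the container is waiting on the proxy for a body it has already consumed once, which is why the second click (a fresh request with a fresh body) gets through.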

                    • 7. Re: Need help with Picketlink on Jboss7 + Apache HTTP Server
                      pcraveiro

                      Hi Karl,

                          I also realized that during my debugging session. I'm not understanding why this is happening. The problem is that jbossweb is hanging when reading the input stream from the request while trying to restore the saved request (stored during the j_security_check processing).

                          I'm not sure if this is a PL issue, but I'll create a JIRA for investigation.

                          https://issues.jboss.org/browse/PLFED-339

                      Thanks.

                      Pedro Igor