6 Replies Latest reply on Nov 6, 2014 10:07 AM by hodrigohamalho

    PicketLink 2.1.7 Final - Service Provider could not handle the request

    ravi.gandhi

      Hi, I am trying to use a JBoss test application as the Service Provider to talk to SSO Easy as the IDP server.

      JBoss 6.0.0 Final

      Java 1.6.30

      PicketLink 2.1.7 Final

      PicketLink JARS used: picketlink-core-2.1.7.Final.jar and picketlink-jbas5-2.1.7.Final.jar

       

      When I run the test home page, http://localhost:8080/helloworld/Hello, it is redirected to the IDP login page.

      The username and password are authenticated at the login page and the user is directed back to http://localhost:8080/helloworld/Hello, but with the exception below in JBoss: the browser page is blank and server.log has this error:

       

      2013-09-06 17:05:01,523 ERROR [org.picketlink.identity.federation] (http-0.0.0.0-8080-1) Service Provider could not handle the request.: java.lang.NullPointerException
        at java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:881) [:1.6.0_30]
        at org.apache.catalina.session.StandardSession.setNote(StandardSession.java:899) [:6.0.0.Final]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:505) [:2.1.7.Final]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:319) [:2.1.7.Final]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:253) [:2.1.7.Final]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:559) [:6.0.0.Final]
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.0.0.Final]
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.0.0.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [:6.0.0.Final]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.0.0.Final]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.0.0.Final]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.0.0.Final]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.0.0.Final]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.0.0.Final]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.0.0.Final]
        at java.lang.Thread.run(Thread.java:662) [:1.6.0_30]

       

       

      2013-09-06 17:05:02,402 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/helloworld].[jsp]] (http-0.0.0.0-8080-1) Servlet.service() for servlet jsp threw exception: java.lang.NullPointerException
        at org.apache.jsp.error_jsp._jspService(error_jsp.java:71)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [:6.0.0.Final]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369) [:6.0.0.Final]
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [:6.0.0.Final]
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:253) [:6.0.0.Final]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:6.0.0.Final]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:734) [:6.0.0.Final]
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:541) [:6.0.0.Final]
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:479) [:6.0.0.Final]
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:407) [:6.0.0.Final]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:331) [:2.1.7.Final]
        at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:253) [:2.1.7.Final]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:559) [:6.0.0.Final]
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.0.0.Final]
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.0.0.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [:6.0.0.Final]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.0.0.Final]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.0.0.Final]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.0.0.Final]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.0.0.Final]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.0.0.Final]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.0.0.Final]
        at java.lang.Thread.run(Thread.java:662) [:1.6.0_30]

       

       

      2013-09-06 17:05:02,441 ERROR [org.picketlink.identity.federation] (http-0.0.0.0-8080-1) Error forwarding to the error page: /error.jsp

       

      Context.xml contents,

       

      <?xml version="1.0" encoding="UTF-8"?>
      <Context>
          <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />
      </Context>
      
      

       

      Jboss-web.xml contents,

      <jboss-web>
      <security-domain>java:/jaas/Test</security-domain>
      </jboss-web>
      
      

       

      picketlink.xml contents,

       

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
              BindingType="POST">
              <IdentityURL>http://<IDP-SERVER NAME>/ExampleIdentityProvider</IdentityURL>
              <ServiceURL>http://aud24902rw:8080/helloworld/Hello</ServiceURL>
          </PicketLinkSP>

          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
             <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
             <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
          </Handlers>

      </PicketLink>
      
      

       

       

      web.xml

       

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
      
        
        <servlet>
          <servlet-name>HelloWorld</servlet-name>
          <jsp-file>/index.jsp</jsp-file>
        </servlet>
      
        <servlet>
          <servlet-name>Logout</servlet-name>
          <jsp-file>/logout.jsp</jsp-file>
        </servlet>
      
      
        <servlet-mapping>
          <servlet-name>HelloWorld</servlet-name>
          <url-pattern>/Hello</url-pattern>
        </servlet-mapping>
      
        <servlet-mapping>
          <servlet-name>Logout</servlet-name>
          <url-pattern>/Logout</url-pattern>
        </servlet-mapping>
      
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>SonoraResourceCollection</web-resource-name>
            <url-pattern>/Hello</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>SonoraSecurityRole</role-name>
          </auth-constraint>
        </security-constraint>
      
        <login-config>
          <!--Uncomment below lines for basic authentication-->
          <!--<auth-method>BASIC</auth-method>-->
          <auth-method>FORM</auth-method>
          <realm-name>QSuper SSO</realm-name>
          <form-login-config>
            <form-login-page>/index.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
          </form-login-config>
        </login-config>
      
      
        <security-role>
          <role-name>SonoraSecurityRole</role-name>
        </security-role>
      
      
      </web-app>
      
      

       

      login-config.xml snippet

      <application-policy name = "Test">
        <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="usersProperties" value="users.properties"/>
            <module-option name="rolesProperties" value="roles.properties"/>
          </login-module>
        </authentication>
      </application-policy>
      
      

       

      I have users.properties and roles.properties on the classpath. users.properties is empty, whereas the contents of roles.properties are as follows:

       

      tomcat=manager,employee,sales
      idp-user=SonoraSecurityRole,HttpInvoker,manager,employee,sales
      SONORA=SonoraSecurityRole,HttpInvoker,manager,employee,sales
      
      

       

       

      Am I doing something wrong? Previously I was getting an "HTTP Status 403 - Access to the requested resource has been denied" response. I believe that somehow roles are not picked up.

      Please help.

       

      Thank you.