2 Replies Latest reply on Sep 16, 2014 10:53 AM by hodrigohamalho

Cross Domain Requests to Picketlink SAML IDP

hodrigohamalho Sep 15, 2014 4:02 PM

What i'm trying to do ?

I have on application that works as a portal, it is a service provider(SP) that render many others SPs via AJAX. The initial problem was that when i made a GET from a SP to another SP, the picketlink intercept this request and the response from this GET was a form with SAMLRequest.

I solved it simulating the web browser flow (all via ajax)

SP(x) --------- request ------------> SP(y)

SP(y) --------- request (SamlRequest) ------------> IDP

IDP --------- request (SamlResponse) ----------> SP(y)

SP(x) ---------- request (with new JSESSIONID ----> SP(y)

Legend: SP(x) current SP that works like a portal. This module that init all ajax calls.

SP(y) SP not initialized.

IDP Identity Provider.

This javascript source: https://github.com/hodrigohamalho/picketlink-sp-communication/blob/master/picketlink-federation-saml-sp-central/src/main/webapp/javascript/index.js (line 19)

The problems seens to be solved at here. But when I enable SSL, the IDP now is on 443 and when ajax from localhost:8080/sp to localhost:8443/idp is made the CORS message "not allowed origin" shows up on browser console.

I create a servlet filter that allow origin on response:

HttpServletResponse res = (HttpServletResponse) response;
  res.setHeader("Access-Control-Allow-Origin", "localhost:8080");
  res.setHeader("Access-Control-Allow-Methods", "POST, GET");
  res.setHeader("Access-Control-Max-Age", "3600");
  res.setHeader("Access-Control-Allow-Headers", "x-requested-with, Content-Type");

But, picketlink is configured by a listener on web.xml. The listeners are executed before filters, so that filter isn't above isn't executed.

<listener>
   <listener-class>org.picketlink.identity.federation.web.listeners.IDPHttpSessionListener</listener-class>
</listener>

So, is possible to enable CORS on picketlink SAML IDP?

1. Re: Cross Domain Requests to Picketlink SAML IDP

pcraveiro Sep 15, 2014 5:05 PM (in response to hodrigohamalho)

Hey Rodrigo,

Quick answer is no. But I think you can create and add a custom valve to your application. So this custom valve can handle CORS pre-flight requests for you.

Regards.
Actions

2. Re: Re: Cross Domain Requests to Picketlink SAML IDP

hodrigohamalho Sep 16, 2014 10:53 AM (in response to pcraveiro)

pom.xml

<dependency>
  <groupId>org.apache.tomcat</groupId>
  <artifactId>tomcat-catalina</artifactId>
  <version>8.0.11</version>
  <scope>provided</scope>
</dependency>

jboss-web.xml

<valve>
    <class-name>org.rodrigoramalho.picketlink.CORSValve</class-name>
</valve>

CORSValve.java

public class CORSValve extends ValveBase{
  @Override
  public void invoke(Request request, Response response) throws IOException,ServletException {
  response.addHeader("Access-Control-Allow-Origin", "http://localhost:8080");
  response.addHeader("Access-Control-Allow-Methods", "POST, GET");
  response.addHeader("Access-Control-Max-Age", "3600");
  response.addHeader("Access-Control-Allow-Headers", "x-requested-with, Content-Type");

  getNext().invoke(request, response);
  }
}

Oficial doc: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.1/html/Development_Guide/Create_a_…

1 of 1 people found this helpful

Go to original post