2 Replies Latest reply on Apr 7, 2015 12:38 AM by pradyumna13

in wildfly

pradyumna13 Mar 27, 2015 12:32 AM

This is bugging me for last few days, I felt sharing here would help really. Let me directly jump into details, appreciate any response.

Environemt Details: Wildfly-8.2.0.Final + Picketlink 2.7.0.CR2

Coping the configuration file details below:

Windfly Standalone.xml few sections:: please note , we have supplied idp.url, app.url with specific IP.

<system-properties>

</system-properties>

<subsystem xmlns="urn:jboss:domain:undertow:1.2"> // under wildfly modules the corresponding jar version is 1.1.0.Final except 'jsp' which is 'jastow-1.0.0.Final'

<buffer-cache name="default"/>

<http-listener name="default" socket-binding="http" max-post-size="100000000" no-request-timeout="1800000"/>

<filter-ref name="server-header"/>

<filter-ref name="x-powered-by-header"/>

</host>

</server>

<servlet-container name="default">

<jsp-config/>

</servlet-container>

</handlers>

<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>

<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>

</filters>

</subsystem>

<security-domain name="idp" >

<login-module code="Database" flag="required">

<module-option name="dsJndiName" value="......"/>

<module-option name="principalsQuery" value="......'"/>

<module-option name="rolesQuery" value=........"/>

<module-option name="hashAlgorithm" value="SHA-256"/>

<module-option name="hashEncoding" value="base64"/>

</login-module>

</authentication>

</security-domain>

<security-domain name="sp" cache-type="default">

<login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>

</authentication>

</security-domain>

<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>

</interface>

<any-address/>

</interface>

<any-address/>

</interface>

</interfaces>

IDP Picketlink.xml:

<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"

AttributeManager="org.picketlink.identity.federation.bindings.wildfly.idp.UndertowAttributeManager"

RoleGenerator="org.picketlink.identity.federation.bindings.wildfly.idp.UndertowRoleGenerator">

<IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>

<Trust>

<Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>

</Trust>

</PicketLinkIDP>

</Handler>

</Handlers>

<!--

The configuration bellow defines a token timeout and a clock skew. Both configurations will be used during the SAML Assertion creation.

This configuration is optional. It is defined only to show you how to set the token timeout and clock skew configuration.

<TokenProvider

ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"

TokenType="urn:oasis:names:tc:SAML:1.0:assertion"

TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />

<TokenProvider

ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"

TokenType="urn:oasis:names:tc:SAML:2.0:assertion"

TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />

</TokenProviders>

</PicketLinkSTS>

-->

</PicketLink>

IDP jboss-web.xml::

<jboss-web>

<security-domain>idp</security-domain>

<context-root>idp</context-root>

</jboss-web>

we have IDPFilter configured

SP Picketlink.xml :

<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"

ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">

<IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>

<ServiceURL>${app.url::http://localhost:8080/ices/app/}</ServiceURL>

</PicketLinkSP>

<Handler class="com.ingenix.sso.handlers.SAML2ICPAuthenticationHandler"/> //we have our own AuthenticationHandler but doing nothing. The problem is present even with default handler//

<!--

-->

</Handlers>

</PicketLink>

SP jboss-web.xml::

<?xml version="1.0" encoding="UTF-8"?>

<jboss-web>

<security-domain>sp</security-domain>

<context-root>ices/app</context-root>

</jboss-web>

Problem:: when I access with http://192.168.1.101:8080/ices/app everything is working fine login page is displayed, when i give credentials user is authenticated and application main screen is displayed.The url that appears in the browser is "http://192.168.1.101:8080/ices/app" .But when I access with http://localhost:8080/ices/app login page is displayed. After giving proper credentials a white screen is displayed wih url in the browser as"http://192.168.1.101:8080/ices/app/". Observe the trailing '/'. If I remove that slash and press enter, then our main screen is displayed.

Please let me know if need more details.

1. Re: Accessing application with 'localhost' has problem when 'public' interface is configured for <any-address></any> in wildfly

pradyumna13 Apr 3, 2015 5:07 AM (in response to pradyumna13)

when I am accessing with 'localhost' from the machine where this application is deployed, but the picketlink urls are configured to having ip in the url as mentioned above, login page is coming. After giving proper credentials finally this is what happening.

method handleRedirectBack from SPFormAuthenticationMehcnaism:

String path = (String) session.getAttribute(SESSION_KEY); path value is 'null' hence unable to redirect to the url and browser stays as it is with blank screen and the url is shown like " http://192.168.1.101:8080/ices/app/".
Where as when a access the applciation with ip in the url, above path value is set to "http://192.168.1.101:8080/ices/app" and the application is getting redirected to this url and displaying main screen.
Actions
2. Re: Accessing application with 'localhost' has problem when 'public' interface is configured for <any-address></any> in wildfly

pradyumna13 Apr 7, 2015 12:38 AM (in response to pradyumna13)

More Debugging Info::

I have provided detailed session information created for Failure and Success cases below. Observe the session id in each case, the key, value and application(SP / IDP).
Failure case more sessions are created than in Success case. Session id created on IDP is matching before and after login in both the cases. But session ids for SP are differing.

################################################################################################################################################

When accessing with localhost:: URL is http://localhost:8080/ices/app (Failure Case)

         Key                                                                      Value                                         in memory session id                        application

io.undertow.servlet.form.auth.redirect.location         http://localhost:8080/ices/app          aUeAOpOgEUi9gWGX4NxMN-WJ                  SP

io.undertow.servlet.form.auth.redirect.location          http://localhost:8080/ices/app       aUeAOpOgEUi9gWGX4NxMN-WJ                   SP

io.undertow.servlet.form.auth.redirect.location

http://10.194.153.34:8080/idp/index.jsp?SAMLRequest=jZLLTsMwEEV%2FJfI%2BDydpm1pNpNAIEalA1BYWbJBJptRSYgePw%2BPvyQNE2VTdWfaZuXfueIW8qVuWduYot%2FDWARrrs6klsvEhJp2WTHEUyCRvAJkp2S693TDf8VirlVGlqslUch7miKCNUJJY6e9xrSR2Degd6HdRwsN2E5OjMS1zXeo5dBk6dBY4QcgiL%2FLcnkCXt61LrKz3KSQfepytqAb4WukSxgljcuA1ArHyLCZ59lwtaTX3A7CBzn075IuDHQGNbOCeBxGHRTDjPYxFb168w185Yge5RMOliYnv0ZntBba%2F2FPKaMjo0qF%2B%2BESs4iegKyErIV%2FPB%2FQyQchu9vvCLu53e2I9gsZxxh4gyWrYCRvF9cmWLs09uSDalXuiMQm27K5vmmeFqkX5ZaV1rT7WGrjp8zC6gzHghpvzNoYbUdmHEWVGc4kCpCFuMkn%2B%2F4PJNw%3D%3D

                                                                                                                                0eVRtiYY5DuaMpA4DNNGm4UE                IDP

io.undertow.servlet.form.auth.redirect.location     http://10.194.153.34:8080/ices/app         BHH8alMwACrfOjq7zmAxTmHS                   SP

io.undertow.servlet.form.auth.redirect.location   http://10.194.153.34:8080/ices/app            BHH8alMwACrfOjq7zmAxTmHS                  SP


                                                         login displayed enter credentials and submit

with key 'io.undertow.servlet.form.auth.redirect.location' got

http://10.194.153.34:8080/idp/index.jsp?SAMLRequest=jZLLTsMwEEV%2FJfI%2BDydpm1pNpNAIEalA1BYWbJBJptRSYgePw%2BPvyQNE2VTdWfaZuXfueIW8qVuWduYot%2FDWARrrs6klsvEhJp2WTHEUyCRvAJkp2S693TDf8VirlVGlqslUch7miKCNUJJY6e9xrSR2Degd6HdRwsN2E5OjMS1zXeo5dBk6dBY4QcgiL%2FLcnkCXt61LrKz3KSQfepytqAb4WukSxgljcuA1ArHyLCZ59lwtaTX3A7CBzn075IuDHQGNbOCeBxGHRTDjPYxFb168w185Yge5RMOliYnv0ZntBba%2F2FPKaMjo0qF%2B%2BESs4iegKyErIV%2FPB%2FQyQchu9vvCLu53e2I9gsZxxh4gyWrYCRvF9cmWLs09uSDalXuiMQm27K5vmmeFqkX5ZaV1rT7WGrjp8zC6gzHghpvzNoYbUdmHEWVGc4kCpCFuMkn%2B%2F4PJNw%3D%3D

                                                                        under sessionid                                         0eVRtiYY5DuaMpA4DNNGm4UE             IDP

with key 'io.undertow.servlet.form.auth.redirect.location' got null         under sessionid             HzFGkZQxi8BxIB3Gtkkl9dQw                SP    (Failure)

################################################################################################################################################

When accessing with IP:: URL is http://10.194.153.34:8080/ices/app (Success Case)

io.undertow.servlet.form.auth.redirect.location         http://10.194.153.34:8080/ices/app                 qO0chXcRMUj4TpKbzslFRQiG         SP

io.undertow.servlet.form.auth.redirect.location            http://10.194.153.34:8080/ices/app                 qO0chXcRMUj4TpKbzslFRQiG         SP

io.undertow.servlet.form.auth.redirect.location

   http://10.194.153.34:8080/idp/index.jsp?SAMLRequest=jZLRT4MwEMb%2FFdJ3oMAmWzOW4Bbjkqlkmz74Yk44XBNosVem%2FvcC0zhflr017e%2Fu%2B%2B67zgjqqhFpa%2Fdqg%2B8tknU%2B60qRGB4S1holNJAkoaBGEjYX2%2FRuLUKPi8Zoq3NdsWPJeRiI0FipFXPS3%2BNCK2prNFs0B5nj42adsL21jfD9gHvBdOQF48iLRmLCJ9zvCPKhaXzmLDufUkHf42xF0cM32uQ4TJiwEipC5qyWCVstXyKMxsEE0Y2gLNwRALgTKKcuj%2BM4hCiY8rjsYMo68%2FKAf%2BVELa4UWVA2YSEPxi6P3DDeBVyMr0QYeqM4fmZO9hPQtVSFVG%2FnA3o9QiRud7vMzR62O%2BY8oaFhxg5g81m%2FEzGIm5MtXZr7%2FIJoZ%2F6JxlGwEfdd09Uy05XMv5y0qvTHwiDYLg9rWhwCrsGet9HfyMItB1RYA4okKsv8%2BVHy%2Fx%2BcfwM%3D

                                                                                                                                             qzecp_lkGH6pwp_daubgYPDL                    IDP

io.undertow.servlet.form.auth.redirect.location http://10.194.153.34:8080/ices/app               CuNXLG4YXzU8zO1DVme7Yq8p                         SP

io.undertow.servlet.form.auth.redirect.location http://10.194.153.34:8080/ices/app               CuNXLG4YXzU8zO1DVme7Yq8p                          SP

                                        login displayed enter credentials and submit

with key 'io.undertow.servlet.form.auth.redirect.location' got

http://10.194.153.34:8080/idp/index.jsp?
SAMLRequest=jZJRT4MwFIX%2FCuk7UAZM14wlc4txyVSyoQ%2B%2BmAJ3rgm02Fum%2FnsLaJwvZG9N%2B5177j23c%2BR11bBla45yB%2B8toHE%2B60oi6x8S0mrJFEeBTPIakJmC7Zf3WzbxKGu0MqpQFRkk4zBHBG2EksRZ%2Fh5XSmJbg96DPokCnnbbhByNaZjvB9QLZpEXxKEXRuyaXlPfEujzpvGJs7Z9Csm7GqOKsoNvlS6gnzAhB14hEGezTshm%2FToN47KAYOrynEduFNHczSGI3SCflYe4CKdRHlsYU9u8OMGfHLGFjUTDpUnIhFoJDd3JVUZnzHqHgUej2Qtx0p%2BAboQshXwbDygfIGR3WZa66eM%2BI84zaOxntABZzLudsN5cn23p0twXF0Q79888BsOGPdiim3WqKlF8OcuqUh8rDdzYPIxuoQ%2B45ma8je5GlO6hR5nRXKIAaYi%2FGCz%2F%2F8HFNw%3D%3D

                                                                                                                   under sessionid qzecp_lkGH6pwp_daubgYPDL                         IDP

with key 'io.undertow.servlet.form.auth.redirect.location' got http://10.194.153.34:8080/ices/app under sessionid   qO0chXcRMUj4TpKbzslFRQiG      SP (Pass)
################################################################################################################################################
Actions

Go to original post